server: fix set caps on container create

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-05 12:14:34 +02:00 · 2017-05-05 12:14:34 +02:00 · 139b16bac2
commit 139b16bac2
parent 715785950c
7 changed files with 80 additions and 114 deletions
--- a/server/container_create.go
+++ b/server/container_create.go
@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 		}

 		capabilities := linux.GetSecurityContext().GetCapabilities()
+		toCAPPrefixed := func(cap string) string {
+			if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
+				return "CAP_" + cap
+			}
+			return cap
+		}
 		if capabilities != nil {
 			addCaps := capabilities.AddCapabilities
 			if addCaps != nil {
 				for _, cap := range addCaps {
-					if err := specgen.AddProcessCapability(cap); err != nil {
+					if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
 						return nil, err
 					}
 				}
@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 			dropCaps := capabilities.DropCapabilities
 			if dropCaps != nil {
 				for _, cap := range dropCaps {
-					if err := specgen.DropProcessCapability(cap); err != nil {
+					if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
 						return nil, err
 					}
 				}
--- a/test/testdata/container_config.json
+++ b/test/testdata/container_config.json
@ -51,30 +51,22 @@
 			"memory_limit_in_bytes": 88000000,
 			"oom_score_adj": 30
 		},
-		"capabilities": {
-			"add_capabilities": [
-				"setuid",
-				"setgid"
-			],
-			"drop_capabilities": [
-				"audit_write",
-				"audit_read"
-			]
-		},
-		"selinux_options": {
-			"user": "system_u",
-			"role": "system_r",
-			"type": "container_t",
-			"level": "s0:c4,c5"
-		},
-		"user": {
-			"uid": 5,
-			"gid": 300,
-			"additional_gids": [
-				400,
-				401,
-				402
-			]
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"setuid",
+					"setgid"
+				],
+				"drop_capabilities": [
+					"audit_read"
+				]
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "container_t",
+				"level": "s0:c4,c5"
+			}
 		}
 	}
 }
--- a/test/testdata/container_config_by_imageid.json
+++ b/test/testdata/container_config_by_imageid.json
@ -51,30 +51,22 @@
 			"memory_limit_in_bytes": 88000000,
 			"oom_score_adj": 30
 		},
-		"capabilities": {
-			"add_capabilities": [
-				"setuid",
-				"setgid"
-			],
-			"drop_capabilities": [
-				"audit_write",
-				"audit_read"
-			]
-		},
-		"selinux_options": {
-			"user": "system_u",
-			"role": "system_r",
-			"type": "container_t",
-			"level": "s0:c4,c5"
-		},
-		"user": {
-			"uid": 5,
-			"gid": 300,
-			"additional_gids": [
-				400,
-				401,
-				402
-			]
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"setuid",
+					"setgid"
+				],
+				"drop_capabilities": [
+					"audit_read"
+				]
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "container_t",
+				"level": "s0:c4,c5"
+			}
 		}
 	}
 }
--- a/test/testdata/container_config_logging.json
+++ b/test/testdata/container_config_logging.json
@ -4,7 +4,7 @@
 		"attempt": 1
 	},
 	"image": {
-		"image": "docker://busybox:latest"
+		"image": "busybox:latest"
 	},
 	"command": [
 		"/bin/sh", "-c"
@ -53,30 +53,22 @@
 			"memory_limit_in_bytes": 88000000,
 			"oom_score_adj": 30
 		},
-		"capabilities": {
-			"add_capabilities": [
-				"setuid",
-				"setgid"
-			],
-			"drop_capabilities": [
-				"audit_write",
-				"audit_read"
-			]
-		},
-		"selinux_options": {
-			"user": "system_u",
-			"role": "system_r",
-			"type": "container_t",
-			"level": "s0:c4,c5"
-		},
-		"user": {
-			"uid": 5,
-			"gid": 300,
-			"additional_gids": [
-				400,
-				401,
-				402
-			]
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"setuid",
+					"setgid"
+				],
+				"drop_capabilities": [
+					"audit_read"
+				]
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "container_t",
+				"level": "s0:c4,c5"
+			}
 		}
 	}
 }
--- a/test/testdata/container_config_seccomp.json
+++ b/test/testdata/container_config_seccomp.json
@ -53,30 +53,22 @@
 			"memory_limit_in_bytes": 88000000,
 			"oom_score_adj": 30
 		},
-		"capabilities": {
-			"add_capabilities": [
-				"setuid",
-				"setgid"
-			],
-			"drop_capabilities": [
-				"audit_write",
-				"audit_read"
-			]
-		},
-		"selinux_options": {
-			"user": "system_u",
-			"role": "system_r",
-			"type": "svirt_lxc_net_t",
-			"level": "s0:c4-c5"
-		},
-		"user": {
-			"uid": 5,
-			"gid": 300,
-			"additional_gids": [
-				400,
-				401,
-				402
-			]
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"setuid",
+					"setgid"
+				],
+				"drop_capabilities": [
+					"audit_read"
+				]
+			},
+			"selinux_options": {
+				"user": "system_u",
+				"role": "system_r",
+				"type": "svirt_lxc_net_t",
+				"level": "s0:c4-c5"
+			}
 		}
 	}
 }
--- a/test/testdata/container_exit_test.json
+++ b/test/testdata/container_exit_test.json
@ -18,11 +18,5 @@
 	"log_path": "",
 	"stdin": false,
 	"stdin_once": false,
-	"tty": false,
-	"linux": {
-		"user": {
-			"uid": 0,
-			"gid": 0
-		}
-	}
+	"tty": false
 }
--- a/test/testdata/container_redis.json
+++ b/test/testdata/container_redis.json
@ -51,14 +51,12 @@
 			"memory_limit_in_bytes": 88000000,
 			"oom_score_adj": 30
 		},
-		"capabilities": {
-			"add_capabilities": [
-				"sys_admin"
-			]
-		},
-		"user": {
-			"uid": 0,
-			"gid": 0
+		"security_context": {
+			"capabilities": {
+				"add_capabilities": [
+					"sys_admin"
+				]
+			}
 		}
 	}
 }