server: fix set caps on container create
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This commit is contained in:
parent
715785950c
commit
139b16bac2
7 changed files with 80 additions and 114 deletions
|
@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
}
|
||||
|
||||
capabilities := linux.GetSecurityContext().GetCapabilities()
|
||||
toCAPPrefixed := func(cap string) string {
|
||||
if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
|
||||
return "CAP_" + cap
|
||||
}
|
||||
return cap
|
||||
}
|
||||
if capabilities != nil {
|
||||
addCaps := capabilities.AddCapabilities
|
||||
if addCaps != nil {
|
||||
for _, cap := range addCaps {
|
||||
if err := specgen.AddProcessCapability(cap); err != nil {
|
||||
if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
|
|||
dropCaps := capabilities.DropCapabilities
|
||||
if dropCaps != nil {
|
||||
for _, cap := range dropCaps {
|
||||
if err := specgen.DropProcessCapability(cap); err != nil {
|
||||
if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
|
40
test/testdata/container_config.json
vendored
40
test/testdata/container_config.json
vendored
|
@ -51,30 +51,22 @@
|
|||
"memory_limit_in_bytes": 88000000,
|
||||
"oom_score_adj": 30
|
||||
},
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_write",
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
},
|
||||
"user": {
|
||||
"uid": 5,
|
||||
"gid": 300,
|
||||
"additional_gids": [
|
||||
400,
|
||||
401,
|
||||
402
|
||||
]
|
||||
"security_context": {
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
40
test/testdata/container_config_by_imageid.json
vendored
40
test/testdata/container_config_by_imageid.json
vendored
|
@ -51,30 +51,22 @@
|
|||
"memory_limit_in_bytes": 88000000,
|
||||
"oom_score_adj": 30
|
||||
},
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_write",
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
},
|
||||
"user": {
|
||||
"uid": 5,
|
||||
"gid": 300,
|
||||
"additional_gids": [
|
||||
400,
|
||||
401,
|
||||
402
|
||||
]
|
||||
"security_context": {
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
42
test/testdata/container_config_logging.json
vendored
42
test/testdata/container_config_logging.json
vendored
|
@ -4,7 +4,7 @@
|
|||
"attempt": 1
|
||||
},
|
||||
"image": {
|
||||
"image": "docker://busybox:latest"
|
||||
"image": "busybox:latest"
|
||||
},
|
||||
"command": [
|
||||
"/bin/sh", "-c"
|
||||
|
@ -53,30 +53,22 @@
|
|||
"memory_limit_in_bytes": 88000000,
|
||||
"oom_score_adj": 30
|
||||
},
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_write",
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
},
|
||||
"user": {
|
||||
"uid": 5,
|
||||
"gid": 300,
|
||||
"additional_gids": [
|
||||
400,
|
||||
401,
|
||||
402
|
||||
]
|
||||
"security_context": {
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "container_t",
|
||||
"level": "s0:c4,c5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
40
test/testdata/container_config_seccomp.json
vendored
40
test/testdata/container_config_seccomp.json
vendored
|
@ -53,30 +53,22 @@
|
|||
"memory_limit_in_bytes": 88000000,
|
||||
"oom_score_adj": 30
|
||||
},
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_write",
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "svirt_lxc_net_t",
|
||||
"level": "s0:c4-c5"
|
||||
},
|
||||
"user": {
|
||||
"uid": 5,
|
||||
"gid": 300,
|
||||
"additional_gids": [
|
||||
400,
|
||||
401,
|
||||
402
|
||||
]
|
||||
"security_context": {
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"setuid",
|
||||
"setgid"
|
||||
],
|
||||
"drop_capabilities": [
|
||||
"audit_read"
|
||||
]
|
||||
},
|
||||
"selinux_options": {
|
||||
"user": "system_u",
|
||||
"role": "system_r",
|
||||
"type": "svirt_lxc_net_t",
|
||||
"level": "s0:c4-c5"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
8
test/testdata/container_exit_test.json
vendored
8
test/testdata/container_exit_test.json
vendored
|
@ -18,11 +18,5 @@
|
|||
"log_path": "",
|
||||
"stdin": false,
|
||||
"stdin_once": false,
|
||||
"tty": false,
|
||||
"linux": {
|
||||
"user": {
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
}
|
||||
}
|
||||
"tty": false
|
||||
}
|
||||
|
|
14
test/testdata/container_redis.json
vendored
14
test/testdata/container_redis.json
vendored
|
@ -51,14 +51,12 @@
|
|||
"memory_limit_in_bytes": 88000000,
|
||||
"oom_score_adj": 30
|
||||
},
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"sys_admin"
|
||||
]
|
||||
},
|
||||
"user": {
|
||||
"uid": 0,
|
||||
"gid": 0
|
||||
"security_context": {
|
||||
"capabilities": {
|
||||
"add_capabilities": [
|
||||
"sys_admin"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue