vendor: bump oci/runtime-tools to fix caps drop

Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-05-12 16:33:29 +02:00 · 2017-05-12 16:33:29 +02:00 · 2d997859de
commit 2d997859de
parent c533e5e34b
6 changed files with 21 additions and 33 deletions
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@ -40,22 +40,6 @@ var (
 		"RLIMIT_SIGPENDING",
 		"RLIMIT_STACK",
 	}
-	defaultCaps = []string{
-		"CAP_CHOWN",
-		"CAP_DAC_OVERRIDE",
-		"CAP_FSETID",
-		"CAP_FOWNER",
-		"CAP_MKNOD",
-		"CAP_NET_RAW",
-		"CAP_SETGID",
-		"CAP_SETUID",
-		"CAP_SETFCAP",
-		"CAP_SETPCAP",
-		"CAP_NET_BIND_SERVICE",
-		"CAP_SYS_CHROOT",
-		"CAP_KILL",
-		"CAP_AUDIT_WRITE",
-	}
 )

 // Validator represents a validator for runtime bundle
@ -275,7 +259,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
 		}
 	}

-	msgs = append(msgs, v.CheckCapablities()...)
+	msgs = append(msgs, v.CheckCapabilities()...)
 	msgs = append(msgs, v.CheckRlimits()...)

 	if v.spec.Platform.OS == "linux" {
@ -292,7 +276,8 @@ func (v *Validator) CheckProcess() (msgs []string) {
 	return
 }

-func (v *Validator) CheckCapablities() (msgs []string) {
+// CheckCapabilities checks v.spec.Process.Capabilities
+func (v *Validator) CheckCapabilities() (msgs []string) {
 	process := v.spec.Process
 	if v.spec.Platform.OS == "linux" {
 		var caps []string
@ -325,6 +310,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
 	return
 }

+// CheckRlimits checks v.spec.Process.Rlimits
 func (v *Validator) CheckRlimits() (msgs []string) {
 	process := v.spec.Process
 	for index, rlimit := range process.Rlimits {
@ -700,13 +686,8 @@ func namespaceValid(ns rspec.LinuxNamespace) bool {

 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {
-	case "b":
-	case "c":
-	case "u":
-		if d.Major <= 0 {
-			return false
-		}
-		if d.Minor <= 0 {
+	case "b", "c", "u":
+		if d.Major <= 0 || d.Minor <= 0 {
 			return false
 		}
 	case "p":