From 655b1b46a8f65acd7e51df900a96bedee374e77f Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Fri, 5 May 2017 12:14:34 +0200
Subject: [PATCH] server: fix set caps on container create

Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 10 ++++-
 test/testdata/container_config.json | 40 +++++++-----------
 .../testdata/container_config_by_imageid.json | 40 +++++++-----------
 test/testdata/container_config_logging.json | 42 ++++++++-----------
 test/testdata/container_config_seccomp.json | 40 +++++++-----------
 test/testdata/container_exit_test.json | 8 +---
 test/testdata/container_redis.json | 14 +++----
 7 files changed, 80 insertions(+), 114 deletions(-)

diff --git a/server/container_create.go b/server/container_create.go
index a25c8c83..38fc3c6f 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -400,11 +400,17 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 
 capabilities := linux.GetSecurityContext().GetCapabilities()
+ toCAPPrefixed := func(cap string) string {
+ if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
+ return "CAP_" + cap
+ }
+ return cap
+ }
 if capabilities != nil {
 addCaps := capabilities.AddCapabilities
 if addCaps != nil {
 for _, cap := range addCaps {
- if err := specgen.AddProcessCapability(cap); err != nil {
+ if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
 return nil, err
 }
 }
@@ -413,7 +419,7 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 dropCaps := capabilities.DropCapabilities
 if dropCaps != nil {
 for _, cap := range dropCaps {
- if err := specgen.DropProcessCapability(cap); err != nil {
+ if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
 return nil, err
 }
 }
diff --git a/test/testdata/container_config.json b/test/testdata/container_config.json
index 3ab8fb8d..6f466981 100644
--- a/test/testdata/container_config.json
+++ b/test/testdata/container_config.json
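Review bot: `toCAPPrefixed` tests the prefix case-insensitively but never canonicalizes the name it returns, so `setuid` becomes `CAP_setuid` while `cap_setuid` passes through untouched; whether either is accepted then depends on specgen upper-casing on its own, which this hunk does not show. Canonicalizing in the helper removes that dependency and makes add and drop agree on one spelling: `c := strings.ToUpper(cap)` / `if !strings.HasPrefix(c, "CAP_") { return "CAP_" + c }` / `return c`. As a point of style, the closure's parameter `cap` shadows Go's builtin `cap` (the existing loop variables already do); naming it `name` avoids a surprise if `cap()` is ever needed in that scope, and since the closure captures nothing it could be a package-level helper with its own unit test. createSandboxContainer begins before and ends after this hunk.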
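Review bot: The drop loop runs after the add loop, so a capability that appears in both AddCapabilities and DropCapabilities ends up dropped; that deny-wins precedence is security-relevant and is nowhere stated, so a comment above `dropCaps := capabilities.DropCapabilities` such as `// Drops are applied after adds: a capability listed in both is dropped.` would document it. Whether specgen.DropProcessCapability removes the name from every capability set (bounding, effective, permitted, inheritable) is not visible here and should be confirmed before relying on that precedence. The enclosing `if capabilities != nil` block and createSandboxContainer continue outside the hunk.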
@@ -51,30 +51,22 @@
 "memory_limit_in_bytes": 88000000,
 "oom_score_adj": 30
 },
- "capabilities": {
- "add_capabilities": [
- "setuid",
- "setgid"
- ],
- "drop_capabilities": [
- "audit_write",
- "audit_read"
- ]
- },
- "selinux_options": {
- "user": "system_u",
- "role": "system_r",
- "type": "container_t",
- "level": "s0:c4,c5"
- },
- "user": {
- "uid": 5,
- "gid": 300,
- "additional_gids": [
- 400,
- 401,
- 402
- ]
+ "security_context": {
+ "capabilities": {
+ "add_capabilities": [
+ "setuid",
+ "setgid"
+ ],
+ "drop_capabilities": [
+ "audit_read"
+ ]
+ },
+ "selinux_options": {
+ "user": "system_u",
+ "role": "system_r",
+ "type": "container_t",
+ "level": "s0:c4,c5"
+ }
 }
 }
 }
diff --git a/test/testdata/container_config_by_imageid.json b/test/testdata/container_config_by_imageid.json
index 5c87e7a5..83882d24 100644
--- a/test/testdata/container_config_by_imageid.json
+++ b/test/testdata/container_config_by_imageid.json
@@ -53,30 +53,22 @@
 "memory_limit_in_bytes": 88000000,
 "oom_score_adj": 30
 },
- "capabilities": {
- "add_capabilities": [
- "setuid",
- "setgid"
- ],
- "drop_capabilities": [
- "audit_write",
- "audit_read"
- ]
- },
- "selinux_options": {
- "user": "system_u",
- "role": "system_r",
- "type": "container_t",
- "level": "s0:c4,c5"
- },
- "user": {
- "uid": 5,
- "gid": 300,
- "additional_gids": [
- 400,
- 401,
- 402
- ]
+ "security_context": {
+ "capabilities": {
+ "add_capabilities": [
+ "setuid",
+ "setgid"
+ ],
+ "drop_capabilities": [
+ "audit_read"
+ ]
+ },
+ "selinux_options": {
+ "user": "system_u",
+ "role": "system_r",
+ "type": "container_t",
+ "level": "s0:c4,c5"
+ }
 }
 }
 }
diff --git a/test/testdata/container_config_logging.json b/test/testdata/container_config_logging.json
index 2d48747c..018f9539 100644
--- a/test/testdata/container_config_logging.json
+++ b/test/testdata/container_config_logging.json
@@ -4,7 +4,7 @@
 "attempt": 1
 },
 "image": {
- "image": "docker://busybox:latest"
+ "image": "busybox:latest"
 },
 "command": [
 "/bin/sh", "-c"
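Review bot: The rewritten fixture drops the whole `"user"` object (uid 5, gid 300, three additional gids) without carrying an equivalent into the new `"security_context"`, so this test no longer exercises creating a container as a non-root user with supplementary groups, which is exactly the path where a regression would be security-relevant. If the security-context shape this commit targets has a run-as-user field, the fixture should set it there; if not, a fixture elsewhere should keep that coverage. The removal of `"audit_write"` from `drop_capabilities` is likewise unexplained by the commit message, and a one-line reason in the description would help future readers.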
@@ -53,30 +53,22 @@
 "memory_limit_in_bytes": 88000000,
 "oom_score_adj": 30
 },
- "capabilities": {
- "add_capabilities": [
- "setuid",
- "setgid"
- ],
- "drop_capabilities": [
- "audit_write",
- "audit_read"
- ]
- },
- "selinux_options": {
- "user": "system_u",
- "role": "system_r",
- "type": "container_t",
- "level": "s0:c4,c5"
- },
- "user": {
- "uid": 5,
- "gid": 300,
- "additional_gids": [
- 400,
- 401,
- 402
- ]
+ "security_context": {
+ "capabilities": {
+ "add_capabilities": [
+ "setuid",
+ "setgid"
+ ],
+ "drop_capabilities": [
+ "audit_read"
+ ]
+ },
+ "selinux_options": {
+ "user": "system_u",
+ "role": "system_r",
+ "type": "container_t",
+ "level": "s0:c4,c5"
+ }
 }
 }
 }
diff --git a/test/testdata/container_config_seccomp.json b/test/testdata/container_config_seccomp.json
index 027c25e1..e63e931c 100644
--- a/test/testdata/container_config_seccomp.json
+++ b/test/testdata/container_config_seccomp.json
@@ -53,30 +53,22 @@
 "memory_limit_in_bytes": 88000000,
 "oom_score_adj": 30
 },
- "capabilities": {
- "add_capabilities": [
- "setuid",
- "setgid"
- ],
- "drop_capabilities": [
- "audit_write",
- "audit_read"
- ]
- },
- "selinux_options": {
- "user": "system_u",
- "role": "system_r",
- "type": "svirt_lxc_net_t",
- "level": "s0:c4-c5"
- },
- "user": {
- "uid": 5,
- "gid": 300,
- "additional_gids": [
- 400,
- 401,
- 402
- ]
+ "security_context": {
+ "capabilities": {
+ "add_capabilities": [
+ "setuid",
+ "setgid"
+ ],
+ "drop_capabilities": [
+ "audit_read"
+ ]
+ },
+ "selinux_options": {
+ "user": "system_u",
+ "role": "system_r",
+ "type": "svirt_lxc_net_t",
+ "level": "s0:c4-c5"
+ }
 }
 }
 }
diff --git a/test/testdata/container_exit_test.json b/test/testdata/container_exit_test.json
index bca99fb7..6ead905a 100644
--- a/test/testdata/container_exit_test.json
+++ b/test/testdata/container_exit_test.json
@@ -18,11 +18,5 @@
 "log_path": "",
 "stdin": false,
 "stdin_once": false,
- "tty": false,
- "linux": {
- "user": {
- "uid": 0,
- "gid": 0
- }
- }
+ "tty": false
 }
diff --git a/test/testdata/container_redis.json b/test/testdata/container_redis.json
index 839ca746..cbc9922c 100644
--- a/test/testdata/container_redis.json
+++ b/test/testdata/container_redis.json
@@ -51,14 +51,12 @@
 "memory_limit_in_bytes": 88000000,
 "oom_score_adj": 30
 },
- "capabilities": {
- "add_capabilities": [
- "sys_admin"
- ]
- },
- "user": {
- "uid": 0,
- "gid": 0
+ "security_context": {
+ "capabilities": {
+ "add_capabilities": [
+ "sys_admin"
+ ]
+ }
 }
 }
 }