container_create: handle cap add/drop ALL

Kubelet can send cap add/drop ALL. Handle that in CRI-O as well. Also, this PR is re-vendoring runtime-tools to fix capabilities add to add caps to _all_ caps set **and** fix a shared memory issue (caps set were initialized with the same slice, if one modifies one slice, it's reflected on the other slices, the vendoring fixes this as well) Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-09-06 13:25:19 +02:00 · 2017-09-06 13:25:19 +02:00 · af0a494251
commit af0a494251
parent 7f4f630b98
25 changed files with 2057 additions and 283 deletions
--- a/server/utils.go
+++ b/server/utils.go
@ -7,6 +7,8 @@ import (
 	"strings"

 	"github.com/cri-o/ocicni/pkg/ocicni"
+	"github.com/opencontainers/runtime-tools/validate"
+	"github.com/syndtr/gocapability/capability"
 )

 const (
@ -155,3 +157,26 @@ func newPodNetwork(namespace, name, id, netns string) ocicni.PodNetwork {
 		NetNS:     netns,
 	}
 }
+
+// inStringSlice checks whether a string is inside a string slice.
+// Comparison is case insensitive.
+func inStringSlice(ss []string, str string) bool {
+	for _, s := range ss {
+		if strings.ToLower(s) == strings.ToLower(str) {
+			return true
+		}
+	}
+	return false
+}
+
+// getOCICapabilitiesList returns a list of all available capabilities.
+func getOCICapabilitiesList() []string {
+	var caps []string
+	for _, cap := range capability.List() {
+		if cap > validate.LastCap() {
+			continue
+		}
+		caps = append(caps, "CAP_"+strings.ToUpper(cap.String()))
+	}
+	return caps
+}