From e0d677594ceee523a5ca9cdc0fcbf53a532a164e Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 6 May 2017 14:52:45 +0200
Subject: [PATCH] [DROP #493] disable caps set
Signed-off-by: Antonio Murdaca
---
 server/container_create.go | 50 +++++++++++++++++++-------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/server/container_create.go b/server/container_create.go
index 38fc3c6f..f4af1eb2 100644
--- a/server/container_create.go
+++ b/server/container_create.go
@@ -399,32 +399,32 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 }
- capabilities := linux.GetSecurityContext().GetCapabilities()
- toCAPPrefixed := func(cap string) string {
- if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
- return "CAP_" + cap
- }
- return cap
- }
- if capabilities != nil {
- addCaps := capabilities.AddCapabilities
- if addCaps != nil {
- for _, cap := range addCaps {
- if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
- return nil, err
- }
- }
- }
+ //capabilities := linux.GetSecurityContext().GetCapabilities()
+ //toCAPPrefixed := func(cap string) string {
+ //if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
+ //return "CAP_" + cap
+ //}
+ //return cap
+ //}
+ //if capabilities != nil {
+ //addCaps := capabilities.AddCapabilities
+ //if addCaps != nil {
+ //for _, cap := range addCaps {
+ //if err := specgen.AddProcessCapability(toCAPPrefixed(cap)); err != nil {
+ //return nil, err
+ //}
+ //}
+ //}
- dropCaps := capabilities.DropCapabilities
- if dropCaps != nil {
- for _, cap := range dropCaps {
- if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
- return nil, err
- }
- }
- }
- }
+ //dropCaps := capabilities.DropCapabilities
+ //if dropCaps != nil {
+ //for _, cap := range dropCaps {
+ //if err := specgen.DropProcessCapability(toCAPPrefixed(cap)); err != nil {
+ //return nil, err
+ //}
+ //}
+ //}
+ //}
 specgen.SetProcessSelinuxLabel(sb.processLabel)
 specgen.SetLinuxMountLabel(sb.mountLabel)
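Review bot: Commenting out this block means the `AddCapabilities` and `DropCapabilities` lists from the container's security context are ignored without any signal, so a workload that asked for a reduced capability set starts with whatever defaults `specgen` already holds. If the handling has to stay off while #493 is open, the request should fail, or at least be logged, when either list is non-empty, e.g. `if c := linux.GetSecurityContext().GetCapabilities(); c != nil && len(c.DropCapabilities) > 0 { return nil, errors.New("dropping capabilities is temporarily disabled") }`, using whichever error package the file already imports. The commented-out lines also carry no explanation; a single line such as `// TODO(#493): capability handling temporarily disabled` above them would say why. createSandboxContainer begins and ends outside the hunk, so whether `strings` is still referenced elsewhere in the file (it would otherwise be an unused import) cannot be confirmed from here.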