2014-02-19 00:56:11 +00:00
|
|
|
package capabilities
|
|
|
|
|
|
|
|
import (
|
2014-05-05 19:34:21 +00:00
|
|
|
"os"
|
|
|
|
|
2014-02-19 00:56:11 +00:00
|
|
|
"github.com/dotcloud/docker/pkg/libcontainer"
|
|
|
|
"github.com/syndtr/gocapability/capability"
|
|
|
|
)
|
|
|
|
|
|
|
|
// DropCapabilities drops capabilities for the current process based
|
|
|
|
// on the container's configuration.
|
|
|
|
func DropCapabilities(container *libcontainer.Container) error {
|
2014-03-17 17:16:34 +00:00
|
|
|
if drop := getCapabilitiesMask(container); len(drop) > 0 {
|
2014-02-19 00:56:11 +00:00
|
|
|
c, err := capability.NewPid(os.Getpid())
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
c.Unset(capability.CAPS|capability.BOUNDS, drop...)
|
|
|
|
|
|
|
|
if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2014-03-17 17:16:34 +00:00
|
|
|
// getCapabilitiesMask returns the specific cap mask values for the libcontainer types
|
|
|
|
func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap {
|
2014-02-19 00:56:11 +00:00
|
|
|
drop := []capability.Cap{}
|
2014-05-05 19:34:21 +00:00
|
|
|
for key, enabled := range container.CapabilitiesMask {
|
|
|
|
if !enabled {
|
|
|
|
if c := libcontainer.GetCapability(key); c != nil {
|
|
|
|
drop = append(drop, c.Value)
|
|
|
|
}
|
2014-03-21 00:10:24 +00:00
|
|
|
}
|
2014-02-19 00:56:11 +00:00
|
|
|
}
|
|
|
|
return drop
|
|
|
|
}
|