diff --git a/libcontainer/README.md b/libcontainer/README.md index b58b789..70f22f5 100644 --- a/libcontainer/README.md +++ b/libcontainer/README.md @@ -43,11 +43,11 @@ Sample `container.json` file: "capabilities_mask" : [ { "key": "SETPCAP", - "enabled": true + "enabled": false }, { "key": "SYS_MODULE", - "enabled": true + "enabled": false }, { "key": "SYS_RAWIO", @@ -55,27 +55,27 @@ Sample `container.json` file: }, { "key": "SYS_PACCT", - "enabled": true + "enabled": false }, { "key": "SYS_ADMIN", - "enabled": true + "enabled": false }, { "key": "SYS_NICE", - "enabled": true + "enabled": false }, { "key": "SYS_RESOURCE", - "enabled": true + "enabled": false }, { "key": "SYS_TIME", - "enabled": true + "enabled": false }, { "key": "SYS_TTY_CONFIG", - "enabled": true + "enabled": false }, { "key": "MKNOD", @@ -83,23 +83,23 @@ Sample `container.json` file: }, { "key": "AUDIT_WRITE", - "enabled": true + "enabled": false }, { "key": "AUDIT_CONTROL", - "enabled": true + "enabled": false }, { "key": "MAC_OVERRIDE", - "enabled": true + "enabled": false }, { "key": "MAC_ADMIN", - "enabled": true + "enabled": false }, { "key": "NET_ADMIN", - "enabled": true + "enabled": false } ], "context" : { diff --git a/libcontainer/container.json b/libcontainer/container.json index 03a5091..68f9504 100644 --- a/libcontainer/container.json +++ b/libcontainer/container.json @@ -32,11 +32,11 @@ "capabilities_mask": [ { "key": "SETPCAP", - "enabled": true + "enabled": false }, { "key": "SYS_MODULE", - "enabled": true + "enabled": false }, { "key": "SYS_RAWIO", @@ -44,27 +44,27 @@ }, { "key": "SYS_PACCT", - "enabled": true + "enabled": false }, { "key": "SYS_ADMIN", - "enabled": true + "enabled": false }, { "key": "SYS_NICE", - "enabled": true + "enabled": false }, { "key": "SYS_RESOURCE", - "enabled": true + "enabled": false }, { "key": "SYS_TIME", - "enabled": true + "enabled": false }, { "key": "SYS_TTY_CONFIG", - "enabled": true + "enabled": false }, { "key": "MKNOD", @@ -72,23 +72,23 @@ }, { "key": "AUDIT_WRITE", - "enabled": true + "enabled": false }, { "key": "AUDIT_CONTROL", - "enabled": true + "enabled": false }, { "key": "MAC_OVERRIDE", - "enabled": true + "enabled": false }, { "key": "MAC_ADMIN", - "enabled": true + "enabled": false }, { "key": "NET_ADMIN", - "enabled": true + "enabled": false } ], "networks": [{ diff --git a/libcontainer/container_test.go b/libcontainer/container_test.go index 06e7979..c413c7c 100644 --- a/libcontainer/container_test.go +++ b/libcontainer/container_test.go @@ -15,8 +15,7 @@ func TestContainerJsonFormat(t *testing.T) { var container *Container if err := json.NewDecoder(f).Decode(&container); err != nil { - t.Log("failed to decode container config") - t.FailNow() + t.Fatal("failed to decode container config") } if container.Hostname != "koye" { t.Log("hostname is not set") @@ -39,12 +38,22 @@ func TestContainerJsonFormat(t *testing.T) { } if !container.CapabilitiesMask.Contains("SYS_ADMIN") { - t.Log("capabilities should contain SYS_ADMIN") + t.Log("capabilities mask should contain SYS_ADMIN") + t.Fail() + } + + if container.CapabilitiesMask.Get("SYS_ADMIN").Enabled { + t.Log("SYS_ADMIN should not be enabled in capabilities mask") + t.Fail() + } + + if !container.CapabilitiesMask.Get("MKNOD").Enabled { + t.Log("MKNOD should be enabled in capabilities mask") t.Fail() } if container.CapabilitiesMask.Contains("SYS_CHROOT") { - t.Log("capabitlies should not contain SYS_CHROOT") + t.Log("capabilities mask should not contain SYS_CHROOT") t.Fail() }