runc/capabilities/capabilities.go

52 lines
1.8 KiB
Go
Raw Normal View History

package capabilities
import (
"github.com/dotcloud/docker/pkg/libcontainer"
"github.com/syndtr/gocapability/capability"
"os"
)
var capMap = map[libcontainer.Capability]capability.Cap{
libcontainer.CAP_SETPCAP: capability.CAP_SETPCAP,
libcontainer.CAP_SYS_MODULE: capability.CAP_SYS_MODULE,
libcontainer.CAP_SYS_RAWIO: capability.CAP_SYS_RAWIO,
libcontainer.CAP_SYS_PACCT: capability.CAP_SYS_PACCT,
libcontainer.CAP_SYS_ADMIN: capability.CAP_SYS_ADMIN,
libcontainer.CAP_SYS_NICE: capability.CAP_SYS_NICE,
libcontainer.CAP_SYS_RESOURCE: capability.CAP_SYS_RESOURCE,
libcontainer.CAP_SYS_TIME: capability.CAP_SYS_TIME,
libcontainer.CAP_SYS_TTY_CONFIG: capability.CAP_SYS_TTY_CONFIG,
libcontainer.CAP_MKNOD: capability.CAP_MKNOD,
libcontainer.CAP_AUDIT_WRITE: capability.CAP_AUDIT_WRITE,
libcontainer.CAP_AUDIT_CONTROL: capability.CAP_AUDIT_CONTROL,
libcontainer.CAP_MAC_OVERRIDE: capability.CAP_MAC_OVERRIDE,
libcontainer.CAP_MAC_ADMIN: capability.CAP_MAC_ADMIN,
libcontainer.CAP_NET_ADMIN: capability.CAP_NET_ADMIN,
}
// DropCapabilities drops capabilities for the current process based
// on the container's configuration.
func DropCapabilities(container *libcontainer.Container) error {
if drop := getCapabilities(container); len(drop) > 0 {
c, err := capability.NewPid(os.Getpid())
if err != nil {
return err
}
c.Unset(capability.CAPS|capability.BOUNDS, drop...)
if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil {
return err
}
}
return nil
}
// getCapabilities returns the specific cap values for the libcontainer types
func getCapabilities(container *libcontainer.Container) []capability.Cap {
drop := []capability.Cap{}
for _, c := range container.Capabilities {
drop = append(drop, capMap[c])
}
return drop
}