package capabilities
import (
	"fmt"
	"os"

	"github.com/dotcloud/docker/pkg/libcontainer"
	"github.com/syndtr/gocapability/capability"
)
// capMap translates libcontainer's capability identifiers into the
// gocapability constants used to edit the process capability sets.
//
// Only the identifiers listed here have a translation. A key absent from
// this map reads as capability.Cap's zero value (CAP_CHOWN in
// gocapability's numbering), so lookups must check the second return
// value rather than trust the result.
var capMap = map[libcontainer.Capability]capability.Cap{
	// Process and kernel control.
	libcontainer.CAP_SETPCAP:        capability.CAP_SETPCAP,
	libcontainer.CAP_SYS_MODULE:     capability.CAP_SYS_MODULE,
	libcontainer.CAP_SYS_RAWIO:      capability.CAP_SYS_RAWIO,
	libcontainer.CAP_SYS_PACCT:      capability.CAP_SYS_PACCT,
	libcontainer.CAP_SYS_ADMIN:      capability.CAP_SYS_ADMIN,
	libcontainer.CAP_SYS_NICE:       capability.CAP_SYS_NICE,
	libcontainer.CAP_SYS_RESOURCE:   capability.CAP_SYS_RESOURCE,
	libcontainer.CAP_SYS_TIME:       capability.CAP_SYS_TIME,
	libcontainer.CAP_SYS_TTY_CONFIG: capability.CAP_SYS_TTY_CONFIG,
	libcontainer.CAP_MKNOD:          capability.CAP_MKNOD,

	// Audit subsystem.
	libcontainer.CAP_AUDIT_WRITE:   capability.CAP_AUDIT_WRITE,
	libcontainer.CAP_AUDIT_CONTROL: capability.CAP_AUDIT_CONTROL,

	// Mandatory access control.
	libcontainer.CAP_MAC_OVERRIDE: capability.CAP_MAC_OVERRIDE,
	libcontainer.CAP_MAC_ADMIN:    capability.CAP_MAC_ADMIN,

	// Networking.
	libcontainer.CAP_NET_ADMIN: capability.CAP_NET_ADMIN,
}
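// DropCapabilities drops capabilities for the current process based
// on the container's configuration.
//
// Each entry of container.Capabilities is translated through capMap and
// removed from the calling process's CAPS (effective, permitted and
// inheritable) and BOUNDS (bounding) sets, so a dropped capability
// cannot be regained by a later execve either. Unset only edits the
// in-memory copy of the sets; the final Apply commits them to the kernel.
//
// An entry with no mapping in capMap is reported as an error instead of
// being dropped: an unmapped key would otherwise read as the map's zero
// value (CAP_CHOWN in gocapability's numbering) and the capability the
// configuration asked to drop would stay in place.
//
// Returns nil when there is nothing to drop or when the drop succeeded;
// otherwise the error from the lookup, from capability.NewPid or from
// Apply.
func DropCapabilities(container *libcontainer.Container) error {
	// Validate the whole list before touching the process so a bad
	// configuration fails cleanly instead of dropping the wrong capability.
	for _, name := range container.Capabilities {
		if _, ok := capMap[name]; !ok {
			return fmt.Errorf("unknown capability %v in container configuration", name)
		}
	}

	drop := getCapabilities(container)
	if len(drop) == 0 {
		return nil
	}

	caps, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}
	caps.Unset(capability.CAPS|capability.BOUNDS, drop...)
	return caps.Apply(capability.CAPS | capability.BOUNDS)
}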
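// getCapabilities returns the specific cap values for the libcontainer types
// listed in container.Capabilities, in the same order.
//
// Entries without a mapping in capMap are skipped rather than emitted as
// capability.Cap's zero value (CAP_CHOWN in gocapability's numbering), so a
// misspelt or unsupported name can never translate into dropping an
// unrelated capability. This helper only translates; callers that must
// reject unknown entries check capMap themselves.
//
// The result is never nil; it is empty when nothing maps.
func getCapabilities(container *libcontainer.Container) []capability.Cap {
	drop := make([]capability.Cap, 0, len(container.Capabilities))
	for _, name := range container.Capabilities {
		if c, ok := capMap[name]; ok {
			drop = append(drop, c)
		}
	}
	return drop
}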