diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index ba755da8..39b83a4e 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -119,9 +119,11 @@ func finalizeNamespace(config *initConfig) error {
 return err
 }
 
- capabilities := config.Config.Capabilities
+ capabilities := &configs.Capabilities{}
 if config.Capabilities != nil {
 capabilities = config.Capabilities
+ } else if config.Config.Capabilities != nil {
+ capabilities = config.Config.Capabilities
 }
 w, err := newContainerCapList(capabilities)
 if err != nil {
diff --git a/libcontainer/integration/exec_test.go b/libcontainer/integration/exec_test.go
index 1e38b941..f3dd72a3 100644
--- a/libcontainer/integration/exec_test.go
+++ b/libcontainer/integration/exec_test.go
@@ -339,6 +339,57 @@ func TestProcessEnv(t *testing.T) {
 }
 }
 
+func TestProcessEmptyCaps(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+ root, err := newTestRoot()
+ ok(t, err)
+ defer os.RemoveAll(root)
+
+ rootfs, err := newRootfs()
+ ok(t, err)
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ config.Capabilities = nil
+
+ container, err := factory.Create("test", config)
+ ok(t, err)
+ defer container.Destroy()
+
+ var stdout bytes.Buffer
+ pconfig := libcontainer.Process{
+ Cwd: "/",
+ Args: []string{"sh", "-c", "cat /proc/self/status"},
+ Env: standardEnvironment,
+ Stdin: nil,
+ Stdout: &stdout,
+ }
+ err = container.Run(&pconfig)
+ ok(t, err)
+
+ // Wait for process
+ waitProcess(&pconfig, t)
+
+ outputStatus := string(stdout.Bytes())
+
+ lines := strings.Split(outputStatus, "\n")
+
+ effectiveCapsLine := ""
+ for _, l := range lines {
+ line := strings.TrimSpace(l)
+ if strings.Contains(line, "CapEff:") {
+ effectiveCapsLine = line
+ break
+ }
+ }
+
+ if effectiveCapsLine == "" {
+ t.Fatal("Couldn't find effective caps: ", outputStatus)
+ }
+}
+
 func TestProcessCaps(t *testing.T) {
 if testing.Short() {
 return
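Review bot: In finalizeNamespace (libcontainer/init_linux.go) the new `&configs.Capabilities{}` default is a security-relevant choice that the code does not explain: when neither the process nor the container config carries a capability set, the process now gets an empty set instead of a nil pointer. Assuming newContainerCapList treats an empty struct as "no capabilities" (it is not visible in this hunk), that is the fail-closed behaviour, and stating it keeps a later refactor from turning nil into "keep everything". A comment above the declaration such as `// No capabilities configured at either level: fall back to an empty set so nothing is retained.` would cover it. The same comment should mention that a process-level set replaces the container-level set outright rather than being intersected with it, since that precedence decides what an exec'd process can hold. The function body starts and ends outside the hunk.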
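Review bot: TestProcessEmptyCaps only checks that a `CapEff:` line is present in /proc/self/status, which holds for every process, so the test would still pass if a nil capability config left the container process with a full effective set. If nil is meant to yield no capabilities, assert the value itself, e.g. `if f := strings.Fields(effectiveCapsLine); len(f) != 2 || strings.Trim(f[1], "0") != "" { t.Fatalf("expected empty effective caps, got %q", effectiveCapsLine) }`. Two smaller points: `stdout.String()` is the idiomatic form of `string(stdout.Bytes())`, and calling `t.Skip` in the `testing.Short()` branch would report the test as skipped rather than passed.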