jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #358 from avagin/capabilities 

namespaces: allow to use pid namespace without mount namespace
This commit is contained in:
Victor Marmol 2015-02-03 15:05:54 -08:00
parent e59984353a 21c344a479
commit 2da44f8c7b
4 changed files with 14 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
security/capabilities/capabilities.go
View File

@ -1,8 +1,6 @@
package capabilities package capabilities
import ( import (
"os"
"github.com/syndtr/gocapability/capability" "github.com/syndtr/gocapability/capability"
) )
@ -11,7 +9,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS
// DropBoundingSet drops the capability bounding set to those specified in the // DropBoundingSet drops the capability bounding set to those specified in the
// container configuration. // container configuration.
func DropBoundingSet(capabilities []string) error { func DropBoundingSet(capabilities []string) error {
c, err := capability.NewPid(os.Getpid()) c, err := capability.NewPid(0)
if err != nil { if err != nil {
return err return err
} }
@ -29,7 +27,7 @@ func DropBoundingSet(capabilities []string) error {
// DropCapabilities drops all capabilities for the current process except those specified in the container configuration. // DropCapabilities drops all capabilities for the current process except those specified in the container configuration.
func DropCapabilities(capList []string) error { func DropCapabilities(capList []string) error {
c, err := capability.NewPid(os.Getpid()) c, err := capability.NewPid(0)
if err != nil { if err != nil {
return err return err
} }

2
update-vendor.sh
View File

@ -43,6 +43,6 @@ clone() {
clone git github.com/codegangsta/cli 1.1.0 clone git github.com/codegangsta/cli 1.1.0
clone git github.com/coreos/go-systemd v2 clone git github.com/coreos/go-systemd v2
clone git github.com/godbus/dbus v2 clone git github.com/godbus/dbus v2
clone git github.com/syndtr/gocapability 3c85049eae clone git github.com/syndtr/gocapability 1cf3ac4dc4
# intentionally not vendoring Docker itself... that'd be a circle :) # intentionally not vendoring Docker itself... that'd be a circle :)

3
vendor/src/github.com/syndtr/gocapability/capability/capability.go vendored
View File

@ -60,7 +60,8 @@ type Capabilities interface {
Apply(kind CapType) error Apply(kind CapType) error
} }
// NewPid create new initialized Capabilities object for given pid. // NewPid create new initialized Capabilities object for given pid when it
// is nonzero, or for the current pid if pid is 0
func NewPid(pid int) (Capabilities, error) { func NewPid(pid int) (Capabilities, error) {
return newPid(pid) return newPid(pid)
} }

10
vendor/src/github.com/syndtr/gocapability/capability/capability_linux.go vendored
View File

@ -351,7 +351,15 @@ func (c *capsV3) Load() (err error) {
return return
} }
f, err := os.Open(fmt.Sprintf("/proc/%d/status", c.hdr.pid)) var status_path string
if c.hdr.pid == 0 {
status_path = fmt.Sprintf("/proc/self/status")
} else {
status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
}
f, err := os.Open(status_path)
if err != nil { if err != nil {
return return
} }