diff --git a/README.md b/README.md index 2c85111b..e967f6d7 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ Sample `container.json` file: "HOSTNAME=11bb30683fb0", "TERM=xterm" ], - "capabilities" : [ + "capabilities_mask" : [ "SETPCAP", "SYS_MODULE", "SYS_RAWIO", diff --git a/capabilities/capabilities.go b/capabilities/capabilities.go index 3c6d7524..fbf73538 100644 --- a/capabilities/capabilities.go +++ b/capabilities/capabilities.go @@ -9,7 +9,7 @@ import ( // DropCapabilities drops capabilities for the current process based // on the container's configuration. func DropCapabilities(container *libcontainer.Container) error { - if drop := getCapabilities(container); len(drop) > 0 { + if drop := getCapabilitiesMask(container); len(drop) > 0 { c, err := capability.NewPid(os.Getpid()) if err != nil { return err @@ -23,10 +23,10 @@ func DropCapabilities(container *libcontainer.Container) error { return nil } -// getCapabilities returns the specific cap values for the libcontainer types -func getCapabilities(container *libcontainer.Container) []capability.Cap { +// getCapabilitiesMask returns the specific cap mask values for the libcontainer types +func getCapabilitiesMask(container *libcontainer.Container) []capability.Cap { drop := []capability.Cap{} - for _, c := range container.Capabilities { + for _, c := range container.CapabilitiesMask { drop = append(drop, c.Value) } return drop diff --git a/container.go b/container.go index 14b4b65d..c7cac354 100644 --- a/container.go +++ b/container.go @@ -11,19 +11,19 @@ type Context map[string]string // Container defines configuration options for how a // container is setup inside a directory and how a process should be executed type Container struct { - Hostname string `json:"hostname,omitempty"` // hostname - ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly - NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk - User string `json:"user,omitempty"` // user to execute the process as - WorkingDir string `json:"working_dir,omitempty"` // current working directory - Env []string `json:"environment,omitempty"` // environment to set - Tty bool `json:"tty,omitempty"` // setup a proper tty or not - Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply - Capabilities Capabilities `json:"capabilities,omitempty"` // capabilities to drop - Networks []*Network `json:"networks,omitempty"` // nil for host's network stack - Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups - Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux) - Mounts []Mount `json:"mounts,omitempty"` + Hostname string `json:"hostname,omitempty"` // hostname + ReadonlyFs bool `json:"readonly_fs,omitempty"` // set the containers rootfs as readonly + NoPivotRoot bool `json:"no_pivot_root,omitempty"` // this can be enabled if you are running in ramdisk + User string `json:"user,omitempty"` // user to execute the process as + WorkingDir string `json:"working_dir,omitempty"` // current working directory + Env []string `json:"environment,omitempty"` // environment to set + Tty bool `json:"tty,omitempty"` // setup a proper tty or not + Namespaces Namespaces `json:"namespaces,omitempty"` // namespaces to apply + CapabilitiesMask Capabilities `json:"capabilities_mask,omitempty"` // capabilities to drop + Networks []*Network `json:"networks,omitempty"` // nil for host's network stack + Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups + Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux) + Mounts []Mount `json:"mounts,omitempty"` } // Network defines configuration for a container's networking stack diff --git a/container.json b/container.json index 83e40746..f045315a 100644 --- a/container.json +++ b/container.json @@ -14,7 +14,7 @@ "NEWUTS", "NEWNET" ], - "capabilities": [ + "capabilities_mask": [ "SETPCAP", "SYS_MODULE", "SYS_RAWIO",