Pass down process Capabilities and apply them if present.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

container_linux.go

@@ -193,12 +193,13 @@ func (c *linuxContainer) newSetnsProcess(p *Process, cmd *exec.Cmd, parentPipe,
 
 func (c *linuxContainer) newInitConfig(process *Process) *initConfig {
 	return &initConfig{
-		Config:  c.config,
+		Config:       c.config,
-		Args:    process.Args,
+		Args:         process.Args,
-		Env:     process.Env,
+		Env:          process.Env,
-		User:    process.User,
+		User:         process.User,
-		Cwd:     process.Cwd,
+		Cwd:          process.Cwd,
-		Console: process.consolePath,
+		Console:      process.consolePath,
+		Capabilities: process.Capabilities,
 	}
 }
 

init_linux.go

@@ -40,13 +40,14 @@ type network struct {
 
 // initConfig is used for transferring parameters from Exec() to Init()
 type initConfig struct {
-	Args     []string        `json:"args"`
+	Args         []string        `json:"args"`
-	Env      []string        `json:"env"`
+	Env          []string        `json:"env"`
-	Cwd      string          `json:"cwd"`
+	Cwd          string          `json:"cwd"`
-	User     string          `json:"user"`
+	Capabilities []string        `json:"capabilities"`
-	Config   *configs.Config `json:"config"`
+	User         string          `json:"user"`
-	Console  string          `json:"console"`
+	Config       *configs.Config `json:"config"`
-	Networks []*network      `json:"network"`
+	Console      string          `json:"console"`
+	Networks     []*network      `json:"network"`
 }
 
 type initer interface {
@@ -99,7 +100,12 @@ func finalizeNamespace(config *initConfig) error {
 	if err := utils.CloseExecFrom(3); err != nil {
 		return err
 	}
-	w, err := newCapWhitelist(config.Config.Capabilities)
+
+	capabilities := config.Config.Capabilities
+	if config.Capabilities != nil {
+		capabilities = config.Capabilities
+	}
+	w, err := newCapWhitelist(capabilities)
 	if err != nil {
 		return err
 	}