Added DropCapabilities() and DropBoundingSet() API to libcontainer.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-06-23 18:30:25 +00:00 · 2014-06-23 18:30:25 +00:00 · ece2d83558
parent 4c55db7d58
commit ece2d83558
4 changed files with 16 additions and 8 deletions
--- a/namespaces/init.go
+++ b/namespaces/init.go
@ -195,7 +195,7 @@ func FinalizeNamespace(container *libcontainer.Container) error {
 	}

 	// drop capabilities in bounding set before changing user
-	if err := capabilities.DropBoundingSet(&container.Capabilities); err != nil {
+	if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
 		return fmt.Errorf("drop bounding set %s", err)
 	}

@ -213,7 +213,7 @@ func FinalizeNamespace(container *libcontainer.Container) error {
 	}

 	// drop all other capabilities
-	if err := capabilities.DropCapabilities(&container.Capabilities); err != nil {
+	if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
 		return fmt.Errorf("drop capabilities %s", err)
 	}

--- a/security/capabilities/capabilities.go
+++ b/security/capabilities/capabilities.go
@ -10,7 +10,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS

 // DropBoundingSet drops the capability bounding set to those specified in the
 // container configuration.
-func DropBoundingSet(capabilities *[]string) error {
+func DropBoundingSet(capabilities []string) error {
 	c, err := capability.NewPid(os.Getpid())
 	if err != nil {
 		return err
@ -28,7 +28,7 @@ func DropBoundingSet(capabilities *[]string) error {
 }

 // DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
-func DropCapabilities(capList *[]string) error {
+func DropCapabilities(capList []string) error {
 	c, err := capability.NewPid(os.Getpid())
 	if err != nil {
 		return err
@ -45,9 +45,9 @@ func DropCapabilities(capList *[]string) error {
 }

 // getEnabledCapabilities returns the capabilities that should not be dropped by the container.
-func getEnabledCapabilities(capList *[]string) []capability.Cap {
+func getEnabledCapabilities(capList []string) []capability.Cap {
 	keep := []capability.Cap{}
-	for _, capability := range *capList {
+	for _, capability := range capList {
 		if c := GetCapability(capability); c != nil {
 			keep = append(keep, c.Value)
 		}
--- a/security/capabilities/types_test.go
+++ b/security/capabilities/types_test.go
@ -10,10 +10,10 @@ func TestCapabilitiesContains(t *testing.T) {
 		GetCapability("SETPCAP"),
 	}

-	if caps.Contains("SYS_ADMIN") {
+	if caps.contains("SYS_ADMIN") {
 		t.Fatal("capabilities should not contain SYS_ADMIN")
 	}
-	if !caps.Contains("MKNOD") {
+	if !caps.contains("MKNOD") {
 		t.Fatal("capabilities should contain MKNOD but does not")
 	}
 }
--- a/utils.go
+++ b/utils.go
@ -39,3 +39,11 @@ func GetInternalNetworkSpec(net *Network) *network.Network {
 func GetAllCapabilities() []string {
 	return capabilities.GetAllCapabilities()
 }
+
+func DropBoundingSet(container *Container) error {
+	return capabilities.DropBoundingSet(container.Capabilities)
+}
+
+func DropCapabilities(container *Container) error {
+	return capabilities.DropCapabilities(container.Capabilities)
+}