Make libcontainer's CapabilitiesMask into a []string (Capabilities).

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
This commit is contained in:
Victor Marmol 2014-05-17 00:44:10 +00:00
parent afea8ea5d0
commit 6ecb140618
5 changed files with 41 additions and 45 deletions

View File

@ -19,7 +19,7 @@ type Container struct {
Env []string `json:"environment,omitempty"` // environment to set
Tty bool `json:"tty,omitempty"` // setup a proper tty or not
Namespaces map[string]bool `json:"namespaces,omitempty"` // namespaces to apply
CapabilitiesMask map[string]bool `json:"capabilities_mask,omitempty"` // capabilities to drop
Capabilities []string `json:"capabilities,omitempty"` // capabilities given to the container
Networks []*Network `json:"networks,omitempty"` // nil for host's network stack
Cgroups *cgroups.Cgroup `json:"cgroups,omitempty"` // cgroups
Context Context `json:"context,omitempty"` // generic context for specific options (apparmor, selinux)

View File

@ -24,24 +24,9 @@
"mtu": 1500
}
],
"capabilities_mask": {
"SYSLOG": false,
"MKNOD": true,
"NET_ADMIN": false,
"MAC_ADMIN": false,
"MAC_OVERRIDE": false,
"AUDIT_CONTROL": false,
"AUDIT_WRITE": false,
"SYS_TTY_CONFIG": false,
"SETPCAP": false,
"SYS_MODULE": false,
"SYS_RAWIO": false,
"SYS_PACCT": false,
"SYS_ADMIN": false,
"SYS_NICE": false,
"SYS_RESOURCE": false,
"SYS_TIME": false
},
"capabilities": [
"MKNOD"
],
"cgroups": {
"name": "docker-koye",
"parent": "docker"

View File

@ -6,6 +6,16 @@ import (
"testing"
)
// Checks whether the expected capability is specified in the capabilities.
func hasCapability(expected string, capabilities []string) bool {
for _, capability := range capabilities {
if capability == expected {
return true
}
}
return false
}
func TestContainerJsonFormat(t *testing.T) {
f, err := os.Open("container.json")
if err != nil {
@ -37,22 +47,17 @@ func TestContainerJsonFormat(t *testing.T) {
t.Fail()
}
if _, exists := container.CapabilitiesMask["SYS_ADMIN"]; !exists {
t.Log("capabilities mask should contain SYS_ADMIN")
t.Fail()
}
if container.CapabilitiesMask["SYS_ADMIN"] {
if hasCapability("SYS_ADMIN", container.Capabilities) {
t.Log("SYS_ADMIN should not be enabled in capabilities mask")
t.Fail()
}
if !container.CapabilitiesMask["MKNOD"] {
if !hasCapability("MKNOD", container.Capabilities) {
t.Log("MKNOD should be enabled in capabilities mask")
t.Fail()
}
if container.CapabilitiesMask["SYS_CHROOT"] {
if hasCapability("SYS_CHROOT", container.Capabilities) {
t.Log("capabilities mask should not contain SYS_CHROOT")
t.Fail()
}

View File

@ -26,15 +26,13 @@ func DropCapabilities(container *libcontainer.Container) error {
return nil
}
// getCapabilitiesMask returns the capabilities that should not be dropped by the container.
// getEnabledCapabilities returns the capabilities that should not be dropped by the container.
func getEnabledCapabilities(container *libcontainer.Container) []capability.Cap {
keep := []capability.Cap{}
for key, enabled := range container.CapabilitiesMask {
if enabled {
if c := libcontainer.GetCapability(key); c != nil {
for _, capability := range container.Capabilities {
if c := libcontainer.GetCapability(capability); c != nil {
keep = append(keep, c.Value)
}
}
}
return keep
}

View File

@ -123,6 +123,14 @@ func GetCapability(key string) *Capability {
return nil
}
func GetAllCapabilities() []string {
output := make([]string, len(capabilityList))
for i, capability := range capabilityList {
output[i] = capability.String()
}
return output
}
// Contains returns true if the specified Capability is
// in the slice
func (c Capabilities) Contains(capp string) bool {