32 lines
965 B
Go
32 lines
965 B
Go
|
package daemon // import "github.com/docker/docker/daemon"
|
||
|
|
|
||
|
|
import (
|
||
|
|
"github.com/docker/docker/container"
|
||
|
|
"github.com/docker/docker/daemon/caps"
|
||
|
|
specs "github.com/opencontainers/runtime-spec/specs-go"
|
||
|
|
)
|
||
|
|
|
||
|
|
func setCapabilities(s *specs.Spec, c *container.Container) error {
|
||
|
|
var caplist []string
|
||
|
|
var err error
|
||
|
|
if c.HostConfig.Privileged {
|
||
|
|
caplist = caps.GetAllCapabilities()
|
||
|
|
} else {
|
||
|
|
caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
|
||
|
|
if err != nil {
|
||
|
|
return err
|
||
|
|
}
|
||
|
|
}
|
||
|
|
s.Process.Capabilities.Effective = caplist
|
||
|
|
s.Process.Capabilities.Bounding = caplist
|
||
|
|
s.Process.Capabilities.Permitted = caplist
|
||
|
|
s.Process.Capabilities.Inheritable = caplist
|
||
|
|
// setUser has already been executed here
|
||
|
|
// if non root drop capabilities in the way execve does
|
||
|
|
if s.Process.User.UID != 0 {
|
||
|
|
s.Process.Capabilities.Effective = []string{}
|
||
|
|
s.Process.Capabilities.Permitted = []string{}
|
||
|
|
}
|
||
|
|
return nil
|
||
|
|
}
|