moby--moby/daemon/execdriver/utils.go

package execdriver

import (
	"fmt"
	"strings"

	"github.com/docker/docker/utils"
	"github.com/docker/libcontainer/security/capabilities"
)

func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
	var (
		newCaps []string
		allCaps = capabilities.GetAllCapabilities()
	)

	// look for invalid cap in the drop list
	for _, cap := range drops {
		if strings.ToLower(cap) == "all" {
			continue
		}
		if !utils.StringsContainsNoCase(allCaps, cap) {
			return nil, fmt.Errorf("Unknown capability drop: %q", cap)
		}
	}

	// handle --cap-add=all
	if utils.StringsContainsNoCase(adds, "all") {
		basics = capabilities.GetAllCapabilities()
	}

	if !utils.StringsContainsNoCase(drops, "all") {
		for _, cap := range basics {
			// skip `all` aready handled above
			if strings.ToLower(cap) == "all" {
				continue
			}

			// if we don't drop `all`, add back all the non-dropped caps
			if !utils.StringsContainsNoCase(drops, cap) {
				newCaps = append(newCaps, strings.ToUpper(cap))
			}
		}
	}

	for _, cap := range adds {
		// skip `all` aready handled above
		if strings.ToLower(cap) == "all" {
			continue
		}

		if !utils.StringsContainsNoCase(allCaps, cap) {
			return nil, fmt.Errorf("Unknown capability to add: %q", cap)
		}

		// add cap if not already in the list
		if !utils.StringsContainsNoCase(newCaps, cap) {
			newCaps = append(newCaps, strings.ToUpper(cap))
		}
	}

	return newCaps, nil
}
small refactoring Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:11:35 -04:00			`package execdriver`

add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`import (`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`"fmt"`
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`"strings"`

update go import path and libcontainer Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-24 18:19:50 -04:00			`"github.com/docker/docker/utils"`
gofmt -s -w Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-24 18:25:29 -04:00			`"github.com/docker/libcontainer/security/capabilities"`
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`)`
small refactoring Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:11:35 -04:00
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`func TweakCapabilities(basics, adds, drops []string) ([]string, error) {`
			`var (`
			`newCaps []string`
			`allCaps = capabilities.GetAllCapabilities()`
			`)`
support add and drop in both order Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:02:39 -04:00
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`// look for invalid cap in the drop list`
			`for _, cap := range drops {`
			`if strings.ToLower(cap) == "all" {`
			`continue`
			`}`
			`if !utils.StringsContainsNoCase(allCaps, cap) {`
Fix cap drop issues with lxc This uses "," instead of spaces so that the flags are parsed correctly and also does not do a strings.Split on an empty string because strings.Split will return a slice with one element, and empty string causing parsing to fail when it validates that the cap exists. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-07-16 15:14:26 -04:00			`return nil, fmt.Errorf("Unknown capability drop: %q", cap)`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`}`
			`}`

			`// handle --cap-add=all`
support add and drop in both order Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:02:39 -04:00			`if utils.StringsContainsNoCase(adds, "all") {`
			`basics = capabilities.GetAllCapabilities()`
			`}`

add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`if !utils.StringsContainsNoCase(drops, "all") {`
			`for _, cap := range basics {`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			// skip `all` aready handled above
			`if strings.ToLower(cap) == "all" {`
			`continue`
			`}`

			// if we don't drop `all`, add back all the non-dropped caps
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`if !utils.StringsContainsNoCase(drops, cap) {`
Allow case insensitive caps for add and drop Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-07-16 14:47:55 -04:00			`newCaps = append(newCaps, strings.ToUpper(cap))`
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`}`
small refactoring Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:11:35 -04:00			`}`
			`}`

			`for _, cap := range adds {`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			// skip `all` aready handled above
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`if strings.ToLower(cap) == "all" {`
support add and drop in both order Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:02:39 -04:00			`continue`
add basic support for 'all' Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:31:01 -04:00			`}`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00
			`if !utils.StringsContainsNoCase(allCaps, cap) {`
Fix cap drop issues with lxc This uses "," instead of spaces so that the flags are parsed correctly and also does not do a strings.Split on an empty string because strings.Split will return a slice with one element, and empty string causing parsing to fail when it validates that the cap exists. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-07-16 15:14:26 -04:00			`return nil, fmt.Errorf("Unknown capability to add: %q", cap)`
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`}`

			`// add cap if not already in the list`
			`if !utils.StringsContainsNoCase(newCaps, cap) {`
Allow case insensitive caps for add and drop Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-07-16 14:47:55 -04:00			`newCaps = append(newCaps, strings.ToUpper(cap))`
small refactoring Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:11:35 -04:00			`}`
			`}`
Fix cap drop issues with lxc This uses "," instead of spaces so that the flags are parsed correctly and also does not do a strings.Split on an empty string because strings.Split will return a slice with one element, and empty string causing parsing to fail when it validates that the cap exists. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael) 2014-07-16 15:14:26 -04:00
add check for invalid caps Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 19:38:11 -04:00			`return newCaps, nil`
small refactoring Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux) 2014-07-10 18:11:35 -04:00			`}`