From 1308a3a99faa13ff279dcb4eb5ad23aee3ab5cdb Mon Sep 17 00:00:00 2001
From: Olli Janatuinen
Date: Thu, 14 Nov 2019 19:53:52 +0200
Subject: [PATCH] Move DefaultCapabilities() to caps package
Signed-off-by: Olli Janatuinen
---
 daemon/oci_linux.go | 2 +-
 daemon/oci_windows.go | 2 +-
 oci/caps/defaults.go | 21 +++++++++++++++++++++
 oci/defaults.go | 29 +++++------------------------
 4 files changed, 28 insertions(+), 26 deletions(-)
 create mode 100644 oci/caps/defaults.go
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index ac102e48c0..65d2e48ef7 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -139,7 +139,7 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
 func WithCapabilities(c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
 capabilities, err := caps.TweakCapabilities(
- oci.DefaultCapabilities(),
+ caps.DefaultCapabilities(),
 c.HostConfig.CapAdd,
 c.HostConfig.CapDrop,
 c.HostConfig.Capabilities,
diff --git a/daemon/oci_windows.go b/daemon/oci_windows.go
index d73d4d5129..3b4d46dd12 100644
--- a/daemon/oci_windows.go
+++ b/daemon/oci_windows.go
@@ -390,7 +390,7 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
 // Note these are against the UVM.
 setResourcesInSpec(c, s, true) // LCOW is Hyper-V only
- capabilities, err := caps.TweakCapabilities(oci.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)
+ capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)
 if err != nil {
 return fmt.Errorf("linux spec capabilities: %v", err)
 }
diff --git a/oci/caps/defaults.go b/oci/caps/defaults.go
new file mode 100644
index 0000000000..242ee5811d
--- /dev/null
+++ b/oci/caps/defaults.go
@@ -0,0 +1,21 @@
+package caps // import "github.com/docker/docker/oci/caps"
+
+// DefaultCapabilities returns a Linux kernel default capabilities
+func DefaultCapabilities() []string {
+ return []string{
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE",
+ }
+}
diff --git a/oci/defaults.go b/oci/defaults.go
index c55d1aac02..390618a89c 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -4,6 +4,7 @@ import (
 "os"
 "runtime"
+ "github.com/docker/docker/oci/caps"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -11,26 +12,6 @@ func iPtr(i int64) *int64 { return &i }
 func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
 func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
-// DefaultCapabilities returns a Linux kernel default capabilities
-func DefaultCapabilities() []string {
- return []string{
- "CAP_CHOWN",
- "CAP_DAC_OVERRIDE",
- "CAP_FSETID",
- "CAP_FOWNER",
- "CAP_MKNOD",
- "CAP_NET_RAW",
- "CAP_SETGID",
- "CAP_SETUID",
- "CAP_SETFCAP",
- "CAP_SETPCAP",
- "CAP_NET_BIND_SERVICE",
- "CAP_SYS_CHROOT",
- "CAP_KILL",
- "CAP_AUDIT_WRITE",
- }
-}
-
 // DefaultSpec returns the default spec used by docker for the current Platform
 func DefaultSpec() specs.Spec {
 return DefaultOSSpec(runtime.GOOS)
@@ -60,10 +41,10 @@ func DefaultLinuxSpec() specs.Spec {
 Version: specs.Version,
 Process: &specs.Process{
 Capabilities: &specs.LinuxCapabilities{
- Bounding: DefaultCapabilities(),
- Permitted: DefaultCapabilities(),
- Inheritable: DefaultCapabilities(),
- Effective: DefaultCapabilities(),
+ Bounding: caps.DefaultCapabilities(),
+ Permitted: caps.DefaultCapabilities(),
+ Inheritable: caps.DefaultCapabilities(),
+ Effective: caps.DefaultCapabilities(),
 },
 },
 Root: &specs.Root{},
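Review bot: The doc comment on the new `DefaultCapabilities` in oci/caps/defaults.go calls the list "a Linux kernel default capabilities", but the function returns Docker's default set for a container, not anything the kernel defines as a default; the wording was carried over verbatim from oci/defaults.go and is worth correcting now that the function is exported from its own package. Suggested: `// DefaultCapabilities returns the default set of Linux capabilities granted to a container. Each call returns a new slice, so callers may modify the result without affecting other callers.` The fresh-slice property matters because the daemon hands this value straight to TweakCapabilities, and stating it keeps a later change to a shared package-level slice from silently introducing aliasing between containers. Since oci/defaults.go now imports this package, caps must not import oci in return; presumably it does not, but that is not visible in this patch.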
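Review bot: In the DefaultLinuxSpec hunk of oci/defaults.go, `caps.DefaultCapabilities()` is called four times, once per capability set, which allocates four distinct slices; that is the right choice given the function builds a new slice on each call, but the reason is not stated and a reader may be tempted to hoist it into one local, which would make Bounding, Permitted, Inheritable and Effective share a backing array. Suggested comment above the `Capabilities:` field: `// Each set gets its own slice so that a caller editing one set cannot alias the others.` Separately, filling Inheritable with the full default list is pre-existing behaviour that this move preserves; whether the inheritable set should match the bounding set is a policy question for the capability model as a whole, and a one-line comment recording that it is intentional would help the next reviewer. DefaultLinuxSpec continues outside the hunk.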