Move DefaultCapabilities() to caps package
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
parent
44d3901386
commit
1308a3a99f
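--- a/FILE-1 (path not shown on page)
+++ b/FILE-1 (path not shown on page)
@@ -139,7 +139,7 @@ func WithApparmor(c *container.Container) coci.SpecOpts {
 func WithCapabilities(c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
 capabilities, err := caps.TweakCapabilities(
-oci.DefaultCapabilities(),
+caps.DefaultCapabilities(),
 c.HostConfig.CapAdd,
 c.HostConfig.CapDrop,
 c.HostConfig.Capabilities,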
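--- a/FILE-2 (path not shown on page)
+++ b/FILE-2 (path not shown on page)
@@ -390,7 +390,7 @@ func (daemon *Daemon) createSpecLinuxFields(c *container.Container, s *specs.Spe
 // Note these are against the UVM.
 setResourcesInSpec(c, s, true) // LCOW is Hyper-V only
 
-capabilities, err := caps.TweakCapabilities(oci.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)
+capabilities, err := caps.TweakCapabilities(caps.DefaultCapabilities(), c.HostConfig.CapAdd, c.HostConfig.CapDrop, c.HostConfig.Capabilities, c.HostConfig.Privileged)
 if err != nil {
 return fmt.Errorf("linux spec capabilities: %v", err)
 }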
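--- /dev/null
+++ b/FILE-3 (path not shown on page; new file in package caps)
@@ -0,0 +1,21 @@
+package caps // import "github.com/docker/docker/oci/caps"
+
+// DefaultCapabilities returns a Linux kernel default capabilities
+func DefaultCapabilities() []string {
+return []string{
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_FSETID",
+"CAP_FOWNER",
+"CAP_MKNOD",
+"CAP_NET_RAW",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETFCAP",
+"CAP_SETPCAP",
+"CAP_NET_BIND_SERVICE",
+"CAP_SYS_CHROOT",
+"CAP_KILL",
+"CAP_AUDIT_WRITE",
+}
+}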
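Review bot: The doc comment on the moved function, `// DefaultCapabilities returns a Linux kernel default capabilities`, is ungrammatical and misleading: the kernel defines no such default, and this list is the project's own baseline — the other hunks in this commit pass it as the base set to caps.TweakCapabilities and use it for all four fields of DefaultLinuxSpec. Because every container's capability set is derived from this list, the comment should say that explicitly so a future edit to the list is recognised as widening default container privilege. It should also state that a fresh slice is built on every call, since DefaultLinuxSpec calls it four times and relies on the results not aliasing each other. Suggested text: `// DefaultCapabilities returns the default set of Linux capabilities granted to a container; it is the base set for TweakCapabilities and for DefaultLinuxSpec. A new slice is allocated on each call, so callers may modify the result without affecting other callers.`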
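--- a/FILE-4 (path not shown on page; package oci)
+++ b/FILE-4 (path not shown on page; package oci)
@@ -4,6 +4,7 @@ import (
 "os"
 "runtime"
 
+"github.com/docker/docker/oci/caps"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -11,26 +12,6 @@ func iPtr(i int64) *int64 { return &i }
 func u32Ptr(i int64) *uint32 { u := uint32(i); return &u }
 func fmPtr(i int64) *os.FileMode { fm := os.FileMode(i); return &fm }
 
-// DefaultCapabilities returns a Linux kernel default capabilities
-func DefaultCapabilities() []string {
-return []string{
-"CAP_CHOWN",
-"CAP_DAC_OVERRIDE",
-"CAP_FSETID",
-"CAP_FOWNER",
-"CAP_MKNOD",
-"CAP_NET_RAW",
-"CAP_SETGID",
-"CAP_SETUID",
-"CAP_SETFCAP",
-"CAP_SETPCAP",
-"CAP_NET_BIND_SERVICE",
-"CAP_SYS_CHROOT",
-"CAP_KILL",
-"CAP_AUDIT_WRITE",
-}
-}
-
 // DefaultSpec returns the default spec used by docker for the current Platform
 func DefaultSpec() specs.Spec {
 return DefaultOSSpec(runtime.GOOS)
@@ -60,10 +41,10 @@ func DefaultLinuxSpec() specs.Spec {
 Version: specs.Version,
 Process: &specs.Process{
 Capabilities: &specs.LinuxCapabilities{
-Bounding: DefaultCapabilities(),
-Permitted: DefaultCapabilities(),
-Inheritable: DefaultCapabilities(),
-Effective: DefaultCapabilities(),
+Bounding: caps.DefaultCapabilities(),
+Permitted: caps.DefaultCapabilities(),
+Inheritable: caps.DefaultCapabilities(),
+Effective: caps.DefaultCapabilities(),
 },
 },
 Root: &specs.Root{},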