From 47917135daa38b40a1a3ee11f31153b031ea7963 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Wed, 16 Jul 2014 12:14:26 -0700
Subject: [PATCH 1/2] Fix cap drop issues with lxc

This uses "," instead of spaces so that the flags are parsed correctly and also does not do a strings.Split on an empty string because strings.Split will return a slice with one element, and empty string causing parsing to fail when it validates that the cap exists.

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 daemon/execdriver/lxc/driver.go | 4 ++--
 daemon/execdriver/lxc/lxc_init_linux.go | 14 +++++++++++++-
 daemon/execdriver/utils.go | 6 +++---
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/daemon/execdriver/lxc/driver.go b/daemon/execdriver/lxc/driver.go
index 2faada2350..1d315ca3b7 100644
--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@@ -123,11 +123,11 @@ func (d *driver) Run(c *execdriver.Command, pipes *execdriver.Pipes, startCallba
 }
 if len(c.CapAdd) > 0 {
- params = append(params, "-cap-add", strings.Join(c.CapAdd, " "))
+ params = append(params, "-cap-add", strings.Join(c.CapAdd, ","))
 }
 if len(c.CapDrop) > 0 {
- params = append(params, "-cap-drop", strings.Join(c.CapDrop, " "))
+ params = append(params, "-cap-drop", strings.Join(c.CapDrop, ","))
 }
 params = append(params, "--", c.Entrypoint)
diff --git a/daemon/execdriver/lxc/lxc_init_linux.go b/daemon/execdriver/lxc/lxc_init_linux.go
index 40956e442b..de7a6385a0 100644
--- a/daemon/execdriver/lxc/lxc_init_linux.go
+++ b/daemon/execdriver/lxc/lxc_init_linux.go
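Review bot: The `","` passed to strings.Join on both added lines is a bare literal that has to agree with the `strings.Split` in finalizeNamespace (the lxc_init_linux.go hunk of this patch), and the second patch in this series changes both sides again from `,` to `:`, which is exactly the drift a single definition prevents. Declare it once in package execdriver beside the InitArgs fields it travels through, e.g. `const CapSeparator = ","` (proposed name; value as the series finally settles it), and reference it from the join here and from the split there. The same applies to both hunks of the second patch. Run's body starts and ends outside the hunk.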
@@ -49,7 +49,19 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
 return fmt.Errorf("clear keep caps %s", err)
 }
- caps, err := execdriver.TweakCapabilities(container.Capabilities, strings.Split(args.CapAdd, " "), strings.Split(args.CapDrop, " "))
+ var (
+ adds []string
+ drops []string
+ )
+
+ if args.CapAdd != "" {
+ adds = strings.Split(args.CapAdd, ",")
+ }
+ if args.CapDrop != "" {
+ drops = strings.Split(args.CapDrop, ",")
+ }
+
+ caps, err := execdriver.TweakCapabilities(container.Capabilities, adds, drops)
 if err != nil {
 return err
 }
diff --git a/daemon/execdriver/utils.go b/daemon/execdriver/utils.go
index 90c5177421..d09e27fec0 100644
--- a/daemon/execdriver/utils.go
+++ b/daemon/execdriver/utils.go
@@ -20,7 +20,7 @@ func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 continue
 }
 if !utils.StringsContainsNoCase(allCaps, cap) {
- return nil, fmt.Errorf("Unknown capability: %s", cap)
+ return nil, fmt.Errorf("Unknown capability drop: %q", cap)
 }
 }
@@ -49,9 +49,8 @@ func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 continue
 }
- // look for invalid cap in the drop list
 if !utils.StringsContainsNoCase(allCaps, cap) {
- return nil, fmt.Errorf("Unknown capability: %s", cap)
+ return nil, fmt.Errorf("Unknown capability to add: %q", cap)
 }
 // add cap if not already in the list
@@ -59,5 +58,6 @@ func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 newCaps = append(newCaps, cap)
 }
 }
+
 return newCaps, nil
 }

From 50b580cfecc8e438223250f058fb7b61c7477a59 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Wed, 16 Jul 2014 13:40:10 -0700
Subject: [PATCH 2/2] Use : to split caps in sysinit flags

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 daemon/execdriver/lxc/driver.go | 4 ++--
 daemon/execdriver/lxc/lxc_init_linux.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

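Review bot: The added CapAdd and CapDrop branches are the same four lines twice, and together they are the only place on the init side that knows the flag separator; a small helper keeps the empty-string guard (the fix this patch makes) in one spot. With it the call becomes `caps, err := execdriver.TweakCapabilities(container.Capabilities, splitCaps(args.CapAdd), splitCaps(args.CapDrop))`. A trailing or doubled separator still produces an empty element, which TweakCapabilities presumably rejects as an unknown capability (the checks are visible in the utils.go hunks, though StringsContainsNoCase is not), so the failure mode is closed rather than a silently skipped drop; a unit test for TweakCapabilities covering nil, a single entry and an empty element would pin that down. finalizeNamespace's body starts and ends outside the hunk.
```go
// splitCaps turns a delimited capability list from the init flags into a
// slice; an empty flag yields nil so strings.Split cannot produce [""].
func splitCaps(s string) []string {
	if s == "" {
		return nil
	}
	return strings.Split(s, ",")
}

// … unchanged: keep-caps clearing at the top of finalizeNamespace …
	caps, err := execdriver.TweakCapabilities(container.Capabilities, splitCaps(args.CapAdd), splitCaps(args.CapDrop))
```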
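Review bot: The two rewritten error strings are not parallel: this hunk says `Unknown capability drop: %q` while the add loop in the next hunk (@@ -49) says `Unknown capability to add: %q`; since the error is returned straight out of finalizeNamespace as the reason container setup failed, give both the same shape, `return nil, fmt.Errorf("Unknown capability to drop: %q", cap)`. `%q` is the right change here: an empty element left by a trailing separator now shows up as `""` rather than an apparently blank name. Both changed lines use `cap` as a variable, shadowing the builtin; the range header declaring it is outside the hunk, so this is pre-existing, but it is worth renaming when the function is next touched. TweakCapabilities' body starts and ends outside this hunk and the next.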
diff --git a/daemon/execdriver/lxc/driver.go b/daemon/execdriver/lxc/driver.go
index 1d315ca3b7..e7aaaf7ec7 100644
--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@@ -123,11 +123,11 @@ func (d *driver) Run(c *execdriver.Command, pipes *execdriver.Pipes, startCallba
 }
 if len(c.CapAdd) > 0 {
- params = append(params, "-cap-add", strings.Join(c.CapAdd, ","))
+ params = append(params, fmt.Sprintf("-cap-add=%s", strings.Join(c.CapAdd, ":")))
 }
 if len(c.CapDrop) > 0 {
- params = append(params, "-cap-drop", strings.Join(c.CapDrop, ","))
+ params = append(params, fmt.Sprintf("-cap-drop=%s", strings.Join(c.CapDrop, ":")))
 }
 params = append(params, "--", c.Entrypoint)
diff --git a/daemon/execdriver/lxc/lxc_init_linux.go b/daemon/execdriver/lxc/lxc_init_linux.go
index de7a6385a0..0eee2c4881 100644
--- a/daemon/execdriver/lxc/lxc_init_linux.go
+++ b/daemon/execdriver/lxc/lxc_init_linux.go
@@ -55,10 +55,10 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
 )
 if args.CapAdd != "" {
- adds = strings.Split(args.CapAdd, ",")
+ adds = strings.Split(args.CapAdd, ":")
 }
 if args.CapDrop != "" {
- drops = strings.Split(args.CapDrop, ",")
+ drops = strings.Split(args.CapDrop, ":")
 }
 caps, err := execdriver.TweakCapabilities(container.Capabilities, adds, drops)
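Review bot: Nothing in the rewritten `-cap-add=`/`-cap-drop=` lines records why `:` replaces the `,` chosen one commit earlier, and the subject line is the only explanation on the page; a comment at the join such as `// joined with ':' and split again in finalizeNamespace (lxc_init_linux.go); the two must agree` would stop the next editor from changing one side only. `fmt.Sprintf` with a lone `%s` is plain concatenation, `params = append(params, "-cap-add="+strings.Join(c.CapAdd, ":"))`, and likewise for the drop line. The hunk adds no import and the diffstat shows no other change to driver.go, so it relies on fmt already being imported there, which is not visible here. The matching `strings.Split(…, ":")` calls are in the lxc_init_linux.go hunk that follows; Run's body starts and ends outside this hunk.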