Added DropCapabilities() and DropBoundingSet() API to libcontainer.

Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
pmorie · Jun 23, 2014 · ece2d83 · ece2d83
1 parent 4c55db7
commit ece2d83
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 8 deletions.
diff --git a/namespaces/init.go b/namespaces/init.go
@@ -195,7 +195,7 @@ func FinalizeNamespace(container *libcontainer.Container) error {
 	}
 
 	// drop capabilities in bounding set before changing user
-	if err := capabilities.DropBoundingSet(&container.Capabilities); err != nil {
+	if err := capabilities.DropBoundingSet(container.Capabilities); err != nil {
 		return fmt.Errorf("drop bounding set %s", err)
 	}
 
@@ -213,7 +213,7 @@ func FinalizeNamespace(container *libcontainer.Container) error {
 	}
 
 	// drop all other capabilities
-	if err := capabilities.DropCapabilities(&container.Capabilities); err != nil {
+	if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
 		return fmt.Errorf("drop capabilities %s", err)
 	}
 

diff --git a/security/capabilities/capabilities.go b/security/capabilities/capabilities.go
@@ -10,7 +10,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS
 
 // DropBoundingSet drops the capability bounding set to those specified in the
 // container configuration.
-func DropBoundingSet(capabilities *[]string) error {
+func DropBoundingSet(capabilities []string) error {
 	c, err := capability.NewPid(os.Getpid())
 	if err != nil {
 		return err
@@ -28,7 +28,7 @@ func DropBoundingSet(capabilities *[]string) error {
 }
 
 // DropCapabilities drops all capabilities for the current process expect those specified in the container configuration.
-func DropCapabilities(capList *[]string) error {
+func DropCapabilities(capList []string) error {
 	c, err := capability.NewPid(os.Getpid())
 	if err != nil {
 		return err
@@ -45,9 +45,9 @@ func DropCapabilities(capList *[]string) error {
 }
 
 // getEnabledCapabilities returns the capabilities that should not be dropped by the container.
-func getEnabledCapabilities(capList *[]string) []capability.Cap {
+func getEnabledCapabilities(capList []string) []capability.Cap {
 	keep := []capability.Cap{}
-	for _, capability := range *capList {
+	for _, capability := range capList {
 		if c := GetCapability(capability); c != nil {
 			keep = append(keep, c.Value)
 		}

diff --git a/security/capabilities/types_test.go b/security/capabilities/types_test.go
@@ -10,10 +10,10 @@ func TestCapabilitiesContains(t *testing.T) {
 		GetCapability("SETPCAP"),
 	}
 
-	if caps.Contains("SYS_ADMIN") {
+	if caps.contains("SYS_ADMIN") {
 		t.Fatal("capabilities should not contain SYS_ADMIN")
 	}
-	if !caps.Contains("MKNOD") {
+	if !caps.contains("MKNOD") {
 		t.Fatal("capabilities should contain MKNOD but does not")
 	}
 }
diff --git a/utils.go b/utils.go
@@ -39,3 +39,11 @@ func GetInternalNetworkSpec(net *Network) *network.Network {
 func GetAllCapabilities() []string {
 	return capabilities.GetAllCapabilities()
 }
+
+func DropBoundingSet(container *Container) error {
+	return capabilities.DropBoundingSet(container.Capabilities)
+}
+
+func DropCapabilities(container *Container) error {
+	return capabilities.DropCapabilities(container.Capabilities)
+}