Browse code
support add and drop in both order
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
Victor Vieux authored on 2014/07/11 08:02:39Showing 2 changed files
| ... | ... |
@@ -9,6 +9,11 @@ import ( |
| 9 | 9 |
|
| 10 | 10 |
func TweakCapabilities(basics, adds, drops []string) []string {
|
| 11 | 11 |
var caps []string |
| 12 |
+ |
|
| 13 |
+ if utils.StringsContainsNoCase(adds, "all") {
|
|
| 14 |
+ basics = capabilities.GetAllCapabilities() |
|
| 15 |
+ } |
|
| 16 |
+ |
|
| 12 | 17 |
if !utils.StringsContainsNoCase(drops, "all") {
|
| 13 | 18 |
for _, cap := range basics {
|
| 14 | 19 |
if !utils.StringsContainsNoCase(drops, cap) {
|
| ... | ... |
@@ -19,8 +24,7 @@ func TweakCapabilities(basics, adds, drops []string) []string {
|
| 19 | 19 |
|
| 20 | 20 |
for _, cap := range adds {
|
| 21 | 21 |
if strings.ToLower(cap) == "all" {
|
| 22 |
- caps = capabilities.GetAllCapabilities() |
|
| 23 |
- break |
|
| 22 |
+ continue |
|
| 24 | 23 |
} |
| 25 | 24 |
if !utils.StringsContainsNoCase(caps, cap) {
|
| 26 | 25 |
caps = append(caps, cap) |
| ... | ... |
@@ -813,6 +813,21 @@ func TestCapDropALLCannotMknod(t *testing.T) {
|
| 813 | 813 |
logDone("run - test --cap-drop=ALL cannot mknod")
|
| 814 | 814 |
} |
| 815 | 815 |
|
| 816 |
+func TestCapDropALLAddMknodCannotMknod(t *testing.T) {
|
|
| 817 |
+ cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL --cap-add=MKNOD", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok") |
|
| 818 |
+ out, _, err := runCommandWithOutput(cmd) |
|
| 819 |
+ if err != nil {
|
|
| 820 |
+ t.Fatal(err, out) |
|
| 821 |
+ } |
|
| 822 |
+ |
|
| 823 |
+ if actual := strings.Trim(out, "\r\n"); actual != "ok" {
|
|
| 824 |
+ t.Fatalf("expected output ok received %s", actual)
|
|
| 825 |
+ } |
|
| 826 |
+ deleteAllContainers() |
|
| 827 |
+ |
|
| 828 |
+ logDone("run - test --cap-drop=ALL --cap-add=MKNOD can mknod")
|
|
| 829 |
+} |
|
| 830 |
+ |
|
| 816 | 831 |
func TestCapAddCanDownInterface(t *testing.T) {
|
| 817 | 832 |
cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") |
| 818 | 833 |
out, _, err := runCommandWithOutput(cmd) |
| ... | ... |
@@ -843,6 +858,21 @@ func TestCapAddALLCanDownInterface(t *testing.T) {
|
| 843 | 843 |
logDone("run - test --cap-add=ALL can set eth0 down")
|
| 844 | 844 |
} |
| 845 | 845 |
|
| 846 |
+func TestCapAddALLDropNetAdminCanDownInterface(t *testing.T) {
|
|
| 847 |
+ cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL --cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") |
|
| 848 |
+ out, _, err := runCommandWithOutput(cmd) |
|
| 849 |
+ if err == nil {
|
|
| 850 |
+ t.Fatal(err, out) |
|
| 851 |
+ } |
|
| 852 |
+ |
|
| 853 |
+ if actual := strings.Trim(out, "\r\n"); actual == "ok" {
|
|
| 854 |
+ t.Fatalf("expected output not ok received %s", actual)
|
|
| 855 |
+ } |
|
| 856 |
+ deleteAllContainers() |
|
| 857 |
+ |
|
| 858 |
+ logDone("run - test --cap-add=ALL --cap-drop=NET_ADMIN cannot set eth0 down")
|
|
| 859 |
+} |
|
| 860 |
+ |
|
| 846 | 861 |
func TestPrivilegedCanMount(t *testing.T) {
|
| 847 | 862 |
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok") |
| 848 | 863 |
|