Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
@@ -1,17 +1,28 @@ |
| 1 | 1 |
package execdriver |
| 2 | 2 |
|
| 3 |
-import "github.com/dotcloud/docker/utils" |
|
| 3 |
+import ( |
|
| 4 |
+ "strings" |
|
| 5 |
+ |
|
| 6 |
+ "github.com/docker/libcontainer/security/capabilities" |
|
| 7 |
+ "github.com/dotcloud/docker/utils" |
|
| 8 |
+) |
|
| 4 | 9 |
|
| 5 | 10 |
func TweakCapabilities(basics, adds, drops []string) []string {
|
| 6 | 11 |
var caps []string |
| 7 |
- for _, cap := range basics {
|
|
| 8 |
- if !utils.StringsContains(drops, cap) {
|
|
| 9 |
- caps = append(caps, cap) |
|
| 12 |
+ if !utils.StringsContainsNoCase(drops, "all") {
|
|
| 13 |
+ for _, cap := range basics {
|
|
| 14 |
+ if !utils.StringsContainsNoCase(drops, cap) {
|
|
| 15 |
+ caps = append(caps, cap) |
|
| 16 |
+ } |
|
| 10 | 17 |
} |
| 11 | 18 |
} |
| 12 | 19 |
|
| 13 | 20 |
for _, cap := range adds {
|
| 14 |
- if !utils.StringsContains(caps, cap) {
|
|
| 21 |
+ if strings.ToLower(cap) == "all" {
|
|
| 22 |
+ caps = capabilities.GetAllCapabilities() |
|
| 23 |
+ break |
|
| 24 |
+ } |
|
| 25 |
+ if !utils.StringsContainsNoCase(caps, cap) {
|
|
| 15 | 26 |
caps = append(caps, cap) |
| 16 | 27 |
} |
| 17 | 28 |
} |
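Review bot: The `--cap-add=ALL` branch at new lines 21-23 overwrites caps with the full capability set and leaves the loop, so explicit `--cap-drop` entries are never applied to it: `--cap-drop=NET_ADMIN --cap-add=ALL` ends up granting NET_ADMIN, which looks like the opposite of what a user who spells out a drop intends. The drop filter only runs over basics (new lines 12-17), and the per-capability add at line 25 also never consults drops, so a capability listed in both flags is still added (pre-existing, but more visible now that ALL is special-cased). I would have the ALL branch build the list from GetAllCapabilities() minus drops, as below; TweakCapabilities' return statement is outside the hunk.
```go
	for _, cap := range adds {
		if strings.ToLower(cap) == "all" {
			// Start from the full set but still honour explicit drops.
			caps = nil
			for _, c := range capabilities.GetAllCapabilities() {
				if !utils.StringsContainsNoCase(drops, c) {
					caps = append(caps, c)
				}
			}
			break
		}
		// … unchanged: per-capability add …
	}
```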
@@ -798,6 +798,21 @@ func TestCapDropCannotMknod(t *testing.T) {
|
| 798 | 798 |
logDone("run - test --cap-drop=MKNOD cannot mknod")
|
| 799 | 799 |
} |
| 800 | 800 |
|
| 801 |
+func TestCapDropALLCannotMknod(t *testing.T) {
|
|
| 802 |
+ cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok") |
|
| 803 |
+ out, _, err := runCommandWithOutput(cmd) |
|
| 804 |
+ if err == nil {
|
|
| 805 |
+ t.Fatal(err, out) |
|
| 806 |
+ } |
|
| 807 |
+ |
|
| 808 |
+ if actual := strings.Trim(out, "\r\n"); actual == "ok" {
|
|
| 809 |
+ t.Fatalf("expected output not ok received %s", actual)
|
|
| 810 |
+ } |
|
| 811 |
+ deleteAllContainers() |
|
| 812 |
+ |
|
| 813 |
+ logDone("run - test --cap-drop=ALL cannot mknod")
|
|
| 814 |
+} |
|
| 815 |
+ |
|
| 801 | 816 |
func TestCapAddCanDownInterface(t *testing.T) {
|
| 802 | 817 |
cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") |
| 803 | 818 |
out, _, err := runCommandWithOutput(cmd) |
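Review bot: `t.Fatal(err, out)` at new line 805 only runs when err is nil, so the failure message prints `<nil>` followed by the container output and never states what was expected; `t.Fatalf("expected mknod to fail under --cap-drop=ALL, got: %s", out)` would make it self-explanatory. Both new tests (this one and TestCapAddALLCanDownInterface in the next hunk) call `deleteAllContainers()` only on the success path, so any t.Fatal leaves the container behind for the tests that follow; a `defer deleteAllContainers()` right after the command is built keeps the cleanup on every path. That pattern mirrors the surrounding tests, so it may be a deliberate convention of this file.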
@@ -813,6 +828,21 @@ func TestCapAddCanDownInterface(t *testing.T) {
|
| 813 | 813 |
logDone("run - test --cap-add=NET_ADMIN can set eth0 down")
|
| 814 | 814 |
} |
| 815 | 815 |
|
| 816 |
+func TestCapAddALLCanDownInterface(t *testing.T) {
|
|
| 817 |
+ cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") |
|
| 818 |
+ out, _, err := runCommandWithOutput(cmd) |
|
| 819 |
+ if err != nil {
|
|
| 820 |
+ t.Fatal(err, out) |
|
| 821 |
+ } |
|
| 822 |
+ |
|
| 823 |
+ if actual := strings.Trim(out, "\r\n"); actual != "ok" {
|
|
| 824 |
+ t.Fatalf("expected output ok received %s", actual)
|
|
| 825 |
+ } |
|
| 826 |
+ deleteAllContainers() |
|
| 827 |
+ |
|
| 828 |
+ logDone("run - test --cap-add=ALL can set eth0 down")
|
|
| 829 |
+} |
|
| 830 |
+ |
|
| 816 | 831 |
func TestPrivilegedCanMount(t *testing.T) {
|
| 817 | 832 |
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok") |
| 818 | 833 |
|
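Review bot: Neither new test exercises ALL together with an explicit flag of the other kind, which is exactly the combination the new TweakCapabilities code decides on: with `--cap-add=ALL --cap-drop=NET_ADMIN` the add loop's ALL branch replaces the list after drops were applied, so NET_ADMIN is present and `ip link set eth0 down` should succeed (inferred from the first hunk, not verified here). A companion test next to this one that runs that flag pair and asserts whichever outcome is intended would pin the precedence before users rely on it; the same goes for `--cap-drop=ALL --cap-add=MKNOD` beside the mknod test in the previous hunk.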
@@ -908,9 +908,9 @@ func ValidateContextDirectory(srcPath string) error {
|
| 908 | 908 |
return finalError |
| 909 | 909 |
} |
| 910 | 910 |
|
| 911 |
-func StringsContains(slice []string, s string) bool {
|
|
| 911 |
+func StringsContainsNoCase(slice []string, s string) bool {
|
|
| 912 | 912 |
for _, ss := range slice {
|
| 913 |
- if s == ss {
|
|
| 913 |
+ if strings.ToLower(s) == strings.ToLower(ss) {
|
|
| 914 | 914 |
return true |
| 915 | 915 |
} |
| 916 | 916 |
} |
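Review bot: `strings.ToLower(s)` at new line 913 is recomputed, with an allocation, on every iteration; `if strings.EqualFold(s, ss) {` does the case-insensitive comparison without allocating and is the idiomatic form. Renaming StringsContains also silently changes semantics for any other caller in the tree that relied on exact matching — the hunk shows none, so that is worth a grep before merging. The exported function has no doc comment; I would add `// StringsContainsNoCase reports whether slice contains s, ignoring case.` above it. The function's `return false` and closing brace are outside the hunk.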