From 669e2fe4795e629dfdac1bef4b555aee6c361391 Mon Sep 17 00:00:00 2001
From: Victor Vieux
Date: Thu, 10 Jul 2014 22:31:01 +0000
Subject: [PATCH] add basic support for 'all'

Docker-DCO-1.1-Signed-off-by: Victor Vieux (github: vieux)

Upstream-commit: 222a6f44016451dcbd2da0003e64521c06e88ba9
Component: engine
---
 components/engine/daemon/execdriver/utils.go | 21 +++++++++----
 .../integration-cli/docker_cli_run_test.go | 30 +++++++++++++++++++
 components/engine/utils/utils.go | 4 +-
 3 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/components/engine/daemon/execdriver/utils.go b/components/engine/daemon/execdriver/utils.go
index 7ca12a596b..4188b9bf07 100644
--- a/components/engine/daemon/execdriver/utils.go
+++ b/components/engine/daemon/execdriver/utils.go
@@ -1,17 +1,28 @@
 package execdriver
 
-import "github.com/dotcloud/docker/utils"
+import (
+	"strings"
+
+	"github.com/docker/libcontainer/security/capabilities"
+	"github.com/dotcloud/docker/utils"
+)
 
 func TweakCapabilities(basics, adds, drops []string) []string {
 	var caps []string
-	for _, cap := range basics {
-		if !utils.StringsContains(drops, cap) {
-			caps = append(caps, cap)
+	if !utils.StringsContainsNoCase(drops, "all") {
+		for _, cap := range basics {
+			if !utils.StringsContainsNoCase(drops, cap) {
+				caps = append(caps, cap)
+			}
 		}
 	}
 	for _, cap := range adds {
-		if !utils.StringsContains(caps, cap) {
+		if strings.ToLower(cap) == "all" {
+			caps = capabilities.GetAllCapabilities()
+			break
+		}
+		if !utils.StringsContainsNoCase(caps, cap) {
 			caps = append(caps, cap)
 		}
 	}
diff --git a/components/engine/integration-cli/docker_cli_run_test.go b/components/engine/integration-cli/docker_cli_run_test.go
index e813ec6a7d..d4832638b7 100644
--- a/components/engine/integration-cli/docker_cli_run_test.go
+++ b/components/engine/integration-cli/docker_cli_run_test.go
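Review bot: `--cap-add=ALL` silently discards every `--cap-drop` other than `ALL`: the new `all` branch in the adds loop assigns `capabilities.GetAllCapabilities()` wholesale and breaks, while `drops` was only consulted when filtering `basics`, so `--cap-add=ALL --cap-drop=SYS_ADMIN` still hands the container SYS_ADMIN even though the user explicitly removed it. Filtering the full list through `drops` inside that branch keeps the commit's add-after-drop ordering (`--cap-drop=ALL --cap-add=ALL` still grants everything, assuming the literal `all` is not itself an entry of the returned list) while honouring individual drops. A doc comment on the function spelling out that precedence (`// TweakCapabilities applies drops to basics, then adds; "all" in either list is expanded to every capability.`) would make the contract visible to callers. The function's closing lines, including its return, fall outside this hunk.
```go
	for _, cap := range adds {
		if strings.ToLower(cap) == "all" {
			// ALL widens to the full set, but explicit --cap-drop entries still apply.
			caps = nil
			for _, c := range capabilities.GetAllCapabilities() {
				if !utils.StringsContainsNoCase(drops, c) {
					caps = append(caps, c)
				}
			}
			break
		}
		// … unchanged: per-capability add …
	}
```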
@@ -798,6 +798,21 @@ func TestCapDropCannotMknod(t *testing.T) {
 	logDone("run - test --cap-drop=MKNOD cannot mknod")
 }
 
+func TestCapDropALLCannotMknod(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	out, _, err := runCommandWithOutput(cmd)
+	if err == nil {
+		t.Fatal(err, out)
+	}
+
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		t.Fatalf("expected output not ok received %s", actual)
+	}
+	deleteAllContainers()
+
+	logDone("run - test --cap-drop=ALL cannot mknod")
+}
+
 func TestCapAddCanDownInterface(t *testing.T) {
 	cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
 	out, _, err := runCommandWithOutput(cmd)
@@ -813,6 +828,21 @@ func TestCapAddCanDownInterface(t *testing.T) {
 	logDone("run - test --cap-add=NET_ADMIN can set eth0 down")
 }
 
+func TestCapAddALLCanDownInterface(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
+	out, _, err := runCommandWithOutput(cmd)
+	if err != nil {
+		t.Fatal(err, out)
+	}
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		t.Fatalf("expected output ok received %s", actual)
+	}
+	deleteAllContainers()
+
+	logDone("run - test --cap-add=ALL can set eth0 down")
+}
+
 func TestPrivilegedCanMount(t *testing.T) {
 	cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
diff --git a/components/engine/utils/utils.go b/components/engine/utils/utils.go
index 085f493032..0d44ec0f72 100644
--- a/components/engine/utils/utils.go
+++ b/components/engine/utils/utils.go
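Review bot: In TestCapDropALLCannotMknod the cleanup `deleteAllContainers()` sits after both fatal checks, so a failing assertion leaves the busybox container behind for the tests that follow; moving it to `defer deleteAllContainers()` right after `cmd := exec.Command(...)` makes cleanup unconditional. The failure branch `if err == nil { t.Fatal(err, out) }` also prints a nil error and no explanation; `t.Fatalf("expected mknod to fail with --cap-drop=ALL, got: %s", out)` tells the reader what was asserted. The same pattern appears to be inherited from the neighbouring tests, whose bodies are only partly inside this hunk, so this may be worth a follow-up across the file rather than this function alone.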
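Review bot: TestCapAddALLCanDownInterface only proves that `--cap-add=ALL` widens the set; nothing in this commit exercises `ALL` combined with an explicit drop, which is exactly the combination the first hunk handles by assigning the full list and breaking without consulting `drops`. As TweakCapabilities is written in that hunk, `--cap-add=ALL --cap-drop=NET_ADMIN` appears to keep NET_ADMIN, so a test pinning that the drop still applies would both document the intended precedence and catch that regression. The mirror case, `--cap-drop=ALL --cap-add=NET_ADMIN` being able to down the interface, is the common least-privilege idiom and deserves a positive test as well.
```go
func TestCapAddALLDropNetAdminCannotDownInterface(t *testing.T) {
	cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL", "--cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
	defer deleteAllContainers()
	out, _, err := runCommandWithOutput(cmd)
	if err == nil {
		t.Fatalf("expected 'ip link set eth0 down' to fail with --cap-add=ALL --cap-drop=NET_ADMIN, got: %s", out)
	}

	logDone("run - test --cap-add=ALL --cap-drop=NET_ADMIN cannot set eth0 down")
}
```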
@@ -908,9 +908,9 @@ func ValidateContextDirectory(srcPath string) error {
 	return finalError
 }
 
-func StringsContains(slice []string, s string) bool {
+func StringsContainsNoCase(slice []string, s string) bool {
 	for _, ss := range slice {
-		if s == ss {
+		if strings.ToLower(s) == strings.ToLower(ss) {
 			return true
 		}
 	}
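Review bot: The comparison `strings.ToLower(s) == strings.ToLower(ss)` lowercases `s` afresh on every iteration and allocates two new strings per element; `strings.EqualFold(s, ss)` is the standard-library idiom for a case-insensitive match, allocates nothing, and handles Unicode case folding rather than only simple lowercasing: `if strings.EqualFold(s, ss) {`. Renaming the exported `StringsContains` in place rather than adding `StringsContainsNoCase` beside it also removes the exact-match helper from the package; the diffstat shows no other files touched, so presumably no other callers existed, but a doc comment stating the new semantics (`// StringsContainsNoCase reports whether slice contains s, compared case-insensitively.`) would stop the next caller from assuming an exact match. The function's closing lines fall outside this hunk.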