Make libcontainer's CapabilitiesMask into a []string (Capabilities).

Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol) Upstream-commit: 92614928cecd48b241011e614fa856c4fdbac1f6 Component: engine
2014-05-17 00:44:10 +00:00
parent ed8430a340
commit e3742d2641
9 changed files with 75 additions and 80 deletions
--- a/components/engine/daemon/execdriver/native/configuration/parse.go
+++ b/components/engine/daemon/execdriver/native/configuration/parse.go
@ -109,12 +109,19 @@ func memorySwap(container *libcontainer.Container, context interface{}, value st
 }

 func addCap(container *libcontainer.Container, context interface{}, value string) error {
-	container.CapabilitiesMask[value] = true
+	container.Capabilities = append(container.Capabilities, value)
 	return nil
 }

 func dropCap(container *libcontainer.Container, context interface{}, value string) error {
-	container.CapabilitiesMask[value] = false
+	// If the capability is specified multiple times, remove all instances.
+	for i, capability := range container.Capabilities {
+		if capability == value {
+			container.Capabilities = append(container.Capabilities[:i], container.Capabilities[i+1:]...)
+		}
+	}
+
+	// The capability wasn't found so we will drop it anyways.
 	return nil
 }

--- a/components/engine/daemon/execdriver/native/configuration/parse_test.go
+++ b/components/engine/daemon/execdriver/native/configuration/parse_test.go
@ -4,8 +4,19 @@ import (
 	"testing"

 	"github.com/dotcloud/docker/daemon/execdriver/native/template"
+	"github.com/dotcloud/docker/pkg/libcontainer"
 )

+// Checks whether the expected capability is specified in the capabilities.
+func hasCapability(expected string, capabilities []string) bool {
+	for _, capability := range capabilities {
+		if capability == expected {
+			return true
+		}
+	}
+	return false
+}
+
 func TestSetReadonlyRootFs(t *testing.T) {
 	var (
 		container = template.New()
@ -39,10 +50,10 @@ func TestConfigurationsDoNotConflict(t *testing.T) {
 		t.Fatal(err)
 	}

-	if !container1.CapabilitiesMask["NET_ADMIN"] {
+	if !hasCapability("NET_ADMIN", container1.Capabilities) {
 		t.Fatal("container one should have NET_ADMIN enabled")
 	}
-	if container2.CapabilitiesMask["NET_ADMIN"] {
+	if hasCapability("NET_ADMIN", container2.Capabilities) {
 		t.Fatal("container two should not have NET_ADMIN enabled")
 	}
 }
@ -138,10 +149,10 @@ func TestAddCap(t *testing.T) {
 		t.Fatal(err)
 	}

-	if !container.CapabilitiesMask["MKNOD"] {
+	if !hasCapability("MKNOD", container.Capabilities) {
 		t.Fatal("container should have MKNOD enabled")
 	}
-	if !container.CapabilitiesMask["SYS_ADMIN"] {
+	if !hasCapability("SYS_ADMIN", container.Capabilities) {
 		t.Fatal("container should have SYS_ADMIN enabled")
 	}
 }
@ -154,14 +165,12 @@ func TestDropCap(t *testing.T) {
 		}
 	)
 	// enabled all caps like in privileged mode
-	for key := range container.CapabilitiesMask {
-		container.CapabilitiesMask[key] = true
-	}
+	container.Capabilities = libcontainer.GetAllCapabilities()
 	if err := ParseConfiguration(container, nil, opts); err != nil {
 		t.Fatal(err)
 	}

-	if container.CapabilitiesMask["MKNOD"] {
+	if hasCapability("MKNOD", container.Capabilities) {
 		t.Fatal("container should not have MKNOD enabled")
 	}
 }
--- a/components/engine/daemon/execdriver/native/create.go
+++ b/components/engine/daemon/execdriver/native/create.go
@ -98,9 +98,7 @@ func (d *driver) createNetwork(container *libcontainer.Container, c *execdriver.
 }

 func (d *driver) setPrivileged(container *libcontainer.Container) error {
-	for key := range container.CapabilitiesMask {
-		container.CapabilitiesMask[key] = true
-	}
+	container.Capabilities = libcontainer.GetAllCapabilities()
 	container.Cgroups.DeviceAccess = true

 	delete(container.Context, "restrictions")
--- a/components/engine/daemon/execdriver/native/template/default_template.go
+++ b/components/engine/daemon/execdriver/native/template/default_template.go
@ -9,28 +9,13 @@ import (
 // New returns the docker default configuration for libcontainer
 func New() *libcontainer.Container {
 	container := &libcontainer.Container{
-		CapabilitiesMask: map[string]bool{
-			"SETPCAP":        false,
-			"SYS_MODULE":     false,
-			"SYS_RAWIO":      false,
-			"SYS_PACCT":      false,
-			"SYS_ADMIN":      false,
-			"SYS_NICE":       false,
-			"SYS_RESOURCE":   false,
-			"SYS_TIME":       false,
-			"SYS_TTY_CONFIG": false,
-			"AUDIT_WRITE":    false,
-			"AUDIT_CONTROL":  false,
-			"MAC_OVERRIDE":   false,
-			"MAC_ADMIN":      false,
-			"NET_ADMIN":      false,
-			"MKNOD":          true,
-			"SYSLOG":         false,
-			"SETUID":         true,
-			"SETGID":         true,
-			"CHOWN":          true,
-			"NET_RAW":        true,
-			"DAC_OVERRIDE":   true,
+		Capabilities: []string{
+			"MKNOD",
+			"SETUID",
+			"SETGID",
+			"CHOWN",
+			"NET_RAW",
+			"DAC_OVERRIDE",
 		},
 		Namespaces: map[string]bool{
 			"NEWNS":  true,