
support add and drop in both order

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
Victor Vieux 11 years ago
064b5f870d
2 changed files with 36 additions and 2 deletions
  1. 6 2
      daemon/execdriver/utils.go
  2. 30 0
      integration-cli/docker_cli_run_test.go

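--- a/daemon/execdriver/utils.go
+++ b/daemon/execdriver/utils.go
@@ -9,6 +9,11 @@ import (
 
 func TweakCapabilities(basics, adds, drops []string) []string {
 	var caps []string
+
+	if utils.StringsContainsNoCase(adds, "all") {
+		basics = capabilities.GetAllCapabilities()
+	}
+
 	if !utils.StringsContainsNoCase(drops, "all") {
 		for _, cap := range basics {
 			if !utils.StringsContainsNoCase(drops, cap) {
@@ -19,8 +24,7 @@ func TweakCapabilities(basics, adds, drops []string) []string {
 
 	for _, cap := range adds {
 		if strings.ToLower(cap) == "all" {
-			caps = capabilities.GetAllCapabilities()
-			break
+			continue
 		}
 		if !utils.StringsContainsNoCase(caps, cap) {
 			caps = append(caps, cap)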
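Review bot: A capability named explicitly in both adds and drops is still granted, because the append guard at the end of the second hunk only checks caps, while the drop filter added in the first hunk is applied to basics alone (now the full list when adds contains "all"). So `--cap-add=ALL --cap-drop=MKNOD` removes MKNOD, but `--cap-add=MKNOD --cap-drop=MKNOD` keeps it; if drops are meant to win regardless of how they are spelled, the guard should read `if !utils.StringsContainsNoCase(drops, cap) && !utils.StringsContainsNoCase(caps, cap) {`. Whichever precedence is intended, the exported TweakCapabilities has no doc comment stating it; I would add `// TweakCapabilities returns basics plus adds minus drops; "all" in adds expands basics to every capability, "all" in drops empties it.` above the signature. The function's body continues past the second hunk.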

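--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -813,6 +813,21 @@ func TestCapDropALLCannotMknod(t *testing.T) {
 	logDone("run - test --cap-drop=ALL cannot mknod")
 }
 
+func TestCapDropALLAddMknodCannotMknod(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL --cap-add=MKNOD", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	out, _, err := runCommandWithOutput(cmd)
+	if err != nil {
+		t.Fatal(err, out)
+	}
+
+	if actual := strings.Trim(out, "\r\n"); actual != "ok" {
+		t.Fatalf("expected output ok received %s", actual)
+	}
+	deleteAllContainers()
+
+	logDone("run - test --cap-drop=ALL --cap-add=MKNOD can mknod")
+}
+
 func TestCapAddCanDownInterface(t *testing.T) {
 	cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
 	out, _, err := runCommandWithOutput(cmd)
@@ -843,6 +858,21 @@ func TestCapAddALLCanDownInterface(t *testing.T) {
 	logDone("run - test --cap-add=ALL can set eth0 down")
 }
 
+func TestCapAddALLDropNetAdminCanDownInterface(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL --cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
+	out, _, err := runCommandWithOutput(cmd)
+	if err == nil {
+		t.Fatal(err, out)
+	}
+
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		t.Fatalf("expected output not ok received %s", actual)
+	}
+	deleteAllContainers()
+
+	logDone("run - test --cap-add=ALL --cap-drop=NET_ADMIN cannot set eth0 down")
+}
+
 func TestPrivilegedCanMount(t *testing.T) {
 	cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")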
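Review bot: Both new tests pass the two capability flags to exec.Command as a single argv element (`"--cap-drop=ALL --cap-add=MKNOD"` on the first added line of TestCapDropALLAddMknodCannotMknod, and `"--cap-add=ALL --cap-drop=NET_ADMIN"` in TestCapAddALLDropNetAdminCanDownInterface), so unless docker's flag parser splits a value on whitespace — which I cannot see from here — `--cap-drop` receives the value `ALL --cap-add=MKNOD`, which matches neither "all" nor any capability name. In that case both tests would pass on the default capability set alone (MKNOD granted, NET_ADMIN absent) and never exercise the add/drop ordering the commit introduces. They should be separate arguments: `"--cap-drop=ALL", "--cap-add=MKNOD"` and `"--cap-add=ALL", "--cap-drop=NET_ADMIN"`. The name TestCapDropALLAddMknodCannotMknod also contradicts its own logDone message, which says the container can mknod; renaming it to TestCapDropALLAddMknodCanMknod would match the assertion.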