Basic --cap-add and --cap-drop support for lxc

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)

daemon/execdriver/driver.go

@@ -60,6 +60,8 @@ type InitArgs struct {
 	Console    string
 	Pipe       int
 	Root       string
+	CapAdd     string
+	CapDrop    string
 }
 
 // Driver specific information based on

daemon/execdriver/lxc/driver.go

@@ -122,6 +122,14 @@ func (d *driver) Run(c *execdriver.Command, pipes *execdriver.Pipes, startCallba
 		params = append(params, "-w", c.WorkingDir)
 	}
 
+	if len(c.CapAdd) > 0 {
+		params = append(params, "-cap-add", strings.Join(c.CapAdd, " "))
+	}
+
+	if len(c.CapDrop) > 0 {
+		params = append(params, "-cap-drop", strings.Join(c.CapDrop, " "))
+	}
+
 	params = append(params, "--", c.Entrypoint)
 	params = append(params, c.Arguments...)
 

daemon/execdriver/lxc/lxc_init_linux.go

@@ -4,6 +4,7 @@ package lxc
 
 import (
 	"fmt"
+	"strings"
 	"syscall"
 
 	"github.com/docker/libcontainer/namespaces"
@@ -12,6 +13,7 @@ import (
 	"github.com/dotcloud/docker/daemon/execdriver"
 	"github.com/dotcloud/docker/daemon/execdriver/native/template"
 	"github.com/dotcloud/docker/pkg/system"
+	utils2 "github.com/dotcloud/docker/utils"
 )
 
 func setHostname(hostname string) error {
@@ -48,8 +50,21 @@ func finalizeNamespace(args *execdriver.InitArgs) error {
 			return fmt.Errorf("clear keep caps %s", err)
 		}
 
+		var caps []string
+		for _, cap := range container.Capabilities {
+			if !utils2.StringsContains(strings.Split(args.CapDrop, " "), cap) {
+				caps = append(caps, cap)
+			}
+		}
+
+		for _, cap := range strings.Split(args.CapAdd, " ") {
+			if !utils2.StringsContains(caps, cap) {
+				caps = append(caps, cap)
+			}
+		}
+
 		// drop all other capabilities
-		if err := capabilities.DropCapabilities(container.Capabilities); err != nil {
+		if err := capabilities.DropCapabilities(caps); err != nil {
 			return fmt.Errorf("drop capabilities %s", err)
 		}
 	}

sysinit/sysinit.go

@@ -3,11 +3,12 @@ package sysinit
 import (
 	"flag"
 	"fmt"
+	"log"
+	"os"
+
 	"github.com/dotcloud/docker/daemon/execdriver"
 	_ "github.com/dotcloud/docker/daemon/execdriver/lxc"
 	_ "github.com/dotcloud/docker/daemon/execdriver/native"
-	"log"
-	"os"
 )
 
 func executeProgram(args *execdriver.InitArgs) error {
@@ -39,6 +40,8 @@ func SysInit() {
 		pipe       = flag.Int("pipe", 0, "sync pipe fd")
 		console    = flag.String("console", "", "console (pty slave) path")
 		root       = flag.String("root", ".", "root path for configuration files")
+		capAdd     = flag.String("cap-add", "", "capabilities to add")
+		capDrop    = flag.String("cap-drop", "", "capabilities to drop")
 	)
 	flag.Parse()
 
@@ -54,6 +57,8 @@ func SysInit() {
 		Console:    *console,
 		Pipe:       *pipe,
 		Root:       *root,
+		CapAdd:     *capAdd,
+		CapDrop:    *capDrop,
 	}
 
 	if err := executeProgram(args); err != nil {