|
@@ -13,7 +13,6 @@ import (
|
|
|
|
|
|
containertypes "github.com/docker/docker/api/types/container"
|
|
|
"github.com/docker/docker/container"
|
|
|
- "github.com/docker/docker/daemon/caps"
|
|
|
daemonconfig "github.com/docker/docker/daemon/config"
|
|
|
"github.com/docker/docker/oci"
|
|
|
"github.com/docker/docker/pkg/idtools"
|
|
@@ -249,30 +248,6 @@ func setNamespace(s *specs.Spec, ns specs.LinuxNamespace) {
|
|
|
s.Linux.Namespaces = append(s.Linux.Namespaces, ns)
|
|
|
}
|
|
|
|
|
|
-func setCapabilities(s *specs.Spec, c *container.Container) error {
|
|
|
- var caplist []string
|
|
|
- var err error
|
|
|
- if c.HostConfig.Privileged {
|
|
|
- caplist = caps.GetAllCapabilities()
|
|
|
- } else {
|
|
|
- caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, c.HostConfig.CapAdd, c.HostConfig.CapDrop)
|
|
|
- if err != nil {
|
|
|
- return err
|
|
|
- }
|
|
|
- }
|
|
|
- s.Process.Capabilities.Effective = caplist
|
|
|
- s.Process.Capabilities.Bounding = caplist
|
|
|
- s.Process.Capabilities.Permitted = caplist
|
|
|
- s.Process.Capabilities.Inheritable = caplist
|
|
|
- // setUser has already been executed here
|
|
|
- // if non root drop capabilities in the way execve does
|
|
|
- if s.Process.User.UID != 0 {
|
|
|
- s.Process.Capabilities.Effective = []string{}
|
|
|
- s.Process.Capabilities.Permitted = []string{}
|
|
|
- }
|
|
|
- return nil
|
|
|
-}
|
|
|
-
|
|
|
func setNamespaces(daemon *Daemon, s *specs.Spec, c *container.Container) error {
|
|
|
userNS := false
|
|
|
// user
|