Use libcontainer cap drop method

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)

daemon/execdriver/lxc/driver.go

@@ -19,6 +19,7 @@ import (
 	"github.com/docker/libcontainer/label"
 	"github.com/docker/libcontainer/mount/nodes"
 	"github.com/dotcloud/docker/daemon/execdriver"
+	"github.com/dotcloud/docker/pkg/system"
 	"github.com/dotcloud/docker/utils"
 )
 
@@ -36,7 +37,13 @@ func init() {
 		if err := setupNetworking(args); err != nil {
 			return err
 		}
-		if err := setupCapabilities(args); err != nil {
+		if err := setupWorkingDirectory(args); err != nil {
+			return err
+		}
+		if err := system.CloseFdsFrom(3); err != nil {
+			return err
+		}
+		if err := finalizeNamespace(args); err != nil {
 			return err
 		}
 

daemon/execdriver/lxc/init.go

@@ -11,9 +11,6 @@ import (
 
 	"github.com/docker/libcontainer/netlink"
 	"github.com/dotcloud/docker/daemon/execdriver"
-	"github.com/dotcloud/docker/pkg/system"
-	"github.com/dotcloud/docker/pkg/user"
-	"github.com/syndtr/gocapability/capability"
 )
 
 // Clear environment pollution introduced by lxc-start
@@ -108,126 +105,6 @@ func setupWorkingDirectory(args *execdriver.InitArgs) error {
 	return nil
 }
 
-// Takes care of dropping privileges to the desired user
-func changeUser(args *execdriver.InitArgs) error {
-	uid, gid, suppGids, err := user.GetUserGroupSupplementary(
-		args.User,
-		syscall.Getuid(), syscall.Getgid(),
-	)
-	if err != nil {
-		return err
-	}
-
-	if err := syscall.Setgroups(suppGids); err != nil {
-		return fmt.Errorf("Setgroups failed: %v", err)
-	}
-	if err := syscall.Setgid(gid); err != nil {
-		return fmt.Errorf("Setgid failed: %v", err)
-	}
-	if err := syscall.Setuid(uid); err != nil {
-		return fmt.Errorf("Setuid failed: %v", err)
-	}
-
-	return nil
-}
-
-var whiteList = []capability.Cap{
-	capability.CAP_MKNOD,
-	capability.CAP_SETUID,
-	capability.CAP_SETGID,
-	capability.CAP_CHOWN,
-	capability.CAP_NET_RAW,
-	capability.CAP_DAC_OVERRIDE,
-	capability.CAP_FOWNER,
-	capability.CAP_FSETID,
-	capability.CAP_KILL,
-	capability.CAP_SETGID,
-	capability.CAP_SETUID,
-	capability.CAP_LINUX_IMMUTABLE,
-	capability.CAP_NET_BIND_SERVICE,
-	capability.CAP_NET_BROADCAST,
-	capability.CAP_IPC_LOCK,
-	capability.CAP_IPC_OWNER,
-	capability.CAP_SYS_CHROOT,
-	capability.CAP_SYS_PTRACE,
-	capability.CAP_SYS_BOOT,
-	capability.CAP_LEASE,
-	capability.CAP_SETFCAP,
-	capability.CAP_WAKE_ALARM,
-	capability.CAP_BLOCK_SUSPEND,
-}
-
-func dropBoundingSet() error {
-	c, err := capability.NewPid(os.Getpid())
-	if err != nil {
-		return err
-	}
-	c.Clear(capability.BOUNDS)
-	c.Set(capability.BOUNDS, whiteList...)
-
-	if err := c.Apply(capability.BOUNDS); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-const allCapabilityTypes = capability.CAPS | capability.BOUNDS
-
-func dropCapabilities() error {
-	c, err := capability.NewPid(os.Getpid())
-	if err != nil {
-		return err
-	}
-	c.Clear(allCapabilityTypes)
-	c.Set(allCapabilityTypes, whiteList...)
-
-	if err := c.Apply(allCapabilityTypes); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func setupCapabilities(args *execdriver.InitArgs) error {
-	if err := system.CloseFdsFrom(3); err != nil {
-		return err
-	}
-
-	if !args.Privileged {
-		// drop capabilities in bounding set before changing user
-		if err := dropBoundingSet(); err != nil {
-			return fmt.Errorf("drop bounding set %s", err)
-		}
-
-		// preserve existing capabilities while we change users
-		if err := system.SetKeepCaps(); err != nil {
-			return fmt.Errorf("set keep caps %s", err)
-		}
-	}
-
-	if err := changeUser(args); err != nil {
-		return err
-	}
-
-	if !args.Privileged {
-		if err := system.ClearKeepCaps(); err != nil {
-			return fmt.Errorf("clear keep caps %s", err)
-		}
-
-		// drop all other capabilities
-		if err := dropCapabilities(); err != nil {
-			return fmt.Errorf("drop capabilities %s", err)
-		}
-	}
-
-	if err := setupWorkingDirectory(args); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func getEnv(args *execdriver.InitArgs, key string) string {
 	for _, kv := range args.Env {
 		parts := strings.SplitN(kv, "=", 2)

daemon/execdriver/lxc/lxc_init_linux.go

@@ -3,9 +3,51 @@
 package lxc
 
 import (
+	"fmt"
 	"syscall"
+
+	"github.com/docker/libcontainer/namespaces"
+	"github.com/docker/libcontainer/security/capabilities"
+	"github.com/dotcloud/docker/daemon/execdriver"
+	"github.com/dotcloud/docker/daemon/execdriver/native/template"
+	"github.com/dotcloud/docker/pkg/system"
 )
 
 func setHostname(hostname string) error {
 	return syscall.Sethostname([]byte(hostname))
 }
+
+func finalizeNamespace(args *execdriver.InitArgs) error {
+	// We use the native drivers default template so that things like caps are consistent
+	// across both drivers
+	container := template.New()
+
+	if !args.Privileged {
+		// drop capabilities in bounding set before changing user
+		if err := capabilities.DropBoundingSet(container); err != nil {
+			return fmt.Errorf("drop bounding set %s", err)
+		}
+
+		// preserve existing capabilities while we change users
+		if err := system.SetKeepCaps(); err != nil {
+			return fmt.Errorf("set keep caps %s", err)
+		}
+	}
+
+	if err := namespaces.SetupUser(args.User); err != nil {
+		return fmt.Errorf("setup user %s", err)
+	}
+
+	if !args.Privileged {
+		if err := system.ClearKeepCaps(); err != nil {
+			return fmt.Errorf("clear keep caps %s", err)
+		}
+
+		// drop all other capabilities
+		if err := capabilities.DropCapabilities(container); err != nil {
+			return fmt.Errorf("drop capabilities %s", err)
+		}
+	}
+
+	return nil
+}

daemon/execdriver/lxc/lxc_init_unsupported.go

@@ -2,6 +2,12 @@
 
 package lxc
 
+import "github.com/dotcloud/docker/daemon/execdriver"
+
 func setHostname(hostname string) error {
 	panic("Not supported on darwin")
 }
+
+func finalizeNamespace(args *execdriver.InitArgs) error {
+	panic("Not supported on darwin")
+}

pkg/system/unsupported.go

@@ -28,3 +28,11 @@ func GetClockTicks() int {
 func CreateMasterAndConsole() (*os.File, string, error) {
 	return nil, "", ErrNotSupportedPlatform
 }
+
+func SetKeepCaps() error {
+	return ErrNotSupportedPlatform
+}
+
+func ClearKeepCaps() error {
+	return ErrNotSupportedPlatform
+}