| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 |
- package execdriver
- import (
- "fmt"
- "strings"
- "github.com/docker/docker/utils"
- "github.com/docker/libcontainer/security/capabilities"
- )
- func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
- var (
- newCaps []string
- allCaps = capabilities.GetAllCapabilities()
- )
- // look for invalid cap in the drop list
- for _, cap := range drops {
- if strings.ToLower(cap) == "all" {
- continue
- }
- if !utils.StringsContainsNoCase(allCaps, cap) {
- return nil, fmt.Errorf("Unknown capability drop: %q", cap)
- }
- }
- // handle --cap-add=all
- if utils.StringsContainsNoCase(adds, "all") {
- basics = capabilities.GetAllCapabilities()
- }
- if !utils.StringsContainsNoCase(drops, "all") {
- for _, cap := range basics {
- // skip `all` aready handled above
- if strings.ToLower(cap) == "all" {
- continue
- }
- // if we don't drop `all`, add back all the non-dropped caps
- if !utils.StringsContainsNoCase(drops, cap) {
- newCaps = append(newCaps, strings.ToUpper(cap))
- }
- }
- }
- for _, cap := range adds {
- // skip `all` aready handled above
- if strings.ToLower(cap) == "all" {
- continue
- }
- if !utils.StringsContainsNoCase(allCaps, cap) {
- return nil, fmt.Errorf("Unknown capability to add: %q", cap)
- }
- // add cap if not already in the list
- if !utils.StringsContainsNoCase(newCaps, cap) {
- newCaps = append(newCaps, strings.ToUpper(cap))
- }
- }
- return newCaps, nil
- }
|
