485cf38d48
In situations where docker runs in an environment where capabilities are limited, sucn as docker-in-docker in a container created by older versions of docker, or in a container where some capabilities have been disabled, starting a privileged container may fail, because even though the _kernel_ supports a capability, the capability is not available. This patch attempts to address this problem by limiting the list of "known" capa- bilities on the set of effective capabilties for the current process. This code is based on the code in containerd's "caps" package. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
35 lines
1 KiB
Go
35 lines
1 KiB
Go
package caps // import "github.com/docker/docker/oci/caps"
|
|
import (
|
|
"sync"
|
|
|
|
ccaps "github.com/containerd/containerd/pkg/cap"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
var initCapsOnce sync.Once
|
|
|
|
func initCaps() {
|
|
initCapsOnce.Do(func() {
|
|
rawCaps := ccaps.Known()
|
|
curCaps, err := ccaps.Current()
|
|
if err != nil {
|
|
logrus.WithError(err).Error("failed to get capabilities from current environment")
|
|
allCaps = rawCaps
|
|
} else {
|
|
allCaps = curCaps
|
|
}
|
|
knownCaps = make(map[string]*struct{}, len(rawCaps))
|
|
for _, capName := range rawCaps {
|
|
// For now, we assume the capability is available if we failed to
|
|
// get the capabilities from the current environment. This keeps the
|
|
// old (pre-detection) behavior, and prevents creating containers with
|
|
// no capabilities. The OCI runtime or kernel may still refuse capa-
|
|
// bilities that are not available, and produce an error in that case.
|
|
if len(curCaps) > 0 && !inSlice(curCaps, capName) {
|
|
knownCaps[capName] = nil
|
|
continue
|
|
}
|
|
knownCaps[capName] = &struct{}{}
|
|
}
|
|
})
|
|
}
|