Add ambient and bounding capability support

crosbymichael · crosbymichael · commit c119f260d491 · 2017-02-08T12:01:49.000-08:00
Closes opencontainers#668 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
diff --git a/config.md b/config.md
@@ -131,7 +131,12 @@ For Windows, see links for details about [mountvol](http://ss64.com/nt/mountvol.
 * **`env`** (array of strings, OPTIONAL) with the same semantics as [IEEE Std 1003.1-2001's `environ`][ieee-1003.1-2001-xbd-c8.1].
 * **`args`** (array of strings, REQUIRED) with similar semantics to [IEEE Std 1003.1-2001 `execvp`'s *argv*][ieee-1003.1-2001-xsh-exec].
   This specification extends the IEEE standard in that at least one entry is REQUIRED, and that entry is used with the same semantics as `execvp`'s *file*.
-* **`capabilities`** (array of strings, OPTIONAL) is an array that specifies the set of capabilities of the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [CAPABILITIES(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) man page.
+* **`capabilities`** (object of strings, OPTIONAL) is an array that specifies the set of capabilities of the process(es) inside the container. Valid values are platform-specific. For example, valid values for Linux are defined in the [CAPABILITIES(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) man page.
+  capabilities contains the following properties:
+    * **`effective`** (array of strings, OPTIONAL) - the 'bounding' field is the whitelist of bounding capabilities that are kept for the process.
+    * **`inheritable`** (array of strings, OPTIONAL) - the 'bounding' field is the whitelist of bounding capabilities that are kept for the process.
+    * **`permitted`** (array of strings, OPTIONAL) - the 'bounding' field is the whitelist of bounding capabilities that are kept for the process.
+    * **`ambient`** (array of strings, OPTIONAL) - the 'ambient' field is the whitelist of ambient capabilities that are kept for the process.
 * **`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
   Each entry has the following structure:
 
@@ -190,11 +195,15 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
     "apparmorProfile": "acme_secure_profile",
     "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
     "noNewPrivileges": true,
-    "capabilities": [
-        "CAP_AUDIT_WRITE",
-        "CAP_KILL",
-        "CAP_NET_BIND_SERVICE"
-    ],
+    "capabilities": {
+        "bounding": [
+            "CAP_AUDIT_WRITE",
+            "CAP_KILL",
+        ],
+        "ambient": [
+            "CAP_NET_BIND_SERVICE"
+        ]
+    },
     "rlimits": [
         {
             "type": "RLIMIT_NOFILE",
@@ -445,11 +454,15 @@ Here is a full example `config.json` for reference.
             "TERM=xterm"
         ],
         "cwd": "/",
-        "capabilities": [
-            "CAP_AUDIT_WRITE",
-            "CAP_KILL",
-            "CAP_NET_BIND_SERVICE"
-        ],
+        "capabilities": {
+            "bounding": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+            ],
+            "ambient": [
+                "CAP_NET_BIND_SERVICE"
+            ]
+        },
         "rlimits": [
             {
                 "type": "RLIMIT_CORE",
diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -135,9 +135,36 @@
                 },
                 "capabilities": {
                     "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities",
-                    "type": "array",
-                    "items": {
-                        "$ref": "defs-linux.json#/definitions/Capability"
+                    "type": "object",
+                    "properties": {
+                        "permitted": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/permitted",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        },
+                        "effective": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/effective",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        },
+                        "inheritable": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/inheritable",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        },
+                        "ambient": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/ambient",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        }
                     }
                 },
                 "apparmorProfile": {
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -78,7 +78,7 @@
             }
         },
         "Capability": {
-            "description": "Linux process permissions",
+            "description": "Linux process capabilities",
             "type": "string",
             "pattern": "^CAP_([A-Z]|_)+$"
         },
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -44,8 +44,8 @@ type Process struct {
 	// Cwd is the current working directory for the process and must be
 	// relative to the container's root.
 	Cwd string `json:"cwd"`
-	// Capabilities are Linux capabilities that are kept for the container.
-	Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
+	// Capabilities are Linux capabilities that are kept for the process.
+	Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 	// Rlimits specifies rlimit options to apply to the process.
 	Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
 	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
@@ -56,6 +56,19 @@ type Process struct {
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
+// http://man7.org/linux/man-pages/man7/capabilities.7.html
+type LinuxCapabilities struct {
+	// Effective is the set of capabilities checked by the kernel.
+	Effective []string `json:"effective",omitempty" platform:"linux"`
+	// Inheritable is the capabilities preserved across execve.
+	Inheritable []string `json:"inheritable,omitempty" platform:"linux"`
+	// Permitted is the limiting superset for effective capabilities.
+	Permitted []string `json:"permitted,omitempty" platform:"linux"`
+	// Ambient is the ambient set of capabilities that are kept.
+	Ambient []string `json:"ambient,omitempty" platform:"linux"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 	// Height is the vertical dimension of a box.

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@`
`78`	`78`	`}`
`79`	`79`	`},`
`80`	`80`	`"Capability": {`
`81`		`- "description": "Linux process permissions",`
	`81`	`+ "description": "Linux process capabilities",`
`82`	`82`	`"type": "string",`
`83`	`83`	`"pattern": "^CAP_([A-Z]\|_)+$"`
`84`	`84`	`},`