oracle
diff --git a/‎oci/src/lib.rs‎
Lines changed: 98 additions & 2 deletions b/‎oci/src/lib.rs‎
Lines changed: 98 additions & 2 deletions
diff --git a/‎src/capabilities.rs‎
Lines changed: 16 additions & 17 deletions b/‎src/capabilities.rs‎
Lines changed: 16 additions & 17 deletions
diff --git a/‎src/cgroups.rs‎
Lines changed: 58 additions & 0 deletions b/‎src/cgroups.rs‎
Lines changed: 58 additions & 0 deletions
@@ -123,6 +123,20 @@ pub enum LinuxCapabilityType {
     CAP_AUDIT_READ,
 }
 
+#[derive(Serialize, Deserialize, Debug)]
+pub struct LinuxCapabilities {
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub bounding: Vec<LinuxCapabilityType>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub effective: Vec<LinuxCapabilityType>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub inheritable: Vec<LinuxCapabilityType>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub permitted: Vec<LinuxCapabilityType>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub ambient: Vec<LinuxCapabilityType>,
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub struct Process {
     #[serde(default, skip_serializing_if = "is_false")]
@@ -136,8 +150,9 @@ pub struct Process {
     pub env: Vec<String>,
     #[serde(default, skip_serializing_if = "String::is_empty")]
     pub cwd: String,
-    #[serde(default, skip_serializing_if = "Vec::is_empty")]
-    pub capabilities: Vec<LinuxCapabilityType>,
+    #[serde(default, deserialize_with = "deserialize_capabilities",
+            skip_serializing_if = "Option::is_none")]
+    pub capabilities: Option<LinuxCapabilities>,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub rlimits: Vec<LinuxRlimit>,
     #[serde(default, skip_serializing_if = "is_false",
@@ -151,6 +166,84 @@ pub struct Process {
     pub selinux_label: String,
 }
 
+use serde::Deserialize;
+
+fn cap_from_array<D>(
+    a: &[serde_json::Value],
+) -> Result<Vec<LinuxCapabilityType>, D::Error>
+where
+    D: serde::Deserializer,
+{
+    let mut caps = Vec::new();
+    for c in a {
+        match LinuxCapabilityType::deserialize(c) {
+            Ok(val) => caps.push(val),
+            Err(_) => {
+                let msg = format!("Capability '{}' is not valid", c);
+                return Err(serde::de::Error::custom(msg));
+            }
+        }
+    }
+    Ok(caps)
+}
+
+fn cap_from_object<D>(
+    o: &serde_json::Map<String, serde_json::Value>,
+    key: &str,
+) -> Result<Vec<LinuxCapabilityType>, D::Error>
+where
+    D: serde::Deserializer,
+{
+    if let Some(v) = o.get(key) {
+        match *v {
+            serde_json::Value::Null => Ok(Vec::new()),
+            serde_json::Value::Array(ref a) => cap_from_array::<D>(a),
+            _ => Err(serde::de::Error::custom(
+                "Unexpected value in capability set",
+            )),
+        }
+    } else {
+        Ok(Vec::new())
+    }
+}
+
+// handle the old case where caps was just a list of caps
+fn deserialize_capabilities<D>(
+    de: D,
+) -> Result<Option<LinuxCapabilities>, D::Error>
+where
+    D: serde::Deserializer,
+{
+    let r: serde_json::Value = serde::Deserialize::deserialize(de)?;
+    match r {
+        serde_json::Value::Null => Ok(None),
+        serde_json::Value::Array(a) => {
+            let caps = cap_from_array::<D>(&a)?;
+            let capabilities = LinuxCapabilities {
+                bounding: caps.clone(),
+                effective: caps.clone(),
+                inheritable: caps.clone(),
+                permitted: caps.clone(),
+                ambient: caps.clone(),
+            };
+
+            Ok(Some(capabilities))
+        }
+        serde_json::Value::Object(o) => {
+            let capabilities = LinuxCapabilities{
+                bounding: cap_from_object::<D>(&o, "bounding")?,
+                effective: cap_from_object::<D>(&o, "effective")?,
+                inheritable: cap_from_object::<D>(&o, "inheritable")?,
+                permitted: cap_from_object::<D>(&o, "permitted")?,
+                ambient: cap_from_object::<D>(&o, "ambient")?,
+            };
+
+            Ok(Some(capabilities))
+        }
+        _ => Err(serde::de::Error::custom("Unexpected value in capabilites")),
+    }
+}
+
 #[derive(Serialize, Deserialize, Debug)]
 pub struct Root {
     #[serde(default)]
@@ -467,8 +560,11 @@ pub struct LinuxSeccompArg {
 
 #[derive(Serialize, Deserialize, Debug)]
 pub struct LinuxSyscall {
+    // old version used name
     #[serde(default, skip_serializing_if = "String::is_empty")]
     pub name: String,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub names: Vec<String>,
     pub action: LinuxSeccompAction,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub args: Vec<LinuxSeccompArg>,
 
@@ -1,16 +1,17 @@
 use caps::*;
-use oci::LinuxCapabilityType;
+use oci::{LinuxCapabilities, LinuxCapabilityType};
 
 fn to_cap(cap: LinuxCapabilityType) -> Capability {
     unsafe { ::std::mem::transmute(cap) }
 }
 
-const ALL_CAP_SETS: &'static [CapSet] = &[
-    CapSet::Effective,
-    CapSet::Permitted,
-    CapSet::Inheritable,
-    CapSet::Ambient,
-];
+fn to_set(caps: &[LinuxCapabilityType]) -> CapsHashSet {
+    let mut capabilities = CapsHashSet::new();
+    for c in caps {
+        capabilities.insert(to_cap(*c));
+    }
+    capabilities
+}
 
 pub fn reset_effective() -> ::Result<()> {
     let mut all = CapsHashSet::new();
@@ -21,22 +22,20 @@ pub fn reset_effective() -> ::Result<()> {
     Ok(())
 }
 
-pub fn drop_privileges(cs: &[LinuxCapabilityType]) -> ::Result<()> {
+pub fn drop_privileges(cs: &LinuxCapabilities) -> ::Result<()> {
     let mut all = CapsHashSet::new();
     for c in Capability::iter_variants() {
         all.insert(c);
     }
-    let mut capabilities = CapsHashSet::new();
-    for c in cs {
-        capabilities.insert(to_cap(*c));
-    }
+    debug!("dropping bounding capabilities to {:?}", cs.bounding);
     // drop excluded caps from the bounding set
-    for c in all.difference(&capabilities) {
+    for c in all.difference(&to_set(&cs.bounding)) {
         drop(None, CapSet::Bounding, *c)?;
     }
-    // set all sets for current process
-    for capset in ALL_CAP_SETS {
-        set(None, *capset, capabilities.clone())?;
-    }
+    // set other sets for current process
+    set(None, CapSet::Effective, to_set(&cs.effective))?;
+    set(None, CapSet::Permitted, to_set(&cs.permitted))?;
+    set(None, CapSet::Inheritable, to_set(&cs.inheritable))?;
+    set(None, CapSet::Ambient, to_set(&cs.ambient))?;
     Ok(())
 }
@@ -12,6 +12,7 @@ pub fn init() {
     // initialize lazy_static maps
     initialize(&PATHS);
     initialize(&MOUNTS);
+    initialize(&DEFAULT_ALLOWED_DEVICES);
     initialize(&APPLIES);
 }
 
@@ -242,6 +243,59 @@ lazy_static! {
     };
 }
 
+lazy_static! {
+    static ref DEFAULT_ALLOWED_DEVICES: Vec<LinuxDeviceCgroup> = {
+        let mut v = Vec::new();
+        // mknod any device
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::c,
+            major: None,
+            minor: None,
+            access: "m".to_string(),
+        });
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::b,
+            major: None,
+            minor: None,
+            access: "m".to_string(),
+        });
+        // /dev/console
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::c,
+            major: Some(5),
+            minor: Some(1),
+            access: "rwm".to_string(),
+        });
+        // /dev/pts
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::c,
+            major: Some(136),
+            minor: None,
+            access: "rwm".to_string(),
+        });
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::c,
+            major: Some(5),
+            minor: Some(2),
+            access: "rwm".to_string(),
+        });
+        // tun/tap
+        v.push(LinuxDeviceCgroup{
+            allow: true,
+            typ: LinuxDeviceType::c,
+            major: Some(10),
+            minor: Some(200),
+            access: "rwm".to_string(),
+        });
+        v
+    };
+}
+
 type Apply = fn(&LinuxResources, &str) -> Result<()>;
 
 lazy_static! {
@@ -468,5 +522,9 @@ fn devices_apply(r: &LinuxResources, dir: &str) -> Result<()> {
 
         write_device(&ld, dir)?;
     }
+    for ld in DEFAULT_ALLOWED_DEVICES.iter() {
+        write_device(ld, dir)?;
+    }
+
     Ok(())
 }