
Commit ae415cc

committed
server/container_create: Factor out setupCapabilities helper
Having a separate function holding the details of this makes reading createSandboxContainer easier. While I was moving the code, I've also cleaned up two things:

* The nil capabilities check is now earlier, where before it had been between the ALL handling and the non-ALL handling.
* I've added a capPrefixed variable to avoid having multiple toCAPPrefixed calls per capability.

Signed-off-by: W. Trevor King <[email protected]>
1 parent 77561e9 commit ae415cc


1 file changed

+107
-95
lines changed

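--- a/server/container_create.go
+++ b/server/container_create.go
@@ -490,6 +490,110 @@ func setupContainerUser(specgen *generate.Generator, rootfs string, sc *pb.Linux
 return nil
 }
 
+// setupCapabilities sets process.capabilities in the OCI runtime config.
+func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability) error {
+if capabilities == nil {
+return nil
+}
+
+toCAPPrefixed := func(cap string) string {
+if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
+return "CAP_" + strings.ToUpper(cap)
+}
+return cap
+}
+
+// Add/drop all capabilities if "all" is specified, so that
+// following individual add/drop could still work. E.g.
+// AddCapabilities: []string{"ALL"}, DropCapabilities: []string{"CHOWN"}
+// will be all capabilities without `CAP_CHOWN`.
+// see https://github.com/kubernetes/kubernetes/issues/51980
+if inStringSlice(capabilities.GetAddCapabilities(), "ALL") {
+for _, c := range getOCICapabilitiesList() {
+if err := specgen.AddProcessCapabilityAmbient(c); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityBounding(c); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityEffective(c); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
+return err
+}
+}
+}
+if inStringSlice(capabilities.GetDropCapabilities(), "ALL") {
+for _, c := range getOCICapabilitiesList() {
+if err := specgen.DropProcessCapabilityAmbient(c); err != nil {
+return err
+}
+if err := specgen.DropProcessCapabilityBounding(c); err != nil {
+return err
+}
+if err := specgen.DropProcessCapabilityEffective(c); err != nil {
+return err
+}
+if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
+return err
+}
+if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
+return err
+}
+}
+}
+
+for _, cap := range capabilities.GetAddCapabilities() {
+if strings.ToUpper(cap) == "ALL" {
+continue
+}
+capPrefixed := toCAPPrefixed(cap)
+if err := specgen.AddProcessCapabilityAmbient(capPrefixed); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityBounding(capPrefixed); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityEffective(capPrefixed); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityInheritable(capPrefixed); err != nil {
+return err
+}
+if err := specgen.AddProcessCapabilityPermitted(capPrefixed); err != nil {
+return err
+}
+}
+
+for _, cap := range capabilities.GetDropCapabilities() {
+if strings.ToUpper(cap) == "ALL" {
+continue
+}
+capPrefixed := toCAPPrefixed(cap)
+if err := specgen.DropProcessCapabilityAmbient(capPrefixed); err != nil {
+return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+}
+if err := specgen.DropProcessCapabilityBounding(capPrefixed); err != nil {
+return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+}
+if err := specgen.DropProcessCapabilityEffective(capPrefixed); err != nil {
+return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+}
+if err := specgen.DropProcessCapabilityInheritable(capPrefixed); err != nil {
+return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+}
+if err := specgen.DropProcessCapabilityPermitted(capPrefixed); err != nil {
+return fmt.Errorf("failed to drop cap %s %v", capPrefixed, err)
+}
+}
+
+return nil
+}
+
 func hostNetwork(containerConfig *pb.ContainerConfig) bool {
 securityContext := containerConfig.GetLinux().GetSecurityContext()
 if securityContext == nil || securityContext.GetNamespaceOptions() == nil {
@@ -819,105 +923,13 @@ func (s *Server) createSandboxContainer(ctx context.Context, containerID string,
 }
 specgen.SetLinuxCgroupsPath(cgPath)
 
-capabilities := linux.GetSecurityContext().GetCapabilities()
 if privileged {
-// this is setting correct capabilities as well for privileged mode
 specgen.SetupPrivileged(true)
 setOCIBindMountsPrivileged(&specgen)
 } else {
-toCAPPrefixed := func(cap string) string {
-if !strings.HasPrefix(strings.ToLower(cap), "cap_") {
-return "CAP_" + strings.ToUpper(cap)
-}
-return cap
-}
-
-// Add/drop all capabilities if "all" is specified, so that
-// following individual add/drop could still work. E.g.
-// AddCapabilities: []string{"ALL"}, DropCapabilities: []string{"CHOWN"}
-// will be all capabilities without `CAP_CHOWN`.
-// see https://github.com/kubernetes/kubernetes/issues/51980
-if inStringSlice(capabilities.GetAddCapabilities(), "ALL") {
-for _, c := range getOCICapabilitiesList() {
-if err := specgen.AddProcessCapabilityAmbient(c); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityBounding(c); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityEffective(c); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityInheritable(c); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityPermitted(c); err != nil {
-return nil, err
-}
-}
-}
-if inStringSlice(capabilities.GetDropCapabilities(), "ALL") {
-for _, c := range getOCICapabilitiesList() {
-if err := specgen.DropProcessCapabilityAmbient(c); err != nil {
-return nil, err
-}
-if err := specgen.DropProcessCapabilityBounding(c); err != nil {
-return nil, err
-}
-if err := specgen.DropProcessCapabilityEffective(c); err != nil {
-return nil, err
-}
-if err := specgen.DropProcessCapabilityInheritable(c); err != nil {
-return nil, err
-}
-if err := specgen.DropProcessCapabilityPermitted(c); err != nil {
-return nil, err
-}
-}
-}
-
-if capabilities != nil {
-for _, cap := range capabilities.GetAddCapabilities() {
-if strings.ToUpper(cap) == "ALL" {
-continue
-}
-if err := specgen.AddProcessCapabilityAmbient(toCAPPrefixed(cap)); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityBounding(toCAPPrefixed(cap)); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityEffective(toCAPPrefixed(cap)); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityInheritable(toCAPPrefixed(cap)); err != nil {
-return nil, err
-}
-if err := specgen.AddProcessCapabilityPermitted(toCAPPrefixed(cap)); err != nil {
-return nil, err
-}
-}
-
-for _, cap := range capabilities.GetDropCapabilities() {
-if strings.ToUpper(cap) == "ALL" {
-continue
-}
-if err := specgen.DropProcessCapabilityAmbient(toCAPPrefixed(cap)); err != nil {
-return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
-}
-if err := specgen.DropProcessCapabilityBounding(toCAPPrefixed(cap)); err != nil {
-return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
-}
-if err := specgen.DropProcessCapabilityEffective(toCAPPrefixed(cap)); err != nil {
-return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
-}
-if err := specgen.DropProcessCapabilityInheritable(toCAPPrefixed(cap)); err != nil {
-return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
-}
-if err := specgen.DropProcessCapabilityPermitted(toCAPPrefixed(cap)); err != nil {
-return nil, fmt.Errorf("failed to drop cap %s %v", toCAPPrefixed(cap), err)
-}
-}
+err = setupCapabilities(&specgen, linux.GetSecurityContext().GetCapabilities())
+if err != nil {
+return nil, err
 }
 }
 specgen.SetProcessSelinuxLabel(processLabel)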
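Review bot: In the first hunk, the two `"ALL"` checks inside setupCapabilities disagree on case: `inStringSlice(capabilities.GetAddCapabilities(), "ALL")` and its drop twin look for that exact string, while the per-capability loops that follow skip the entry with `strings.ToUpper(cap) == "ALL"`. If `inStringSlice` compares exactly (its body is outside this diff, so this is inferred), a request carrying `DropCapabilities: ["all"]` triggers neither the drop-everything path nor any individual drop, and the container silently keeps the runtime's default capability set — a fail-open outcome for the one direction that is meant to reduce privilege, whereas the same typo on the add side merely fails closed. Since the code was moved rather than rewritten this predates the commit, but the new helper is the natural place to make both checks use `strings.EqualFold`, as sketched below. A smaller point of style in the same function: the add loops return the bare `err` while the drop loops wrap it as `failed to drop cap %s %v`; wrapping the add path the same way (`fmt.Errorf("failed to add cap %s %v", capPrefixed, err)`) would make a rejected capability name attributable from the log either way.
```go
func setupCapabilities(specgen *generate.Generator, capabilities *pb.Capability) error {
	if capabilities == nil {
		return nil
	}

	// hasAll reports whether the list names "ALL" in any letter case, so the
	// expand-all paths agree with the case-insensitive skip in the loops below.
	hasAll := func(caps []string) bool {
		for _, c := range caps {
			if strings.EqualFold(c, "ALL") {
				return true
			}
		}
		return false
	}

	// … unchanged: toCAPPrefixed helper …

	if hasAll(capabilities.GetAddCapabilities()) {
		// … unchanged: add-all loop …
	}
	if hasAll(capabilities.GetDropCapabilities()) {
		// … unchanged: drop-all loop …
	}
	// … unchanged: per-capability add/drop loops and return …
```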
