support add and drop in both order

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
This commit is contained in:
Victor Vieux 2014-07-10 23:02:39 +00:00
parent 222a6f4401
commit 064b5f870d
2 changed files with 36 additions and 2 deletions


@ -9,6 +9,11 @@ import (
func TweakCapabilities(basics, adds, drops []string) []string { func TweakCapabilities(basics, adds, drops []string) []string {
var caps []string var caps []string
if utils.StringsContainsNoCase(adds, "all") {
basics = capabilities.GetAllCapabilities()
}
if !utils.StringsContainsNoCase(drops, "all") { if !utils.StringsContainsNoCase(drops, "all") {
for _, cap := range basics { for _, cap := range basics {
if !utils.StringsContainsNoCase(drops, cap) { if !utils.StringsContainsNoCase(drops, cap) {
@ -19,8 +24,7 @@ func TweakCapabilities(basics, adds, drops []string) []string {
for _, cap := range adds { for _, cap := range adds {
if strings.ToLower(cap) == "all" { if strings.ToLower(cap) == "all" {
caps = capabilities.GetAllCapabilities() continue
break
} }
if !utils.StringsContainsNoCase(caps, cap) { if !utils.StringsContainsNoCase(caps, cap) {
caps = append(caps, cap) caps = append(caps, cap)
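Review bot: The new precedence rule is not documented, and it is a security-relevant one: because an "all" in adds now only widens basics before the drop filter runs (L15-17), and the adds loop skips "all" (L23-24), a drop always wins over an add regardless of flag order, so `--cap-drop=ALL --cap-add=ALL` now yields an empty set where the removed `caps = capabilities.GetAllCapabilities()` / `break` path used to grant everything. I would add a doc comment above the function so the next change does not silently flip this back: `// TweakCapabilities returns basics plus adds minus drops. An "all" in adds expands basics first, so drops always take precedence over adds whatever order the flags were given; "all" in both yields no capabilities.`. Minor: when both adds and drops contain "all" the GetAllCapabilities() result is computed and then discarded, which is harmless but could be short-circuited. The function's return statement lies outside the hunk.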


@ -813,6 +813,21 @@ func TestCapDropALLCannotMknod(t *testing.T) {
logDone("run - test --cap-drop=ALL cannot mknod") logDone("run - test --cap-drop=ALL cannot mknod")
} }
func TestCapDropALLAddMknodCannotMknod(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL --cap-add=MKNOD", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err, out)
}
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
t.Fatalf("expected output ok received %s", actual)
}
deleteAllContainers()
logDone("run - test --cap-drop=ALL --cap-add=MKNOD can mknod")
}
func TestCapAddCanDownInterface(t *testing.T) { func TestCapAddCanDownInterface(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
out, _, err := runCommandWithOutput(cmd) out, _, err := runCommandWithOutput(cmd)
@ -843,6 +858,21 @@ func TestCapAddALLCanDownInterface(t *testing.T) {
logDone("run - test --cap-add=ALL can set eth0 down") logDone("run - test --cap-add=ALL can set eth0 down")
} }
func TestCapAddALLDropNetAdminCanDownInterface(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL --cap-drop=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err == nil {
t.Fatal(err, out)
}
if actual := strings.Trim(out, "\r\n"); actual == "ok" {
t.Fatalf("expected output not ok received %s", actual)
}
deleteAllContainers()
logDone("run - test --cap-add=ALL --cap-drop=NET_ADMIN cannot set eth0 down")
}
func TestPrivilegedCanMount(t *testing.T) { func TestPrivilegedCanMount(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok") cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")
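Review bot: Both new tests pass the two capability flags as a single argv element (`"--cap-drop=ALL --cap-add=MKNOD"` in TestCapDropALLAddMknodCannotMknod and `"--cap-add=ALL --cap-drop=NET_ADMIN"` in TestCapAddALLDropNetAdminCanDownInterface), since exec.Command forwards each string unchanged; the flag parser will most likely see one flag whose value contains a space rather than two flags, so neither test exercises the add/drop ordering this commit claims to fix and each presumably passes for an unrelated reason (default caps include MKNOD; an unknown capability name makes the run fail). They should be split: `"--cap-drop=ALL", "--cap-add=MKNOD"` and `"--cap-add=ALL", "--cap-drop=NET_ADMIN"`. Separately, in the second test the `err == nil` branch calls `t.Fatal(err, out)` with a nil err, which prints nothing useful; `t.Fatalf("expected run to fail, got output %q", out)` says what was actually expected. The test function name TestCapDropALLAddMknodCannotMknod also contradicts the assertion (it expects mknod to succeed), so renaming it to something like TestCapDropALLAddMknodCanMknod would match the logDone message.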