docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add basic support for 'all' 

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
This commit is contained in:
Victor Vieux 2014-07-10 22:31:01 +00:00
parent f3ff323fb3
commit 222a6f4401
3 changed files with 48 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
daemon/execdriver/utils.go
View File

@ -1,17 +1,28 @@
package execdriver package execdriver
import "github.com/dotcloud/docker/utils" import (
"strings"
"github.com/docker/libcontainer/security/capabilities"
"github.com/dotcloud/docker/utils"
)
func TweakCapabilities(basics, adds, drops []string) []string { func TweakCapabilities(basics, adds, drops []string) []string {
var caps []string var caps []string
for _, cap := range basics { if !utils.StringsContainsNoCase(drops, "all") {
if !utils.StringsContains(drops, cap) { for _, cap := range basics {
caps = append(caps, cap) if !utils.StringsContainsNoCase(drops, cap) {
caps = append(caps, cap)
}
} }
} }
for _, cap := range adds { for _, cap := range adds {
if !utils.StringsContains(caps, cap) { if strings.ToLower(cap) == "all" {
caps = capabilities.GetAllCapabilities()
break
}
if !utils.StringsContainsNoCase(caps, cap) {
caps = append(caps, cap) caps = append(caps, cap)
} }
} }

30
integration-cli/docker_cli_run_test.go
View File

@ -798,6 +798,21 @@ func TestCapDropCannotMknod(t *testing.T) {
logDone("run - test --cap-drop=MKNOD cannot mknod") logDone("run - test --cap-drop=MKNOD cannot mknod")
} }
func TestCapDropALLCannotMknod(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err == nil {
t.Fatal(err, out)
}
if actual := strings.Trim(out, "\r\n"); actual == "ok" {
t.Fatalf("expected output not ok received %s", actual)
}
deleteAllContainers()
logDone("run - test --cap-drop=ALL cannot mknod")
}
func TestCapAddCanDownInterface(t *testing.T) { func TestCapAddCanDownInterface(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok") cmd := exec.Command(dockerBinary, "run", "--cap-add=NET_ADMIN", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
out, _, err := runCommandWithOutput(cmd) out, _, err := runCommandWithOutput(cmd)
@ -813,6 +828,21 @@ func TestCapAddCanDownInterface(t *testing.T) {
logDone("run - test --cap-add=NET_ADMIN can set eth0 down") logDone("run - test --cap-add=NET_ADMIN can set eth0 down")
} }
func TestCapAddALLCanDownInterface(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--cap-add=ALL", "busybox", "sh", "-c", "ip link set eth0 down && echo ok")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err, out)
}
if actual := strings.Trim(out, "\r\n"); actual != "ok" {
t.Fatalf("expected output ok received %s", actual)
}
deleteAllContainers()
logDone("run - test --cap-add=ALL can set eth0 down")
}
func TestPrivilegedCanMount(t *testing.T) { func TestPrivilegedCanMount(t *testing.T) {
cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok") cmd := exec.Command(dockerBinary, "run", "--privileged", "busybox", "sh", "-c", "mount -t tmpfs none /tmp && echo ok")

4
utils/utils.go
View File

@ -908,9 +908,9 @@ func ValidateContextDirectory(srcPath string) error {
return finalError return finalError
} }
func StringsContains(slice []string, s string) bool { func StringsContainsNoCase(slice []string, s string) bool {
for _, ss := range slice { for _, ss := range slice {
if s == ss { if strings.ToLower(s) == strings.ToLower(ss) {
return true return true
} }
} }