mirror of
https://github.com/containers/podman
synced 2024-10-19 08:44:11 +00:00
Properly handle --cap-add all when running with a --user flag
Handle the ALL Flag when running with an account as a user. Currently we throw an error when the user specifies podman run --user bin --cap-add all fedora echo hello Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
parent
9abbe0728c
commit
1ace9e3ba6
|
@ -141,7 +141,7 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
|
|||
configSpec.Process.Capabilities.Effective = caplist
|
||||
configSpec.Process.Capabilities.Permitted = caplist
|
||||
} else {
|
||||
userCaps, err := capabilities.NormalizeCapabilities(s.CapAdd)
|
||||
userCaps, err := capabilities.MergeCapabilities(nil, s.CapAdd, nil)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "capabilities requested by user are not valid: %q", strings.Join(s.CapAdd, ","))
|
||||
}
|
||||
|
|
|
@ -90,6 +90,18 @@ var _ = Describe("Podman privileged container tests", func() {
|
|||
containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
|
||||
})
|
||||
|
||||
It("podman cap-add CapEff with --user", func() {
|
||||
// Get caps of current process
|
||||
host_cap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
|
||||
Expect(host_cap.ExitCode()).To(Equal(0))
|
||||
|
||||
session := podmanTest.Podman([]string{"run", "--user=bin", "--cap-add", "all", "busybox", "awk", "/^CapEff/ { print $2 }", "/proc/self/status"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
Expect(session.ExitCode()).To(Equal(0))
|
||||
|
||||
containerCapMatchesHost(session.OutputToString(), host_cap.OutputToString())
|
||||
})
|
||||
|
||||
It("podman cap-drop CapEff", func() {
|
||||
session := podmanTest.Podman([]string{"run", "--cap-drop", "all", "busybox", "grep", "CapEff", "/proc/self/status"})
|
||||
session.WaitWithDefaultTimeout()
|
||||
|
|
Loading…
Reference in a new issue