exec: honor --privileged

write the capabilities to the configuration passed to the OCI
runtime.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

libpod/oci_conmon_linux.go

@@ -1193,6 +1193,13 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
 	pspec := c.config.Spec.Process
 	pspec.SelinuxLabel = c.config.ProcessLabel
 	pspec.Args = options.Cmd
+	for _, cap := range options.CapAdd {
+		pspec.Capabilities.Bounding = append(pspec.Capabilities.Bounding, cap)
+		pspec.Capabilities.Effective = append(pspec.Capabilities.Effective, cap)
+		pspec.Capabilities.Inheritable = append(pspec.Capabilities.Inheritable, cap)
+		pspec.Capabilities.Permitted = append(pspec.Capabilities.Permitted, cap)
+		pspec.Capabilities.Ambient = append(pspec.Capabilities.Ambient, cap)
+	}
 	// We need to default this to false else it will inherit terminal as true
 	// from the container.
 	pspec.Terminal = false

test/e2e/exec_test.go

@@ -119,6 +119,21 @@ var _ = Describe("Podman exec", func() {
 		Expect(session.ExitCode()).To(Equal(100))
 	})
 
+	It("podman exec --privileged", func() {
+		hostCap := SystemExec("awk", []string{"/^CapEff/ { print $2 }", "/proc/self/status"})
+		Expect(hostCap.ExitCode()).To(Equal(0))
+
+		setup := podmanTest.RunTopContainer("test-privileged")
+		setup.WaitWithDefaultTimeout()
+		Expect(setup.ExitCode()).To(Equal(0))
+
+		session := podmanTest.Podman([]string{"exec", "--privileged", "test-privileged", "sh", "-c", "grep ^CapEff /proc/self/status | cut -f 2"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+
+		containerCapMatchesHost(session.OutputToString(), hostCap.OutputToString())
+	})
+
 	It("podman exec terminal doesn't hang", func() {
 		setup := podmanTest.Podman([]string{"run", "-dti", "--name", "test1", fedoraMinimal, "sleep", "+Inf"})
 		setup.WaitWithDefaultTimeout()