containers · rhatdan · Nov 5, 2017 · Nov 3, 2017 · baude · Nov 3, 2017
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"strings"
 
+	"github.com/docker/docker/daemon/caps"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/projectatomic/libpod/libpod"
@@ -15,6 +16,25 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func setupCapabilities(config *createConfig, configSpec *spec.Spec) error {
+	var err error
+	var caplist []string
+	if config.privileged {
+		caplist = caps.GetAllCapabilities()
+	} else {
+		caplist, err = caps.TweakCapabilities(defaultCapabilities(), config.capAdd, config.capDrop)
+		if err != nil {
+			return err
+		}
+	}
+
+	configSpec.Process.Capabilities.Bounding = caplist
+	configSpec.Process.Capabilities.Permitted = caplist
+	configSpec.Process.Capabilities.Inheritable = caplist
+	configSpec.Process.Capabilities.Effective = caplist
+	return nil
+}
+
 // Parses information needed to create a container into an OCI runtime spec
 func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 	configSpec := config.GetDefaultLinuxSpec()
@@ -30,9 +50,6 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 
 	configSpec.Process.Env = config.env
 
-	//TODO
-	// Need examples of capacity additions so I can load that properly
-
 	configSpec.Root.Readonly = config.readOnlyRootfs
 	configSpec.Hostname = config.hostname
 
@@ -110,8 +127,12 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
 		configSpec.Linux.Seccomp = &seccompConfig
 	}
 
+	// HANDLE CAPABILITIES
+	if err := setupCapabilities(config, &configSpec); err != nil {
+		return nil, err
+	}
+
 	/*
-				Capabilities: &configSpec.LinuxCapabilities{
 				// Rlimits []PosixRlimit // Where does this come from
 				// Type string
 				// Hard uint64

diff --git a/test/kpod_run.bats b/test/kpod_run.bats
@@ -36,3 +36,23 @@ ALPINE="docker.io/library/alpine:latest"
     [ "$status" -eq 0 ]
 
 }
+
+@test "run selinux test" {
+
+    run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-add all ${ALPINE} cat /proc/self/status
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-add sys_admin ${ALPINE} cat /proc/self/status
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-drop all ${ALPINE} cat /proc/self/status
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+    run ${KPOD_BINARY} ${KPOD_OPTIONS} run --cap-drop setuid ${ALPINE} cat /proc/self/status
+    echo "$output"
+    [ "$status" -eq 0 ]
+
+}
diff --git a/vendor/github.com/docker/docker/daemon/caps/utils_unix.go b/vendor/github.com/docker/docker/daemon/caps/utils_unix.go
diff --git a/vendor/github.com/docker/docker/hack/README.md b/vendor/github.com/docker/docker/hack/README.md
diff --git a/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/README.md b/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/README.md
diff --git a/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/agent/vendor.conf b/vendor/github.com/docker/docker/hack/integration-cli-on-swarm/agent/vendor.conf