Add WithAmbientCapabilities opt

Closes #2516 This can be used for non-root users binding to low ports. Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2018-08-27 16:35:27 -04:00
parent 0a3f87ec2e
commit 4b9b3e8fc9
2 changed files with 129 additions and 0 deletions
--- a/oci/spec_opts_unix.go
+++ b/oci/spec_opts_unix.go
@@ -486,6 +486,18 @@ func getAllCapabilities() []string {
 	return caps
 }

+// WithAmbientCapabilities set the Linux ambient capabilities for the process
+// Ambient capabilities should only be set for non-root users or the caller should
+// understand how these capabilities are used and set
+func WithAmbientCapabilities(caps []string) SpecOpts {
+	return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+		setCapabilities(s)
+
+		s.Process.Capabilities.Ambient = caps
+		return nil
+	}
+}
+
 var errNoUsersFound = errors.New("no users found")

 func getUIDGIDFromPath(root string, filter func(user.User) bool) (uid, gid uint32, err error) {