github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #5017 from AkihiroSuda/parse-cap

Browse Source 
oci.WithPrivileged: set the current caps, not the known caps
This commit is contained in:
Phil Estes
2021-02-23 09:10:57 -05:00
committed by GitHub
parent 9173d3e929 51f985cb1f
commit 757be0a090
13 changed files with 530 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/cri/server/container_create_linux.go
View File

@@ -217,10 +217,12 @@ func (c *criService) containerSpec(
specOpts = append(specOpts, oci.WithHostDevices, oci.WithAllDevicesAllowed)
} else {
// add requested devices by the config as host devices are not automatically added
specOpts = append(specOpts, customopts.WithDevices(c.os, config), customopts.WithCapabilities(securityContext))
specOpts = append(specOpts, customopts.WithDevices(c.os, config),
customopts.WithCapabilities(securityContext, c.allCaps))
}
} else { // not privileged
specOpts = append(specOpts, customopts.WithDevices(c.os, config), customopts.WithCapabilities(securityContext))
specOpts = append(specOpts, customopts.WithDevices(c.os, config),
customopts.WithCapabilities(securityContext, c.allCaps))
}
// Clear all ambient capabilities. The implication of non-root + caps