Prevent CAP_NET_RAW from appearing in exec

'docker exec' was getting CAP_NET_RAW even when --net-raw=false because it was not filtered out from when copying container's capabilities. PiperOrigin-RevId: 272260451
author: Fabricio Voznika <fvoznika@google.com> 2019-10-01 11:48:24 -0700
committer: gVisor bot <gvisor-bot@google.com> 2019-10-01 11:49:49 -0700
commit: 0b02c3d5e5bae87f5cdbf4ae20dad8344bef32c2 (patch)
tree: a5c60e3e55bbfc6807eabd8a219318d6446d9cd4 /runsc/cmd/exec_test.go
parent: 53cc72da90f5b5a76b024b47fe4e38a81b495eb4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/runsc/cmd/exec_test.go b/runsc/cmd/exec_test.go
index eb38a431f..a1e980d08 100644
--- a/runsc/cmd/exec_test.go
+++ b/runsc/cmd/exec_test.go
@@ -91,7 +91,7 @@ func TestCLIArgs(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		e, err := tc.ex.argsFromCLI(tc.argv)
+		e, err := tc.ex.argsFromCLI(tc.argv, true)
 		if err != nil {
 			t.Errorf("argsFromCLI(%+v): got error: %+v", tc.ex, err)
 		} else if !cmp.Equal(*e, tc.expected, cmpopts.IgnoreUnexported(os.File{})) {
@@ -144,7 +144,7 @@ func TestJSONArgs(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		e, err := argsFromProcess(&tc.p)
+		e, err := argsFromProcess(&tc.p, true)
 		if err != nil {
 			t.Errorf("argsFromProcess(%+v): got error: %+v", tc.p, err)
 		} else if !cmp.Equal(*e, tc.expected, cmpopts.IgnoreUnexported(os.File{})) {
author	Fabricio Voznika <fvoznika@google.com>	2019-10-01 11:48:24 -0700
committer	gVisor bot <gvisor-bot@google.com>	2019-10-01 11:49:49 -0700
commit	0b02c3d5e5bae87f5cdbf4ae20dad8344bef32c2 (patch)
tree	a5c60e3e55bbfc6807eabd8a219318d6446d9cd4 /runsc/cmd/exec_test.go
parent	53cc72da90f5b5a76b024b47fe4e38a81b495eb4 (diff)