author | Fabricio Voznika <fvoznika@google.com> | 2018-09-05 18:31:37 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-09-05 18:32:50 -0700 |
commit | 5f0002fc83a77a39d9a2ef1443bc6c18e22ea779 (patch) | |
tree | 136393f0552951b5da1399c8bb4161eea0e3b156 /runsc/cmd | |
parent | 41b56696c4923276c6269812bb3dfa7643dab65d (diff) |
Use container's capabilities in exec
When no capabilities are specified in exec, use the
container's capabilities to match runc's behavior.
PiperOrigin-RevId: 211735186
Change-Id: Icd372ed64410c81144eae94f432dffc9fe3a86ce
Diffstat (limited to 'runsc/cmd')
-rw-r--r-- | runsc/cmd/exec.go | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/runsc/cmd/exec.go b/runsc/cmd/exec.go
index 966d2e258..da1642c08 100644
--- a/runsc/cmd/exec.go
+++ b/runsc/cmd/exec.go
@@ -115,16 +115,22 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 Fatalf("error loading sandbox: %v", err)
 }
+ // Replace empty settings with defaults from container.
 if e.WorkingDirectory == "" {
 e.WorkingDirectory = c.Spec.Process.Cwd
 }
-
 if e.Envv == nil {
 e.Envv, err = resolveEnvs(c.Spec.Process.Env, ex.env)
 if err != nil {
 Fatalf("error getting environment variables: %v", err)
 }
 }
+ if e.Capabilities == nil {
+ e.Capabilities, err = specutils.Capabilities(c.Spec.Process.Capabilities)
+ if err != nil {
+ Fatalf("error creating capabilities: %v", err)
+ }
+ }
 // containerd expects an actual process to represent the container being
 // executed. If detach was specified, starts a child in non-detach mode,
@@ -265,9 +271,13 @@ func (ex *Exec) argsFromCLI(argv []string) (*control.ExecArgs, error) {
 extraKGIDs = append(extraKGIDs, auth.KGID(kgid))
 }
- caps, err := capabilities(ex.caps)
- if err != nil {
- return nil, fmt.Errorf("capabilities error: %v", err)
+ var caps *auth.TaskCapabilities
+ if len(ex.caps) > 0 {
+ var err error
+ caps, err = capabilities(ex.caps)
+ if err != nil {
+ return nil, fmt.Errorf("capabilities error: %v", err)
+ }
 }
 return &control.ExecArgs{
@@ -299,9 +309,13 @@ func (ex *Exec) argsFromProcessFile() (*control.ExecArgs, error) {
 // to ExecArgs.
 func argsFromProcess(p *specs.Process) (*control.ExecArgs, error) {
 // Create capabilities.
- caps, err := specutils.Capabilities(p.Capabilities)
- if err != nil {
- return nil, fmt.Errorf("error creating capabilities: %v", err)
+ var caps *auth.TaskCapabilities
+ if p.Capabilities != nil {
+ var err error
+ caps, err = specutils.Capabilities(p.Capabilities)
+ if err != nil {
+ return nil, fmt.Errorf("error creating capabilities: %v", err)
+ }
 }
 // Convert the spec's additional GIDs to KGIDs. |
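Review bot: The fallback at `if e.Capabilities == nil` in Execute makes a nil capability set mean "inherit everything the container has", yet the added comment only says "empty settings", and this default decides the privileges of the exec'd process. I would state it at the check, e.g. `// nil means no capabilities were requested: inherit the container's set, as runc does.` The hunk also does not show what `specutils.Capabilities` returns when `c.Spec.Process.Capabilities` is itself nil (a spec without a capabilities block); if that can be nil, `e.Capabilities` stays nil after this block, so it is worth confirming that whatever consumes it treats nil as an empty set rather than a full one. Execute's body starts and ends outside the hunk.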
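Review bot: The guard `len(ex.caps) > 0` in argsFromCLI and the guard `p.Capabilities != nil` in argsFromProcess (third hunk) draw the line between "inherit" and "explicit" differently, and neither is documented. From the CLI there is no longer a way to request an empty capability set, while a process file carrying an empty `capabilities` object presumably still produces a non-nil result that Execute will not replace with the container's set. Because that difference decides whether the new process drops or inherits capabilities, I would add a comment at each guard, e.g. `// Leave caps nil when none are given so that Execute inherits the container's capabilities.`, and mention the empty-object case in argsFromProcess's doc comment. Both function bodies continue outside their hunks.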