authorFabricio Voznika <fvoznika@google.com>2018-09-05 18:31:37 -0700
committerShentubot <shentubot@google.com>2018-09-05 18:32:50 -0700
commit5f0002fc83a77a39d9a2ef1443bc6c18e22ea779 (patch)
tree136393f0552951b5da1399c8bb4161eea0e3b156 /runsc/cmd
parent41b56696c4923276c6269812bb3dfa7643dab65d (diff)
Use container's capabilities in exec
When no capabilities are specified in exec, use the container's capabilities to match runc's behavior. PiperOrigin-RevId: 211735186 Change-Id: Icd372ed64410c81144eae94f432dffc9fe3a86ce
Diffstat (limited to 'runsc/cmd')
-rw-r--r--runsc/cmd/exec.go28
1 files changed, 21 insertions, 7 deletions
diff --git a/runsc/cmd/exec.go b/runsc/cmd/exec.go
index 966d2e258..da1642c08 100644
--- a/runsc/cmd/exec.go
+++ b/runsc/cmd/exec.go
@@ -115,16 +115,22 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
Fatalf("error loading sandbox: %v", err)
}
+ // Replace empty settings with defaults from container.
if e.WorkingDirectory == "" {
e.WorkingDirectory = c.Spec.Process.Cwd
}
-
if e.Envv == nil {
e.Envv, err = resolveEnvs(c.Spec.Process.Env, ex.env)
if err != nil {
Fatalf("error getting environment variables: %v", err)
}
}
+ if e.Capabilities == nil {
+ e.Capabilities, err = specutils.Capabilities(c.Spec.Process.Capabilities)
+ if err != nil {
+ Fatalf("error creating capabilities: %v", err)
+ }
+ }
// containerd expects an actual process to represent the container being
// executed. If detach was specified, starts a child in non-detach mode,
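Review bot: The new fallback makes `e.Capabilities == nil` the only signal for "capabilities were not specified", and nothing next to the check documents that a non-nil but empty set is left untouched and so runs the process with no capabilities. Because this changes what an exec'd process is granted by default (the container's set, per the commit message), I would state the contract at the check, e.g. `// nil means unspecified: inherit the container's capabilities. A non-nil empty set is kept as "no capabilities".` The fallback also passes `c.Spec.Process.Capabilities` straight to `specutils.Capabilities`, whose handling of a nil argument (a spec with no capabilities section) is not visible here and is worth confirming. Execute's body starts and ends outside the hunk.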
@@ -265,9 +271,13 @@ func (ex *Exec) argsFromCLI(argv []string) (*control.ExecArgs, error) {
extraKGIDs = append(extraKGIDs, auth.KGID(kgid))
}
- caps, err := capabilities(ex.caps)
- if err != nil {
- return nil, fmt.Errorf("capabilities error: %v", err)
+ var caps *auth.TaskCapabilities
+ if len(ex.caps) > 0 {
+ var err error
+ caps, err = capabilities(ex.caps)
+ if err != nil {
+ return nil, fmt.Errorf("capabilities error: %v", err)
+ }
}
return &control.ExecArgs{
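Review bot: With `if len(ex.caps) > 0`, an empty `ex.caps` now leaves `caps` nil, so this path can no longer express "run with no capabilities" and always ends up with the container's set through the nil default applied in Execute. The process-file path in the third hunk keys on `p.Capabilities != nil` instead, so an empty capabilities object there presumably still yields an empty set; the two entry points differ in whether dropping everything is possible. A comment above the declaration would make that intentional, e.g. `// Leave caps nil when none are given so Execute falls back to the container's capabilities.` argsFromCLI starts and ends outside the hunk.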
@@ -299,9 +309,13 @@ func (ex *Exec) argsFromProcessFile() (*control.ExecArgs, error) {
// to ExecArgs.
func argsFromProcess(p *specs.Process) (*control.ExecArgs, error) {
// Create capabilities.
- caps, err := specutils.Capabilities(p.Capabilities)
- if err != nil {
- return nil, fmt.Errorf("error creating capabilities: %v", err)
+ var caps *auth.TaskCapabilities
+ if p.Capabilities != nil {
+ var err error
+ caps, err = specutils.Capabilities(p.Capabilities)
+ if err != nil {
+ return nil, fmt.Errorf("error creating capabilities: %v", err)
+ }
}
// Convert the spec's additional GIDs to KGIDs.