From 5f0002fc83a77a39d9a2ef1443bc6c18e22ea779 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika <fvoznika@google.com>
Date: Wed, 5 Sep 2018 18:31:37 -0700
Subject: Use container's capabilities in exec

When no capabilities are specified in exec, use the
container's capabilities to match runc's behavior.

PiperOrigin-RevId: 211735186
Change-Id: Icd372ed64410c81144eae94f432dffc9fe3a86ce
---
 runsc/cmd/exec.go | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

(limited to 'runsc/cmd')

diff --git a/runsc/cmd/exec.go b/runsc/cmd/exec.go
index 966d2e258..da1642c08 100644
--- a/runsc/cmd/exec.go
+++ b/runsc/cmd/exec.go
@@ -115,16 +115,22 @@ func (ex *Exec) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
 		Fatalf("error loading sandbox: %v", err)
 	}
 
+	// Replace empty settings with defaults from container.
 	if e.WorkingDirectory == "" {
 		e.WorkingDirectory = c.Spec.Process.Cwd
 	}
-
 	if e.Envv == nil {
 		e.Envv, err = resolveEnvs(c.Spec.Process.Env, ex.env)
 		if err != nil {
 			Fatalf("error getting environment variables: %v", err)
 		}
 	}
+	if e.Capabilities == nil {
+		e.Capabilities, err = specutils.Capabilities(c.Spec.Process.Capabilities)
+		if err != nil {
+			Fatalf("error creating capabilities: %v", err)
+		}
+	}
 
 	// containerd expects an actual process to represent the container being
 	// executed. If detach was specified, starts a child in non-detach mode,
@@ -265,9 +271,13 @@ func (ex *Exec) argsFromCLI(argv []string) (*control.ExecArgs, error) {
 		extraKGIDs = append(extraKGIDs, auth.KGID(kgid))
 	}
 
-	caps, err := capabilities(ex.caps)
-	if err != nil {
-		return nil, fmt.Errorf("capabilities error: %v", err)
+	var caps *auth.TaskCapabilities
+	if len(ex.caps) > 0 {
+		var err error
+		caps, err = capabilities(ex.caps)
+		if err != nil {
+			return nil, fmt.Errorf("capabilities error: %v", err)
+		}
 	}
 
 	return &control.ExecArgs{
@@ -299,9 +309,13 @@ func (ex *Exec) argsFromProcessFile() (*control.ExecArgs, error) {
 // to ExecArgs.
 func argsFromProcess(p *specs.Process) (*control.ExecArgs, error) {
 	// Create capabilities.
-	caps, err := specutils.Capabilities(p.Capabilities)
-	if err != nil {
-		return nil, fmt.Errorf("error creating capabilities: %v", err)
+	var caps *auth.TaskCapabilities
+	if p.Capabilities != nil {
+		var err error
+		caps, err = specutils.Capabilities(p.Capabilities)
+		if err != nil {
+			return nil, fmt.Errorf("error creating capabilities: %v", err)
+		}
 	}
 
 	// Convert the spec's additional GIDs to KGIDs.
-- 
cgit v1.2.3