// Source: github.com/dougm/docker@v1.5.0/daemon/execdriver/utils.go

package execdriver

import (
	"fmt"
	"strings"

	"github.com/docker/docker/utils"
	"github.com/docker/libcontainer/security/capabilities"
)

// TweakCapabilities computes the capability list for a container from a
// baseline set (basics) plus the requested additions (adds) and removals
// (drops). Names in the result are upper-cased.
//
// Resolution order, as implemented below:
//
//  1. Every entry in drops other than "all" must appear in
//     capabilities.GetAllCapabilities(); otherwise an error is returned.
//  2. If adds contains "all", the baseline is replaced by the full list from
//     capabilities.GetAllCapabilities().
//  3. Unless drops contains "all", each baseline entry not listed in drops is
//     kept. If drops contains "all", the baseline is discarded entirely.
//  4. Each entry in adds other than "all" is validated against the full list
//     and appended if it is not already present.
//
// Security-relevant consequences of that order:
//
//   - An explicit add is applied after the drops, so a capability named in
//     both adds and drops ends up granted; no error or warning is produced for
//     the contradiction.
//   - adds "all" combined with drops "all" yields only the explicitly named
//     adds (an empty list if there are none).
//   - Entries in basics are not checked against the known-capability list;
//     only adds and drops are. The baseline is trusted as given.
//   - This function only validates names. It applies no policy on which
//     capabilities a caller may request, so any such restriction has to be
//     enforced before adds reaches this point.
//
// Membership tests go through utils.StringsContainsNoCase (helper not shown
// here; by its name the comparison ignores case).
func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
	known := capabilities.GetAllCapabilities()
	isAll := func(name string) bool { return strings.EqualFold(name, "all") }

	// Reject unknown names in the drop list before doing anything else, so a
	// typo in a drop fails loudly instead of silently leaving the capability
	// in place.
	for _, name := range drops {
		if isAll(name) {
			continue
		}
		if !utils.StringsContainsNoCase(known, name) {
			return nil, fmt.Errorf("Unknown capability drop: %q", name)
		}
	}

	// --cap-add=all: start from every known capability instead of the
	// caller-supplied baseline.
	if utils.StringsContainsNoCase(adds, "all") {
		basics = capabilities.GetAllCapabilities()
	}

	var result []string

	// Without a drop of `all`, carry over each baseline capability that was
	// not individually dropped. With a drop of `all`, nothing is carried over.
	if !utils.StringsContainsNoCase(drops, "all") {
		for _, name := range basics {
			// A literal `all` entry is never emitted as a capability name.
			if isAll(name) || utils.StringsContainsNoCase(drops, name) {
				continue
			}
			result = append(result, strings.ToUpper(name))
		}
	}

	// Explicit adds are applied last and therefore take precedence over drops.
	for _, name := range adds {
		// `all` was already expanded into the baseline above.
		if isAll(name) {
			continue
		}
		if !utils.StringsContainsNoCase(known, name) {
			return nil, fmt.Errorf("Unknown capability to add: %q", name)
		}
		// Avoid duplicating a capability the baseline already contributed.
		if utils.StringsContainsNoCase(result, name) {
			continue
		}
		result = append(result, strings.ToUpper(name))
	}

	return result, nil
}