security: accept empty capabilities list

allow the image to specify an empty list of capabilities, currently
podman chokes when the io.containers.capabilities specified in an
image does not contain at least one capability.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

pkg/specgen/generate/security_linux.go

@@ -125,7 +125,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 				capsRequiredRequested = strings.Split(val, ",")
 			}
 		}
-		if !s.Privileged && len(capsRequiredRequested) > 0 {
+		if !s.Privileged && len(capsRequiredRequested) == 1 && capsRequiredRequested[0] == "" {
+			caplist = []string{}
+		} else if !s.Privileged && len(capsRequiredRequested) > 0 {
 			// Pass capRequiredRequested in CapAdd field to normalize capabilities names
 			capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
 			if err != nil {

test/e2e/run_security_labels_test.go

@@ -11,6 +11,23 @@ import (
 
 var _ = Describe("Podman generate kube", func() {
 
+	It("podman empty security labels", func() {
+		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
+		test1.WaitWithDefaultTimeout()
+		Expect(test1).Should(Exit(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", "test1"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+
+		ctr := inspect.InspectContainerToJSON()
+		Expect(ctr[0].EffectiveCaps).To(BeNil())
+
+		test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
+		test2.WaitWithDefaultTimeout()
+		Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))
+	})
+
 	It("podman security labels", func() {
 		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
 		test1.WaitWithDefaultTimeout()