Properly handle default capabilities listed in containers.conf

If user/admin specifies a different list of default capabilties we need to honor these. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-10-20 12:43:58 +08:00 · 2020-04-30 08:40:01 -04:00
parent 730fbc7628
commit 4a2765c498
4 changed files with 49 additions and 84 deletions
--- a/vendor/github.com/containers/buildah/imagebuildah/executor.go
+++ b/vendor/github.com/containers/buildah/imagebuildah/executor.go
@ -113,7 +113,10 @@ func NewExecutor(store storage.Store, options BuildOptions, mainNode *parser.Nod
 	if err != nil {
 		return nil, err
 	}
-	capabilities := defaultContainerConfig.Capabilities("", options.AddCapabilities, options.DropCapabilities)
+	capabilities, err := defaultContainerConfig.Capabilities("", options.AddCapabilities, options.DropCapabilities)
+	if err != nil {
+		return nil, err
+	}

 	devices := []configs.Device{}
 	for _, device := range append(defaultContainerConfig.Containers.Devices, options.Devices...) {
--- a/vendor/github.com/containers/common/pkg/config/config.go
+++ b/vendor/github.com/containers/common/pkg/config/config.go
@ -709,7 +709,7 @@ func (c *Config) GetDefaultEnv() []string {

 // Capabilities returns the capabilities parses the Add and Drop capability
 // list from the default capabiltiies for the container
-func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) []string {
+func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []string) ([]string, error) {

 	userNotRoot := func(user string) bool {
 		if user == "" || user == "root" || user == "0" {
@ -718,36 +718,12 @@ func (c *Config) Capabilities(user string, addCapabilities, dropCapabilities []s
 		return true
 	}

-	var caps []string
 	defaultCapabilities := c.Containers.DefaultCapabilities
 	if userNotRoot(user) {
 		defaultCapabilities = []string{}
 	}

-	mapCap := make(map[string]bool, len(defaultCapabilities))
-	for _, c := range addCapabilities {
-		if strings.ToLower(c) == "all" {
-			defaultCapabilities = capabilities.AllCapabilities()
-			addCapabilities = nil
-			break
-		}
-	}
-
-	for _, c := range append(defaultCapabilities, addCapabilities...) {
-		mapCap[c] = true
-	}
-	for _, c := range dropCapabilities {
-		if "all" == strings.ToLower(c) {
-			return caps
-		}
-		mapCap[c] = false
-	}
-	for cap, add := range mapCap {
-		if add {
-			caps = append(caps, cap)
-		}
-	}
-	return caps
+	return capabilities.MergeCapabilities(defaultCapabilities, addCapabilities, dropCapabilities)
 }

 // Device parses device mapping string to a src, dest & permissions string