Add support for --cap-drop

ddl-ebrown · ddl-ebrown · commit b109714b8fa8 · 2023-10-24T11:20:52.000-07:00
- Support for --cap-add was added as part of #327 - This rounds out the feature set to also include support for --cap-drop - Updates tests to drop "chown" capability and verify doing so works - closes #389
diff --git a/README.md b/README.md
@@ -303,6 +303,8 @@ containerRunOptions:
     - OTHER_SECRET_BAR
   capabilities:                 # Add list of Linux capabilities (--cap-add)
     - NET_BIND_SERVICE
+  drop_capabilities:            # Drop list of Linux capabilities (--cap-drop)
+    - NET_BIND_SERVICE
   bindMounts:                   # Bind mount a volume (--volume, -v)
     - /etc/example/dir:/etc/dir
 ```
diff --git a/pkg/drivers/docker_driver.go b/pkg/drivers/docker_driver.go
@@ -19,13 +19,14 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"github.com/joho/godotenv"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 
+	"github.com/joho/godotenv"
+
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
@@ -66,17 +67,19 @@ func NewDockerDriver(args DriverConfig) (Driver, error) {
 func (d *DockerDriver) hostConfig() *docker.HostConfig {
 	if d.runOpts.IsSet() && d.runtime != "" {
 		return &docker.HostConfig{
-			Capabilities: d.runOpts.Capabilities,
-			Binds:        d.runOpts.BindMounts,
-			Privileged:   d.runOpts.Privileged,
-			Runtime:      d.runtime,
+			CapAdd:     d.runOpts.CapAdd,
+			CapDrop:    d.runOpts.CapDrop,
+			Binds:      d.runOpts.BindMounts,
+			Privileged: d.runOpts.Privileged,
+			Runtime:    d.runtime,
 		}
 	}
 	if d.runOpts.IsSet() {
 		return &docker.HostConfig{
-			Capabilities: d.runOpts.Capabilities,
-			Binds:        d.runOpts.BindMounts,
-			Privileged:   d.runOpts.Privileged,
+			CapAdd:     d.runOpts.CapAdd,
+			CapDrop:    d.runOpts.CapDrop,
+			Binds:      d.runOpts.BindMounts,
+			Privileged: d.runOpts.Privileged,
 		}
 	}
 	if d.runtime != "" {
diff --git a/pkg/types/unversioned/types.go b/pkg/types/unversioned/types.go
@@ -45,13 +45,14 @@ type Config struct {
 }
 
 type ContainerRunOptions struct {
-	User         string
-	Privileged   bool
-	TTY          bool     `yaml:"allocateTty"`
-	EnvVars      []string `yaml:"envVars"`
-	EnvFile      string   `yaml:"envFile"`
-	Capabilities []string
-	BindMounts   []string `yaml:"bindMounts"`
+	User       string
+	Privileged bool
+	TTY        bool     `yaml:"allocateTty"`
+	EnvVars    []string `yaml:"envVars"`
+	EnvFile    string   `yaml:"envFile"`
+	CapAdd     []string `yaml:"capabilities"`
+	CapDrop    []string `yaml:"drop_capabilities"`
+	BindMounts []string `yaml:"bindMounts"`
 }
 
 func (opts *ContainerRunOptions) IsSet() bool {
@@ -60,7 +61,8 @@ func (opts *ContainerRunOptions) IsSet() bool {
 		opts.TTY ||
 		len(opts.EnvFile) > 0 ||
 		(opts.EnvVars != nil && len(opts.EnvVars) > 0) ||
-		(opts.Capabilities != nil && len(opts.Capabilities) > 0) ||
+		(opts.CapAdd != nil && len(opts.CapAdd) > 0) ||
+		(opts.CapDrop != nil && len(opts.CapDrop) > 0) ||
 		(opts.BindMounts != nil && len(opts.BindMounts) > 0)
 }
 
diff --git a/tests/amd64/ubuntu_20_04_containeropts_test.yaml b/tests/amd64/ubuntu_20_04_containeropts_test.yaml
@@ -5,6 +5,8 @@ commandTests:
   args: ["--print"]
   expectedOutput:
     - ".*cap_sys_admin.*"
+  excludedOutput:
+    - ".*chown.*"
 - name: "Test bindMounts containerRunOptions"
   command: "test"
   args:
@@ -15,5 +17,7 @@ containerRunOptions:
   privileged: true
   capabilities:
     - "sys_admin"
+  drop_capabilities:
+    - "chown"
   bindMounts:
     - "/tmp/test:/tmp/test"
diff --git a/tests/arm64/ubuntu_20_04_containeropts_test.yaml b/tests/arm64/ubuntu_20_04_containeropts_test.yaml
@@ -5,6 +5,8 @@ commandTests:
   args: ["--print"]
   expectedOutput:
     - ".*cap_sys_admin.*"
+  excludedOutput:
+    - ".*chown.*"
 - name: "Test bindMounts containerRunOptions"
   command: "test"
   args:
@@ -15,5 +17,7 @@ containerRunOptions:
   privileged: true
   capabilities:
     - "sys_admin"
+  drop_capabilities:
+    - "chown"
   bindMounts:
     - "/tmp/test:/tmp/test"
diff --git a/tests/ppc64le/ubuntu_20_04_containeropts_test.yaml b/tests/ppc64le/ubuntu_20_04_containeropts_test.yaml
@@ -5,6 +5,8 @@ commandTests:
   args: ["--print"]
   expectedOutput:
     - ".*cap_sys_admin.*"
+  excludedOutput:
+    - ".*chown.*"
 - name: "Test bindMounts containerRunOptions"
   command: "test"
   args:
@@ -15,5 +17,7 @@ containerRunOptions:
   privileged: true
   capabilities:
     - "sys_admin"
+  drop_capabilities:
+    - "chown"
   bindMounts:
     - "/tmp/test:/tmp/test"
diff --git a/tests/s390x/ubuntu_20_04_containeropts_test.yaml b/tests/s390x/ubuntu_20_04_containeropts_test.yaml
@@ -5,6 +5,8 @@ commandTests:
   args: ["--print"]
   expectedOutput:
     - ".*cap_sys_admin.*"
+  excludedOutput:
+    - ".*chown.*"
 - name: "Test bindMounts containerRunOptions"
   command: "test"
   args:
@@ -15,5 +17,7 @@ containerRunOptions:
   privileged: true
   capabilities:
     - "sys_admin"
+  drop_capabilities:
+    - "chown"
   bindMounts:
     - "/tmp/test:/tmp/test"
