Add ambient and bounding capability support

crosbymichael · crosbymichael · commit 1223f59a6cb0 · 2017-02-02T16:43:53.000-08:00
Closes opencontainers#668 Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
diff --git a/config.md b/config.md
@@ -131,8 +131,11 @@ See links for details about [mountvol](http://ss64.com/nt/mountvol.html) and [Se
 
 For Linux-based systems the process structure supports the following process specific fields:
 
-* **`capabilities`** (array of strings, OPTIONAL) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container.
+* **`capabilities`** (object, OPTIONAL) capabilities is a whitelist of capabilities for the bounding and ambient sets for Linux processes.
   Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html).
+  capabilities contains the following properties:
+    * **`bounding`** (array of strings, OPTIONAL) - the 'bounding' field is the whitelist of bounding capabilities that are kept for the process.
+    * **`ambient`** (array of strings, OPTIONAL) - the 'ambient' field is the whitelist of ambient capabilities that are kept for the process.
 * **`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
   Each entry has the following structure:
 
@@ -189,11 +192,15 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
     "apparmorProfile": "acme_secure_profile",
     "selinuxLabel": "system_u:system_r:svirt_lxc_net_t:s0:c124,c675",
     "noNewPrivileges": true,
-    "capabilities": [
-        "CAP_AUDIT_WRITE",
-        "CAP_KILL",
-        "CAP_NET_BIND_SERVICE"
-    ],
+    "capabilities": {
+        "bounding": [
+            "CAP_AUDIT_WRITE",
+            "CAP_KILL",
+        ],
+        "ambient": [
+            "CAP_NET_BIND_SERVICE"
+        ]
+    },
     "rlimits": [
         {
             "type": "RLIMIT_NOFILE",
@@ -443,11 +450,15 @@ Here is a full example `config.json` for reference.
             "TERM=xterm"
         ],
         "cwd": "/",
-        "capabilities": [
-            "CAP_AUDIT_WRITE",
-            "CAP_KILL",
-            "CAP_NET_BIND_SERVICE"
-        ],
+        "capabilities": {
+            "bounding": [
+                "CAP_AUDIT_WRITE",
+                "CAP_KILL",
+            ],
+            "ambient": [
+                "CAP_NET_BIND_SERVICE"
+            ]
+        },
         "rlimits": [
             {
                 "type": "RLIMIT_CORE",
diff --git a/schema/config-schema.json b/schema/config-schema.json
@@ -135,9 +135,22 @@
                 },
                 "capabilities": {
                     "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities",
-                    "type": "array",
-                    "items": {
-                        "$ref": "defs-linux.json#/definitions/Capability"
+                    "type": "object",
+                    "properties": {
+                        "bounding": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/bounding",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        },
+                        "ambient": {
+                            "id": "https://opencontainers.org/schema/bundle/process/linux/capabilities/ambient",
+                            "type": "array",
+                            "items": {
+                                "$ref": "defs-linux.json#/definitions/Capability"
+                            }
+                        }
                     }
                 },
                 "apparmorProfile": {
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -78,7 +78,7 @@
             }
         },
         "Capability": {
-            "description": "Linux process permissions",
+            "description": "Linux process capabilities",
             "type": "string",
             "pattern": "^CAP_([A-Z]|_)+$"
         },
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -44,8 +44,8 @@ type Process struct {
 	// Cwd is the current working directory for the process and must be
 	// relative to the container's root.
 	Cwd string `json:"cwd"`
-	// Capabilities are Linux capabilities that are kept for the container.
-	Capabilities []string `json:"capabilities,omitempty" platform:"linux"`
+	// Capabilities are Linux capabilities that are kept for the process.
+	Capabilities *LinuxCapabilities `json:"capabilities,omitempty" platform:"linux"`
 	// Rlimits specifies rlimit options to apply to the process.
 	Rlimits []LinuxRlimit `json:"rlimits,omitempty" platform:"linux"`
 	// NoNewPrivileges controls whether additional privileges could be gained by processes in the container.
@@ -56,6 +56,14 @@ type Process struct {
 	SelinuxLabel string `json:"selinuxLabel,omitempty" platform:"linux"`
 }
 
+// LinuxCapabilities specifies the whitelist of capabilities that are kept for a process.
+type LinuxCapabilities struct {
+	// Bounding is the bounding set of capabilities that are kept.
+	Bounding []string `json:"bounding,omitempty" platform:"linux"`
+	// Ambient are the ambient set of capabilities that are kept.
+	Ambient []string `json:"ambient,omitempty" platform:"linux"`
+}
+
 // Box specifies dimensions of a rectangle. Used for specifying the size of a console.
 type Box struct {
 	// Height is the vertical dimension of a box.

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@`
`78`	`78`	`}`
`79`	`79`	`},`
`80`	`80`	`"Capability": {`
`81`		`- "description": "Linux process permissions",`
	`81`	`+ "description": "Linux process capabilities",`
`82`	`82`	`"type": "string",`
`83`	`83`	`"pattern": "^CAP_([A-Z]\|_)+$"`
`84`	`84`	`},`