libct: straighten Caps inheritance

kolyshkin · kolyshkin · commit 181bd4b912e7 · 2025-01-07T19:32:27.000-08:00
For all other properties that are available in both Config and Process,
the merging is performed by newInitConfig.

Let's do the same for Capabilities for the sake of code uniformity.

While at it, allow nil capabilities to be passed (this is covered by the
test case

Signed-off-by: Kir Kolyshkin &lt;kolyshkin@gmail.com&gt;
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
@@ -45,6 +45,9 @@ func KnownCapabilities() []string {
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
 	var c Caps
+	if capConfig == nil {
+		return &c, nil
+	}
 
 	_, err := capMap()
 	if err != nil {
diff --git a/libcontainer/container_linux.go b/libcontainer/container_linux.go
@@ -691,7 +691,7 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 		User:             process.User,
 		AdditionalGroups: process.AdditionalGroups,
 		Cwd:              process.Cwd,
-		Capabilities:     process.Capabilities,
+		Capabilities:     c.config.Capabilities,
 		PassedFilesCount: len(process.ExtraFiles),
 		ContainerID:      c.ID(),
 		NoNewPrivileges:  c.config.NoNewPrivileges,
@@ -707,6 +707,9 @@ func (c *Container) newInitConfig(process *Process) *initConfig {
 
 	// Overwrite config properties with ones from process.
 
+	if process.Capabilities != nil {
+		cfg.Capabilities = process.Capabilities
+	}
 	if process.NoNewPrivileges != nil {
 		cfg.NoNewPrivileges = *process.NoNewPrivileges
 	}
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -351,13 +351,7 @@ func finalizeNamespace(config *initConfig) error {
 		}
 	}
 
-	caps := &configs.Capabilities{}
-	if config.Capabilities != nil {
-		caps = config.Capabilities
-	} else if config.Config.Capabilities != nil {
-		caps = config.Config.Capabilities
-	}
-	w, err := capabilities.New(caps)
+	w, err := capabilities.New(config.Capabilities)
 	if err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -351,13 +351,7 @@ func finalizeNamespace(config *initConfig) error {`
`351`	`351`	`}`
`352`	`352`	`}`
`353`	`353`
`354`		`- caps := &configs.Capabilities{}`
`355`		`- if config.Capabilities != nil {`
`356`		`- caps = config.Capabilities`
`357`		`- } else if config.Config.Capabilities != nil {`
`358`		`- caps = config.Config.Capabilities`
`359`		`- }`
`360`		`- w, err := capabilities.New(caps)`
	`354`	`+ w, err := capabilities.New(config.Capabilities)`
`361`	`355`	`if err != nil {`
`362`	`356`	`return err`
`363`	`357`	`}`