Cli: Support --cap-add, --cap-drop and --privileged on services

olljanat · olljanat · commit 341dadfb26d4 · 2019-11-17T14:34:04.000+02:00
Signed-off-by: Olli Janatuinen &lt;olli.janatuinen@gmail.com&gt;
diff --git a/cli/command/service/create.go b/cli/command/service/create.go
@@ -65,6 +65,13 @@ func newCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.Var(&opts.sysctls, flagSysCtl, "Sysctl options")
 	flags.SetAnnotation(flagSysCtl, "version", []string{"1.40"})
 
+	flags.Var(newListOptsVar(), flagCapAdd, "Add Linux capabilities")
+	flags.SetAnnotation(flagCapAdd, "version", []string{"1.41"})
+	flags.Var(newListOptsVar(), flagCapDrop, "Drop Linux capabilities")
+	flags.SetAnnotation(flagCapDrop, "version", []string{"1.41"})
+	flags.Bool(flagPrivileged, false, "Give extended privileges to this container")
+	flags.SetAnnotation(flagPrivileged, "version", []string{"1.41"})
+
 	flags.Var(cliopts.NewListOptsRef(&opts.resources.resGenericResources, ValidateSingleGenericResource), "generic-resource", "User defined resources")
 	flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
 
diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go
@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
+	"github.com/docker/docker/oci/caps"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/api/defaults"
 	gogotypes "github.com/gogo/protobuf/types"
@@ -490,6 +491,7 @@ type serviceOptions struct {
 	hostname        string
 	env             opts.ListOpts
 	envFile         opts.ListOpts
+	capabilities    opts.ListOpts
 	workdir         string
 	user            string
 	groups          opts.ListOpts
@@ -539,6 +541,7 @@ func newServiceOptions() *serviceOptions {
 		containerLabels: opts.NewListOpts(opts.ValidateLabel),
 		env:             opts.NewListOpts(opts.ValidateEnv),
 		envFile:         opts.NewListOpts(nil),
+		capabilities:    opts.NewListOpts(nil),
 		groups:          opts.NewListOpts(nil),
 		logDriver:       newLogDriverOptions(),
 		dns:             opts.NewListOpts(opts.ValidateIPAddress),
@@ -579,6 +582,44 @@ func (options *serviceOptions) ToStopGracePeriod(flags *pflag.FlagSet) *time.Dur
 	return nil
 }
 
+func (options *serviceOptions) ToCapabilities(flags *pflag.FlagSet) ([]string, error) {
+	if flags.Changed(flagCapAdd) || flags.Changed(flagCapDrop) || flags.Changed(flagPrivileged) {
+		privileged, err := strconv.ParseBool(flags.Lookup(flagPrivileged).Value.String())
+		if err != nil {
+			return nil, err
+		}
+		capAdd := flags.Lookup(flagCapAdd).Value.(*opts.ListOpts).GetAll()
+		capDrop := flags.Lookup(flagCapDrop).Value.(*opts.ListOpts).GetAll()
+
+		defaultCapabilities := []string{
+			"CAP_CHOWN",
+			"CAP_DAC_OVERRIDE",
+			"CAP_FSETID",
+			"CAP_FOWNER",
+			"CAP_MKNOD",
+			"CAP_NET_RAW",
+			"CAP_SETGID",
+			"CAP_SETUID",
+			"CAP_SETFCAP",
+			"CAP_SETPCAP",
+			"CAP_NET_BIND_SERVICE",
+			"CAP_SYS_CHROOT",
+			"CAP_KILL",
+			"CAP_AUDIT_WRITE",
+		}
+		capabilities := []string{}
+		if privileged || len(capAdd) > 0 || len(capDrop) > 0 {
+			capabilities, err := caps.TweakCapabilities(defaultCapabilities, capAdd, capDrop, nil, privileged)
+			if err != nil {
+				return nil, err
+			}
+			return capabilities, nil
+		}
+		return capabilities, nil
+	}
+	return nil, nil
+}
+
 func (options *serviceOptions) ToService(ctx context.Context, apiClient client.NetworkAPIClient, flags *pflag.FlagSet) (swarm.ServiceSpec, error) {
 	var service swarm.ServiceSpec
 
@@ -628,6 +669,11 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 		return service, err
 	}
 
+	capabilities, err := options.ToCapabilities(flags)
+	if err != nil {
+		return service, err
+	}
+
 	service = swarm.ServiceSpec{
 		Annotations: swarm.Annotations{
 			Name:   options.name,
@@ -659,6 +705,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N
 				Healthcheck:     healthConfig,
 				Isolation:       container.Isolation(options.isolation),
 				Sysctls:         opts.ConvertKVStringsToMap(options.sysctls.GetAll()),
+				Capabilities:    capabilities,
 			},
 			Networks:      networks,
 			Resources:     resources,
@@ -841,6 +888,8 @@ const (
 	flagPlacementPref           = "placement-pref"
 	flagPlacementPrefAdd        = "placement-pref-add"
 	flagPlacementPrefRemove     = "placement-pref-rm"
+	flagCapAdd                  = "cap-add"
+	flagCapDrop                 = "cap-drop"
 	flagConstraint              = "constraint"
 	flagConstraintRemove        = "constraint-rm"
 	flagConstraintAdd           = "constraint-add"
@@ -886,6 +935,7 @@ const (
 	flagNetwork                 = "network"
 	flagNetworkAdd              = "network-add"
 	flagNetworkRemove           = "network-rm"
+	flagPrivileged              = "privileged"
 	flagPublish                 = "publish"
 	flagPublishRemove           = "publish-rm"
 	flagPublishAdd              = "publish-add"
diff --git a/cli/command/service/opts_test.go b/cli/command/service/opts_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/oci/caps"
 	"gotest.tools/assert"
 	is "gotest.tools/assert/cmp"
 )
@@ -300,3 +301,48 @@ func TestToServiceSysCtls(t *testing.T) {
 	assert.NilError(t, err)
 	assert.Check(t, is.DeepEqual(service.TaskTemplate.ContainerSpec.Sysctls, expected))
 }
+
+func TestToServiceCapAddAndCapDrop(t *testing.T) {
+	o := newServiceOptions()
+	o.mode = "replicated"
+
+	flags := newCreateCommand(nil).Flags()
+	flags.Set("cap-add", "SYS_NICE")
+	flags.Set("cap-add", "CAP_NET_ADMIN")
+	flags.Set("cap-drop", "CHOWN")
+	flags.Set("cap-drop", "DAC_OVERRIDE")
+	flags.Set("cap-drop", "CAP_FSETID")
+	flags.Set("cap-drop", "CAP_FOWNER")
+
+	expected := []string{
+		"CAP_MKNOD",
+		"CAP_NET_RAW",
+		"CAP_SETGID",
+		"CAP_SETUID",
+		"CAP_SETFCAP",
+		"CAP_SETPCAP",
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_CHROOT",
+		"CAP_KILL",
+		"CAP_AUDIT_WRITE",
+		"CAP_SYS_NICE",
+		"CAP_NET_ADMIN",
+	}
+
+	service, err := o.ToService(context.Background(), &fakeClient{}, flags)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(service.TaskTemplate.ContainerSpec.Capabilities, expected))
+}
+
+func TestToServicePrivileged(t *testing.T) {
+	o := newServiceOptions()
+	o.mode = "replicated"
+
+	flags := newCreateCommand(nil).Flags()
+	flags.Set("privileged", "true")
+
+	expected := caps.GetAllCapabilities()
+	service, err := o.ToService(context.Background(), &fakeClient{}, flags)
+	assert.NilError(t, err)
+	assert.Check(t, is.DeepEqual(service.TaskTemplate.ContainerSpec.Capabilities, expected))
+}
diff --git a/cli/command/service/update.go b/cli/command/service/update.go
@@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/versions"
 	"github.com/docker/docker/client"
+	"github.com/docker/docker/oci/caps"
 	"github.com/docker/swarmkit/api/defaults"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -101,6 +102,11 @@ func newUpdateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.Var(newListOptsVar(), flagSysCtlRemove, "Remove a Sysctl option")
 	flags.SetAnnotation(flagSysCtlRemove, "version", []string{"1.40"})
 
+	flags.Var(newListOptsVar(), flagCapAdd, "Add Linux capabilities")
+	flags.SetAnnotation(flagCapAdd, "version", []string{"1.41"})
+	flags.Var(newListOptsVar(), flagCapDrop, "Drop Linux capabilities")
+	flags.SetAnnotation(flagCapDrop, "version", []string{"1.41"})
+
 	// Add needs parsing, Remove only needs the key
 	flags.Var(newListOptsVar(), flagGenericResourcesRemove, "Remove a Generic resource")
 	flags.SetAnnotation(flagHostAdd, "version", []string{"1.32"})
@@ -336,6 +342,9 @@ func updateService(ctx context.Context, apiClient client.NetworkAPIClient, flags
 	if err := updateMounts(flags, &cspec.Mounts); err != nil {
 		return err
 	}
+	if err := updateCapabilities(flags, &task.ContainerSpec.Capabilities); err != nil {
+		return err
+	}
 
 	updateSysCtls(flags, &task.ContainerSpec.Sysctls)
 
@@ -713,6 +722,22 @@ func updateEnvironment(flags *pflag.FlagSet, field *[]string) {
 	*field = removeItems(*field, toRemove, envKey)
 }
 
+func updateCapabilities(flags *pflag.FlagSet, capabilities *[]string) error {
+	if flags.Changed(flagCapAdd) || flags.Changed(flagCapDrop) {
+		capAdd := flags.Lookup(flagCapAdd).Value.(*opts.ListOpts).GetAll()
+		capDrop := flags.Lookup(flagCapDrop).Value.(*opts.ListOpts).GetAll()
+
+		if len(capAdd) > 0 || len(capDrop) > 0 {
+			var err error
+			*capabilities, err = caps.TweakCapabilities(*capabilities, capAdd, capDrop, nil, false)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 func getUpdatedSecrets(apiClient client.SecretAPIClient, flags *pflag.FlagSet, secrets []*swarm.SecretReference) ([]*swarm.SecretReference, error) {
 	newSecrets := []*swarm.SecretReference{}
 
diff --git a/cli/command/service/update_test.go b/cli/command/service/update_test.go
@@ -1248,3 +1248,18 @@ func TestUpdateCredSpec(t *testing.T) {
 		})
 	}
 }
+
+func TestUpdateCapabilities(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("cap-add", "CAP_SYS_NICE")
+	flags.Set("cap-drop", "MKNOD")
+
+	containerSpec := &swarm.ContainerSpec{
+		Capabilities: []string{"CAP_MKNOD", "CAP_NET_RAW"},
+	}
+
+	updateCapabilities(flags, &containerSpec.Capabilities)
+	assert.Assert(t, is.Len(containerSpec.Capabilities, 2))
+	assert.Check(t, is.Equal("CAP_NET_RAW", containerSpec.Capabilities[0]))
+	assert.Check(t, is.Equal("CAP_SYS_NICE", containerSpec.Capabilities[1]))
+}
