driver/exec: inherit capabilities of nomad process

hashicorp · May 24, 2019 · 54232c0 · 54232c0
1 parent 3e1b136
commit 54232c0
Showing 1 changed file with 4 additions and 27 deletions.
diff --git a/drivers/shared/executor/executor_linux.go b/drivers/shared/executor/executor_linux.go
@@ -31,7 +31,6 @@ import (
 	lconfigs "github.com/opencontainers/runc/libcontainer/configs"
 	ldevices "github.com/opencontainers/runc/libcontainer/devices"
 	lutils "github.com/opencontainers/runc/libcontainer/utils"
-	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )
 
@@ -551,34 +550,12 @@ func (l *LibcontainerExecutor) handleExecWait(ch chan *waitResult, process *libc
 
 func configureCapabilities(cfg *lconfigs.Config, command *ExecCommand) error {
 	// TODO: allow better control of these
-	// use capabilities list as prior to adopting libcontainer in 0.9
-	allCaps := supportedCaps()
-	cfg.Capabilities = &lconfigs.Capabilities{
-		Bounding:    allCaps,
-		Permitted:   nil,
-		Inheritable: nil,
-		Ambient:     nil,
-		Effective:   nil,
-	}
 
-	return nil
-}
+	// By default, inherit nomad process linux capabilities, the behavior
+	// prior to adopting libcontainer, in Nomad 0.8
+	cfg.Capabilities = nil
 
-// supportedCaps returns a list of all supported capabilities in kernel
-func supportedCaps() []string {
-	allCaps := []string{}
-	last := capability.CAP_LAST_CAP
-	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-	for _, cap := range capability.List() {
-		if cap > last {
-			continue
-		}
-		allCaps = append(allCaps, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
-	}
-	return allCaps
+	return nil
 }
 
 // configureIsolation prepares the isolation primitives of the container.