From 274cca0040c5845d705af0c12c8b93fffbe0dfb9 Mon Sep 17 00:00:00 2001
From: Steve Baker
Date: Mon, 24 Sep 2018 09:26:52 +1200
Subject: [PATCH] Implement cap_add, cap_drop

Assiging individual capabilities is preferable to making containers privileged, so lets make that possible.

Change-Id: I244e8e0543d92f4cdf9dbb085fff6e1cbb09a3d0
---
 paunch/builder/compose1.py | 4 +++-
 paunch/builder/podman.py | 3 +++
 paunch/tests/test_builder_base.py | 5 ++++-
 paunch/tests/test_builder_compose1.py | 8 ++++++--
 paunch/tests/test_builder_podman.py | 8 ++++++--
 5 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/paunch/builder/compose1.py b/paunch/builder/compose1.py
index 9be664f..5376e31 100644
--- a/paunch/builder/compose1.py
+++ b/paunch/builder/compose1.py
@@ -73,8 +73,10 @@ class ComposeV1Builder(base.BaseBuilder):
 'stop_grace_period', '--stop-timeout',
 self.duration)
 
+ self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
+ self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
+
 # TODO(sbaker): add missing compose v1 properties:
- # cap_add, cap_drop
 # cgroup_parent
 # devices
 # dns, dns_search
diff --git a/paunch/builder/podman.py b/paunch/builder/podman.py
index 131044f..03d97f3 100644
--- a/paunch/builder/podman.py
+++ b/paunch/builder/podman.py
@@ -62,5 +62,8 @@ class PodmanBuilder(base.BaseBuilder):
 'stop_grace_period', '--stop-timeout',
 self.duration)
 
+ self.list_arg(cconfig, cmd, 'cap_add', '--cap-add')
+ self.list_arg(cconfig, cmd, 'cap_drop', '--cap-drop')
+
 cmd.append(cconfig.get('image', ''))
 cmd.extend(self.command_argument(cconfig.get('command')))
diff --git a/paunch/tests/test_builder_base.py b/paunch/tests/test_builder_base.py
index 8d4b4d5..86c9acf 100644
--- a/paunch/tests/test_builder_base.py
+++ b/paunch/tests/test_builder_base.py
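Review bot: The two `list_arg` calls added in compose1.py (and the identical pair in podman.py on this same line) emit `--cap-add`/`--cap-drop` regardless of whether `privileged` is also set in `cconfig`, and the tests in this commit exercise exactly that combination. As far as I know both engines grant the full capability set under `--privileged`, so a `cap_drop` entry in such a config is a silent no-op, which undercuts the intent stated in the commit message; please confirm against the docker and podman documentation. A guard placed before these calls, `if cconfig.get('privileged'):` followed by a warning through the module's logger that `cap_add`/`cap_drop` have no effect while `privileged` is set, would surface the misconfiguration at deploy time instead of leaving operators to believe the drop took hold. The enclosing method starts before and ends after the hunk in both files.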
@@ -457,7 +457,9 @@ three-12345678 three''', '', 0),
 'ulimit': ['nofile=1024', 'nproc=1024'],
 'volumes': ['/foo:/foo:rw', '/bar:/bar:ro'],
 'volumes_from': ['two', 'three'],
- 'group_add': ['docker', 'zuul']
+ 'group_add': ['docker', 'zuul'],
+ 'cap_add': ['SYS_ADMIN', 'SETUID'],
+ 'cap_drop': ['NET_RAW']
 }
 }
 builder = compose1.ComposeV1Builder('foo', config, None)
@@ -473,6 +475,7 @@ three-12345678 three''', '', 0),
 '--group-add=docker', '--group-add=zuul',
 '--volume=/foo:/foo:rw', '--volume=/bar:/bar:ro',
 '--volumes-from=two', '--volumes-from=three',
+ '--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
 'centos:7', 'ls', '-l', '/foo'],
 cmd
 )
diff --git a/paunch/tests/test_builder_compose1.py b/paunch/tests/test_builder_compose1.py
index 74e4ad8..d5b9ca0 100644
--- a/paunch/tests/test_builder_compose1.py
+++ b/paunch/tests/test_builder_compose1.py
@@ -37,7 +37,9 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
 'env_file': '/tmp/foo.env',
 'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
 'cpu_shares': 600,
- 'security_opt': 'label:disable'
+ 'security_opt': 'label:disable',
+ 'cap_add': ['SYS_ADMIN', 'SETUID'],
+ 'cap_drop': ['NET_RAW']
 }
 }
 builder = compose1.ComposeV1Builder('foo', config, None)
@@ -53,6 +55,8 @@ class TestComposeV1Builder(tbb.TestBaseBuilder):
 '--privileged=true', '--restart=always', '--user=bar',
 '--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
 '--cpu-shares=600',
- '--security-opt=label:disable', 'centos:7'],
+ '--security-opt=label:disable',
+ '--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
+ 'centos:7'],
 cmd
 )
diff --git a/paunch/tests/test_builder_podman.py b/paunch/tests/test_builder_podman.py
index 2cd20e9..15749b5 100644
--- a/paunch/tests/test_builder_podman.py
+++ b/paunch/tests/test_builder_podman.py
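Review bot: The new expected argv in the `@@ -53,6 +55,8 @@` hunk of test_builder_compose1.py (and likewise the `@@ -45,6 +47,8 @@` hunk of test_builder_podman.py on the next line) asserts the `--cap-add`/`--cap-drop` flags right next to `--privileged=true`, so these tests only pin argument plumbing for a configuration in which the capability flags are not expected to matter. A second case with `privileged` absent from the config, for example the constructed pair `'cap_add': ['NET_BIND_SERVICE'], 'cap_drop': ['ALL']`, with an expected list that contains the `--cap-*` flags and no `--privileged=true`, would cover the usage the commit message is arguing for. Both test methods start before and end after their hunks.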
@@ -31,7 +31,9 @@ class TestPodmanBuilder(base.TestBaseBuilder):
 'env_file': '/tmp/foo.env',
 'log_tag': '{{.ImageName}}/{{.Name}}/{{.ID}}',
 'cpu_shares': 600,
- 'security_opt': 'label:disable'
+ 'security_opt': 'label:disable',
+ 'cap_add': ['SYS_ADMIN', 'SETUID'],
+ 'cap_drop': ['NET_RAW']
 }
 }
 builder = podman.PodmanBuilder('foo', config, None)
@@ -45,6 +47,8 @@ class TestPodmanBuilder(base.TestBaseBuilder):
 '--uts=host', '--privileged=true', '--user=bar',
 '--log-opt=tag={{.ImageName}}/{{.Name}}/{{.ID}}',
 '--cpu-shares=600',
- '--security-opt=label:disable', 'centos:7'],
+ '--security-opt=label:disable',
+ '--cap-add=SYS_ADMIN', '--cap-add=SETUID', '--cap-drop=NET_RAW',
+ 'centos:7'],
 cmd
 )