diff --git a/src/main/java/com/github/dockerjava/api/command/CreateContainerCmd.java b/src/main/java/com/github/dockerjava/api/command/CreateContainerCmd.java
index dde2079a2..1cf3098e8 100644
--- a/src/main/java/com/github/dockerjava/api/command/CreateContainerCmd.java
+++ b/src/main/java/com/github/dockerjava/api/command/CreateContainerCmd.java
@@ -2,9 +2,9 @@
 import com.github.dockerjava.api.ConflictException;
 import com.github.dockerjava.api.NotFoundException;
+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.ExposedPort;
 import com.github.dockerjava.api.model.HostConfig;
-import com.github.dockerjava.api.model.Links;
 import com.github.dockerjava.api.model.Volume;
 public interface CreateContainerCmd extends DockerCmd{
@@ -101,6 +101,25 @@ public interface CreateContainerCmd extends DockerCmd{
 public CreateContainerCmd withHostConfig(HostConfig hostConfig);
+ public Capability[] getCapAdd();
+
+ /**
+ * Add linux kernel
+ * capability to the container. For example: adding {@link Capability#MKNOD}
+ * allows the container to create special files using the 'mknod' command.
+ */
+ public CreateContainerCmd withCapAdd(Capability... capAdd);
+
+ public Capability[] getCapDrop();
+
+ /**
+ * Drop linux kernel
+ * capability from the container. For example: dropping {@link Capability#CHOWN}
+ * prevents the container from changing the owner of any files.
+ */
+ public CreateContainerCmd withCapDrop(Capability... capDrop);
 /**
 * @throws NotFoundException No such container
diff --git a/src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java b/src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java
index 8535c8ed2..59aab1ed3 100644
--- a/src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java
+++ b/src/main/java/com/github/dockerjava/api/command/StartContainerCmd.java
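Review bot: The new `getCapAdd()`/`getCapDrop()` accessors in the `@@ -101` hunk carry no Javadoc, and the `withCapAdd` Javadoc gives only the benign MKNOD example while the enum it now takes also offers `ALL` and `SYS_ADMIN`, whose addition effectively removes the container's privilege boundary. I would add to `withCapAdd`: `Adding {@link Capability#ALL} or {@link Capability#SYS_ADMIN} gives the container close to host-root privileges; prefer dropping {@link Capability#ALL} and adding back only what the workload needs.` The hunk also does not say how a capability listed in both CapAdd and CapDrop is resolved — that is decided by the daemon, so a one-line pointer to the Docker API reference on the getters would spare callers a guess. The same documentation gap applies to StartContainerCmd's `withCapAdd`/`withCapDrop` in the next file.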
@@ -3,6 +3,7 @@
 import com.github.dockerjava.api.NotFoundException;
 import com.github.dockerjava.api.NotModifiedException;
 import com.github.dockerjava.api.model.Bind;
+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.Device;
 import com.github.dockerjava.api.model.Link;
 import com.github.dockerjava.api.model.LxcConf;
@@ -41,9 +42,9 @@ public interface StartContainerCmd extends DockerCmd {
 public RestartPolicy getRestartPolicy();
- public String[] getCapAdd();
+ public Capability[] getCapAdd();
- public String[] getCapDrop();
+ public Capability[] getCapDrop();
 public StartContainerCmd withBinds(Bind... binds);
@@ -115,18 +116,18 @@ public interface StartContainerCmd extends DockerCmd {
 /**
 * Add linux kernel
- * capability to the container. For example: adding capability "MKNOD"
+ * capability to the container. For example: adding {@link Capability#MKNOD}
 * allows the container to create special files using the 'mknod' command.
 */
- public StartContainerCmd withCapAdd(String... capAdd);
+ public StartContainerCmd withCapAdd(Capability... capAdd);
 /**
 * Drop linux kernel
- * capability from the container. For example: dropping capability
- * "CHOWN" prevents the container from changing the owner of any files.
+ * capability from the container. For example: dropping {@link Capability#CHOWN}
+ * prevents the container from changing the owner of any files.
 */
- public StartContainerCmd withCapDrop(String... capDrop);
+ public StartContainerCmd withCapDrop(Capability... capDrop);
 /**
 * @throws NotFoundException
diff --git a/src/main/java/com/github/dockerjava/api/model/Capability.java b/src/main/java/com/github/dockerjava/api/model/Capability.java
new file mode 100644
index 000000000..c86c07961
--- /dev/null
+++ b/src/main/java/com/github/dockerjava/api/model/Capability.java
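Review bot: Changing `withCapAdd(String...)`/`withCapDrop(String...)` to `Capability...` in the `@@ -115` hunk (and the matching getters in the `@@ -41` hunk) is a source-incompatible change to a public interface: callers that passed capability names as strings, including spellings the enum does not contain such as a `CAP_`-prefixed form, no longer compile, and nothing in the Javadoc flags it. If that is intended, a `@since` note or a changelog entry should say so; otherwise a deprecated `String...` overload that maps each name through `Capability.valueOf` would keep existing callers building. The same signature change is made on CreateContainerCmd in the previous file.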
@@ -0,0 +1,329 @@ +package com.github.dockerjava.api.model; + +/** + * The Linux capabilities supported by Docker. + * The list of capabilities is defined in Docker's types.go, + * {@link #ALL} was added manually. + * + * @see http://man7.org/linux/man-pages/man7/capabilities.7.html + */ +public enum Capability { + /** + * This meta capability includes all Linux capabilities. + */ + ALL, + /** + *
    + *
  • Enable and disable kernel auditing. + *
  • Change auditing filter rules. + *
  • Retrieve auditing status and filtering rules. + *
+ */ + AUDIT_CONTROL, + /** + * Write records to kernel auditing log. + */ + AUDIT_WRITE, + /** + * Employ features that can block system suspend. + */ + BLOCK_SUSPEND, + /** + * Make arbitrary changes to file UIDs and GIDs (see chown(2)). + */ + CHOWN, + /** + * Bypass file read, write, and execute permission checks. + * (DAC is an abbreviation of "discretionary access control".) + */ + DAC_OVERRIDE, + /** + * Bypass file read permission checks and directory read and + * execute permission checks. + */ + DAC_READ_SEARCH, + /** + *
    + *
  • Bypass permission checks on operations that normally require + * the file system UID of the process to match the UID of the file + * (e.g., chmod(2), utime(2)), excluding those operations covered + * by the {@link #DAC_OVERRIDE} and{@link #DAC_READ_SEARCH}. + *
  • Set extended file attributes (see chattr(1)) on arbitrary files. + *
  • Set Access Control Lists (ACLs) on arbitrary files. + *
  • Ignore directory sticky bit on file deletion. + *
  • Specify O_NOATIME for arbitrary files in open(2)and fcntl(2). + *
+ */ + FOWNER, + /** + *
    + *
  • Don't clear set-user-ID and set-group-ID permission bits when + * a file is modified. + *
  • Set the set-group-ID bit for a file whose GID does not match + * the file system or any of the supplementary GIDs of the calling + * process. + *
+ */ + FSETID, + /** + * Permit memory locking (mlock(2), mlockall(2), mmap(2), shmctl(2)). + */ + IPC_LOCK, + /** + * Bypass permission checks for operations on System V IPC objects. + */ + IPC_OWNER, + /** + * Bypass permission checks for sending signals (see kill(2)). + * This includes use of the ioctl(2) KDSIGACCEPT operation. + */ + KILL, + /** + * Establish leases on arbitrary files (see fcntl(2)). + */ + LEASE, + /** + * Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags (see chattr(1)). + */ + LINUX_IMMUTABLE, + /** + * Override Mandatory Access Control (MAC). + * Implemented for the Smack Linux Security Module (LSM). + */ + MAC_ADMIN, + /** + * Allow MAC configuration or state changes. Implemented for the Smack LSM. + */ + MAC_OVERRIDE, + /** + * Create special files using mknod(2). + */ + MKNOD, + /** + * Perform various network-related operations: + *
    + *
  • Interface configuration. + *
  • Administration of IP firewall, masquerading, and accounting. + *
  • Modify routing tables. + *
  • Bind to any address for transparent proxying. + *
  • Set type-of-service (TOS). + *
  • Clear driver statistics. + *
  • Set promiscuous mode. + *
  • Enabling multicasting. + *
  • Use setsockopt(2) to set the following socket options: SO_DEBUG, + * SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), + * SO_RCVBUFFORCE, and SO_SNDBUFFORCE. + *
+ */ + NET_ADMIN, + /** + * Bind a socket to Internet domain privileged ports (port numbers less + * than 1024). + */ + NET_BIND_SERVICE, + /** + * (Unused) Make socket broadcasts, and listen to multicasts. + */ + NET_BROADCAST, + /** + *
    + *
  • Use RAW and PACKET sockets. + *
  • Bind to any address for transparent proxying. + *
+ */ + NET_RAW, + /** + * Set file capabilities. + */ + SETFCAP, + /** + *
    + *
  • Make arbitrary manipulations of process GIDs and supplementary + * GID list. + *
  • Forge GID when passing socket credentials via UNIX domain + * sockets. + *
+ */ + SETGID, + /** + * If file capabilities are not supported: + *
    + *
  • grant or remove any capability in the caller's permitted + * capability set to or from any other process. (This property of + * CAP_SETPCAP is not available when the kernel is configured to + * support file capabilities, since CAP_SETPCAP has entirely different + * semantics for such kernels.) + *
+ *

+ * If file capabilities are supported: + *

    + *
  • Add any capability from the calling thread's bounding set to its + * inheritable set. + *
  • Drop capabilities from the bounding set (via prctl(2) + * PR_CAPBSET_DROP). + *
  • Make changes to the securebits flags. + *
+ */ + SETPCAP, + /** + *
    + *
  • Make arbitrary manipulations of process UIDs (setuid(2), + * setreuid(2), setresuid(2), setfsuid(2)). + *
  • Make forged UID when passing socket credentials via UNIX domain + * sockets. + *
+ */ + SETUID, + /** + *
    + *
  • Perform a range of system administration operations including: + * quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), + * and setdomainname(2). + *
  • Perform privileged syslog(2) operations (since Linux 2.6.37, + * CAP_SYSLOG should be used to permit such operations). + *
  • Perform VM86_REQUEST_IRQ vm86(2) command. + *
  • Perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects. + *
  • Perform operations on trusted and security Extended Attributes + * (see attr(5)). + *
  • Use lookup_dcookie(2) + *
  • Use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) + * IOPRIO_CLASS_IDLE I/O scheduling classes. + *
  • Forge UID when passing socket credentials. + *
  • Exceed /proc/sys/fs/file-max, the system-wide limit on the number of + * open files, in system calls that open files (e.g., accept(2), execve(2), + * open(2), pipe(2)). + *
  • Employ CLONE_* flags that create new namespaces with clone(2) and + * unshare(2). + *
  • Call perf_event_open(2). + *
  • Access privileged perf event information. + *
  • Call setns(2). + *
  • Call fanotify_init(2). + *
  • Perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations. + *
  • Perform madvise(2) MADV_HWPOISON operation. + *
  • Employ the TIOCSTI ioctl(2) to insert characters into the input queue + * of a terminal other than the caller's controlling terminal. + *
  • Employ the obsolete nfsservctl(2) system call. + *
  • Employ the obsolete bdflush(2) system call. + *
  • Perform various privileged block-device ioctl(2) operations. + *
  • Perform various privileged file-system ioctl(2) operations. + *
  • Perform administrative operations on many device drivers. + *
+ */ + SYS_ADMIN, + /** + * Use reboot(2) and kexec_load(2). + */ + SYS_BOOT, + /** + * Use chroot(2). + */ + SYS_CHROOT, + /** + *
    + *
  • Perform privileged syslog(2) operations. See syslog(2) for information + * on which operations require privilege. + *
  • View kernel addresses exposed via /proc and other interfaces when + * /proc/sys/kernel/kptr_restrict has the value 1. (See the discussion of the + * kptr_restrict in proc(5).) + *
+ */ + SYSLOG, + /** + *
    + *
  • Load and unload kernel modules (see init_module(2) and delete_module(2)) + *
  • In kernels before 2.6.25: drop capabilities from the system-wide + * capability bounding set. + *
+ */ + SYS_MODULE, + /** + *
    + *
  • Raise process nice value (nice(2), setpriority(2)) and change the nice + * value for arbitrary processes. + *
  • Set real-time scheduling policies for calling process, and set scheduling + * policies and priorities for arbitrary processes (sched_setscheduler(2), + * sched_setparam(2)). + *
  • Set CPU affinity for arbitrary processes (sched_setaffinity(2)). + *
  • Set I/O scheduling class and priority for arbitrary processes + * (ioprio_set(2)). + *
  • Apply migrate_pages(2) to arbitrary processes and allow processes to be + * migrated to arbitrary nodes. + *
  • Apply move_pages(2) to arbitrary processes. + *
  • Use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2). + *
+ */ + SYS_NICE, + /** + * Use acct(2). + */ + SYS_PACCT, + /** + *
    + *
  • Trace arbitrary processes using ptrace(2). + *
  • Apply get_robust_list(2) to arbitrary processes. + *
  • Inspect processes using kcmp(2). + *
+ */ + SYS_PTRACE, + /** + *
    + *
  • Perform I/O port operations (iopl(2) and ioperm(2)). + *
  • Access /proc/kcore. + *
  • Employ the FIBMAP ioctl(2) operation. + *
  • Open devices for accessing x86 model-specific registers (MSRs, see + * msr(4)). + *
  • Update /proc/sys/vm/mmap_min_addr. + *
  • Create memory mappings at addresses below the value specified by + * /proc/sys/vm/mmap_min_addr. + *
  • Map files in /proc/pci/bus. + *
  • Open /dev/mem and /dev/kmem. + *
  • Perform various SCSI device commands. + *
  • Perform certain operations on hpsa(4) and cciss(4) devices. + *
  • Perform a range of device-specific operations on other devices. + *
+ */ + SYS_RAWIO, + /** + *
    + *
  • Use reserved space on ext2 file systems. + *
  • Make ioctl(2) calls controlling ext3 journaling. + *
  • Override disk quota limits. + *
  • Increase resource limits (see setrlimit(2)). + *
  • Override RLIMIT_NPROC resource limit. + *
  • Override maximum number of consoles on console allocation. + *
  • Override maximum number of keymaps. + *
  • Allow more than 64hz interrupts from the real-time clock. + *
  • Raise msg_qbytes limit for a System V message queue above the limit + * in /proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2)). + *
  • Override the /proc/sys/fs/pipe-size-max limit when setting the capacity + * of a pipe using the F_SETPIPE_SZ fcntl(2) command. + *
  • Use F_SETPIPE_SZ to increase the capacity of a pipe above the limit + * specified by /proc/sys/fs/pipe-max-size. + *
  • Override /proc/sys/fs/mqueue/queues_max limit when creating POSIX + * message queues (see mq_overview(7)). + *
  • Employ prctl(2) PR_SET_MM operation. + *
  • Set /proc/PID/oom_score_adj to a value lower than the value last set + * by a process with CAP_SYS_RESOURCE. + *
+ */ + SYS_RESOURCE, + /** + *
    + *
  • Set system clock (settimeofday(2), stime(2), adjtimex(2)). + *
  • Set real-time (hardware) clock. + *
+ */ + SYS_TIME, + /** + *
    + *
  • Use vhangup(2). + *
  • Employ various privileged ioctl(2) operations on virtual terminals. + *
+ */ + SYS_TTY_CONFIG, + /** + * Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and + * CLOCK_BOOTTIME_ALARM timers). + */ + WAKE_ALARM +} diff --git a/src/main/java/com/github/dockerjava/api/model/HostConfig.java b/src/main/java/com/github/dockerjava/api/model/HostConfig.java index 6344caab5..3d1865017 100644 --- a/src/main/java/com/github/dockerjava/api/model/HostConfig.java +++ b/src/main/java/com/github/dockerjava/api/model/HostConfig.java @@ -39,10 +39,10 @@ public class HostConfig { private String containerIDFile; @JsonProperty("CapAdd") - private String[] capAdd; + private Capability[] capAdd; @JsonProperty("CapDrop") - private String[] capDrop; + private Capability[] capDrop; @JsonProperty("RestartPolicy") private RestartPolicy restartPolicy; @@ -58,7 +58,7 @@ public HostConfig() { public HostConfig(String[] binds, Links links, LxcConf[] lxcConf, Ports portBindings, boolean publishAllPorts, boolean privileged, String[] dns, String[] dnsSearch, String[] volumesFrom, String containerIDFile, - String[] capAdd, String[] capDrop, RestartPolicy restartPolicy, String networkMode, Device[] devices) { + Capability[] capAdd, Capability[] capDrop, RestartPolicy restartPolicy, String networkMode, Device[] devices) { this.binds = binds; this.links = links; this.lxcConf = lxcConf; @@ -128,11 +128,11 @@ public RestartPolicy getRestartPolicy() { return restartPolicy; } - public String[] getCapAdd() { + public Capability[] getCapAdd() { return capAdd; } - public String[] getCapDrop() { + public Capability[] getCapDrop() { return capDrop; } @@ -176,11 +176,11 @@ public void setContainerIDFile(String containerIDFile) { this.containerIDFile = containerIDFile; } - public void setCapAdd(String[] capAdd) { + public void setCapAdd(Capability[] capAdd) { this.capAdd = capAdd; } - public void setCapDrop(String[] capDrop) { + public void setCapDrop(Capability[] capDrop) { this.capDrop = capDrop; } 
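Review bot: The enum-level Javadoc uses `@see http://man7.org/linux/man-pages/man7/capabilities.7.html` with a bare URL, which javadoc interprets as a symbol reference and reports as an error; it should read `@see <a href="http://man7.org/linux/man-pages/man7/capabilities.7.html">capabilities(7)</a>`. The FOWNER entry has `and{@link #DAC_READ_SEARCH}` missing a space and a dangling `the` before it. For a client library the `ALL` Javadoc should also state that it is a Docker-side meta value rather than a kernel capability and that adding it (or `SYS_ADMIN`, whose list in this hunk amounts to host administration) dissolves the container's isolation; something like `Docker meta value, not a kernel capability: adding it grants every capability below and removes the container's privilege boundary.` would do. The header could additionally note that capabilities introduced after this list was written cannot be expressed through the enum.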
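Review bot: With `capAdd`/`capDrop` now typed `Capability[]` under `@JsonProperty` in the `@@ -39` hunk, any capability name the daemon returns that is not an enum constant — a `CAP_`-prefixed spelling or a capability newer than this list — will fail enum deserialization on read-back unless the mapper is configured to tolerate unknown enum values, which is not visible here; before this change such names passed through as strings. HostConfig keeps a no-arg constructor and setters in these hunks, so it looks like it is also a deserialization target — please confirm. A `@JsonCreator` factory on `Capability` that accepts an optional `CAP_` prefix and otherwise throws an `IllegalArgumentException` naming the offending value would make the failure mode explicit, and a test that deserializes a HostConfig containing an unknown capability string would pin the chosen behaviour.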
diff --git a/src/main/java/com/github/dockerjava/core/command/CreateContainerCmdImpl.java b/src/main/java/com/github/dockerjava/core/command/CreateContainerCmdImpl.java
index e022bdeab..0fab7e695 100644
--- a/src/main/java/com/github/dockerjava/core/command/CreateContainerCmdImpl.java
+++ b/src/main/java/com/github/dockerjava/core/command/CreateContainerCmdImpl.java
@@ -8,6 +8,7 @@
 import com.github.dockerjava.api.NotFoundException;
 import com.github.dockerjava.api.command.CreateContainerCmd;
 import com.github.dockerjava.api.command.CreateContainerResponse;
+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.ExposedPort;
 import com.github.dockerjava.api.model.ExposedPorts;
 import com.github.dockerjava.api.model.HostConfig;
@@ -312,6 +313,28 @@ public CreateContainerCmd withHostConfig(HostConfig hostConfig) {
 return this;
 }
+ @Override
+ public Capability[] getCapAdd() {
+ return hostConfig.getCapAdd();
+ }
+
+ @Override
+ public CreateContainerCmd withCapAdd(Capability... capAdd) {
+ hostConfig.setCapAdd(capAdd);
+ return this;
+ }
+
+ @Override
+ public Capability[] getCapDrop() {
+ return hostConfig.getCapDrop();
+ }
+
+ @Override
+ public CreateContainerCmd withCapDrop(Capability... capDrop) {
+ hostConfig.setCapDrop(capDrop);
+ return this;
+ }
+
 @Override
 public String toString() {
 return new ToStringBuilder(this).append("create container ")
@@ -328,4 +351,5 @@ public String toString() {
 public CreateContainerResponse exec() throws NotFoundException, ConflictException {
 return super.exec();
 }
+
 }
diff --git a/src/main/java/com/github/dockerjava/core/command/StartContainerCmdImpl.java b/src/main/java/com/github/dockerjava/core/command/StartContainerCmdImpl.java
index 74fbd6790..60d728f0f 100644
--- a/src/main/java/com/github/dockerjava/core/command/StartContainerCmdImpl.java
+++ b/src/main/java/com/github/dockerjava/core/command/StartContainerCmdImpl.java
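Review bot: The four new methods in the `@@ -312` hunk dereference `hostConfig` unconditionally; whether that field is initialised before `withHostConfig` is called is outside the hunk, so if it is only assigned there, `withCapAdd` on a freshly created command throws a NullPointerException that says nothing about the cause. If the field can be null, `Objects.requireNonNull(hostConfig, "call withHostConfig before withCapAdd")` or lazily creating the HostConfig in the setters would give a clear error — please confirm against the constructor. Note also that `hostConfig.setCapAdd(capAdd)` stores the caller's varargs array as-is (HostConfig's setter assigns it directly), so a caller that later mutates the array changes the request that will be sent.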
@@ -9,6 +9,7 @@
 import com.github.dockerjava.api.command.StartContainerCmd;
 import com.github.dockerjava.api.model.Bind;
 import com.github.dockerjava.api.model.Binds;
+import com.github.dockerjava.api.model.Capability;
 import com.github.dockerjava.api.model.Device;
 import com.github.dockerjava.api.model.Link;
 import com.github.dockerjava.api.model.Links;
@@ -62,10 +63,10 @@ public class StartContainerCmdImpl extends AbstrDockerCmd