1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
package caps // import "github.com/docker/docker/oci/caps"
import (
"context"
"sync"
ccaps "github.com/containerd/containerd/pkg/cap"
"github.com/containerd/log"
)
var initCapsOnce sync.Once
func initCaps() {
initCapsOnce.Do(func() {
rawCaps := ccaps.Known()
curCaps, err := ccaps.Current()
if err != nil {
log.G(context.TODO()).WithError(err).Error("failed to get capabilities from current environment")
allCaps = rawCaps
} else {
allCaps = curCaps
}
knownCaps = make(map[string]*struct{}, len(rawCaps))
for _, capName := range rawCaps {
// For now, we assume the capability is available if we failed to
// get the capabilities from the current environment. This keeps the
// old (pre-detection) behavior, and prevents creating containers with
// no capabilities. The OCI runtime or kernel may still refuse capa-
// bilities that are not available, and produce an error in that case.
if len(curCaps) > 0 && !inSlice(curCaps, capName) {
knownCaps[capName] = nil
continue
}
knownCaps[capName] = &struct{}{}
}
})
}
|
