daemon/execdriver/utils.go - third_party/github.com/moby/moby - Git at Google

 package execdriver

 import (
 	"fmt"
 	"strings"

 	"github.com/docker/docker/utils"
 	"github.com/docker/libcontainer/security/capabilities"
 )

 func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 	var (
 		newCaps []string
 		allCaps = capabilities.GetAllCapabilities()
 	)

 	// look for invalid cap in the drop list
 	for _, cap := range drops {
 		if strings.ToLower(cap) == "all" {
 			continue
 		}
 		if !utils.StringsContainsNoCase(allCaps, cap) {
 			return nil, fmt.Errorf("Unknown capability drop: %q", cap)
 		}
 	}

 	// handle --cap-add=all
 	if utils.StringsContainsNoCase(adds, "all") {
 		basics = capabilities.GetAllCapabilities()
 	}

 	if !utils.StringsContainsNoCase(drops, "all") {
 		for _, cap := range basics {
 			// skip `all` aready handled above
 			if strings.ToLower(cap) == "all" {
 				continue
 			}

 			// if we don't drop `all`, add back all the non-dropped caps
 			if !utils.StringsContainsNoCase(drops, cap) {
 				newCaps = append(newCaps, strings.ToUpper(cap))
 			}
 		}
 	}

 	for _, cap := range adds {
 		// skip `all` aready handled above
 		if strings.ToLower(cap) == "all" {
 			continue
 		}

 		if !utils.StringsContainsNoCase(allCaps, cap) {
 			return nil, fmt.Errorf("Unknown capability to add: %q", cap)
 		}

 		// add cap if not already in the list
 		if !utils.StringsContainsNoCase(newCaps, cap) {
 			newCaps = append(newCaps, strings.ToUpper(cap))
 		}
 	}

 	return newCaps, nil
 }
	package execdriver

	import (
	"fmt"
	"strings"

	"github.com/docker/docker/utils"
	"github.com/docker/libcontainer/security/capabilities"
	)

	func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
	var (
	newCaps []string
	allCaps = capabilities.GetAllCapabilities()
	)

	// look for invalid cap in the drop list
	for _, cap := range drops {
	if strings.ToLower(cap) == "all" {
	continue
	}
	if !utils.StringsContainsNoCase(allCaps, cap) {
	return nil, fmt.Errorf("Unknown capability drop: %q", cap)
	}
	}

	// handle --cap-add=all
	if utils.StringsContainsNoCase(adds, "all") {
	basics = capabilities.GetAllCapabilities()
	}

	if !utils.StringsContainsNoCase(drops, "all") {
	for _, cap := range basics {
	// skip `all` aready handled above
	if strings.ToLower(cap) == "all" {
	continue
	}

	// if we don't drop `all`, add back all the non-dropped caps
	if !utils.StringsContainsNoCase(drops, cap) {
	newCaps = append(newCaps, strings.ToUpper(cap))
	}
	}
	}

	for _, cap := range adds {
	// skip `all` aready handled above
	if strings.ToLower(cap) == "all" {
	continue
	}

	if !utils.StringsContainsNoCase(allCaps, cap) {
	return nil, fmt.Errorf("Unknown capability to add: %q", cap)
	}

	// add cap if not already in the list
	if !utils.StringsContainsNoCase(newCaps, cap) {
	newCaps = append(newCaps, strings.ToUpper(cap))
	}
	}

	return newCaps, nil
	}