From b9f7648308500b743ef74988b42df094d9af584a Mon Sep 17 00:00:00 2001
From: Luca Bruno
Date: Fri, 8 Jul 2016 15:22:19 +0200
Subject: [PATCH] actool: allow patch-manifest to override caps isolators

This commit unifies patch-manifest behavior so that --capability and --revoke-capability are able to override existing isolators. It will also remove one possible way of generating invalid manifests with multiple conflicting capabilitiess isolators.
---
 actool/manifest.go | 50 +++++++++++++++++++---------------------------
 1 file changed, 21 insertions(+), 29 deletions(-)

diff --git a/actool/manifest.go b/actool/manifest.go
index cfc69f15..feae1144 100644
--- a/actool/manifest.go
+++ b/actool/manifest.go
@@ -18,6 +18,7 @@ import (
 "archive/tar"
 "compress/gzip"
 "encoding/json"
+ "errors"
 "fmt"
 "io"
 "io/ioutil"
@@ -205,41 +206,32 @@ func patchManifest(im *schema.ImageManifest) error {
 }
 }
- if patchCaps != "" {
- isolator := app.Isolators.GetByName(types.LinuxCapabilitiesRetainSetName)
- if isolator != nil {
- return fmt.Errorf("isolator already exists (os/linux/capabilities-retain-set)")
- }
-
- // Instantiate a Isolator with the content specified by the --capability
- // parameter.
- caps, err := types.NewLinuxCapabilitiesRetainSet(strings.Split(patchCaps, ",")...)
- if err != nil {
- return fmt.Errorf("cannot parse capability %q: %v", patchCaps, err)
- }
- isolator, err = caps.AsIsolator()
- if err != nil {
- return err
- }
- app.Isolators = append(app.Isolators, *isolator)
+ if patchCaps != "" && patchRevokeCaps != "" {
+ return errors.New("conflicting capabilities isolators provided")
 }
- if patchRevokeCaps != "" {
- isolator := app.Isolators.GetByName(types.LinuxCapabilitiesRevokeSetName)
- if isolator != nil {
- return fmt.Errorf("isolator already exists (os/linux/capabilities-remove-set)")
+ if patchCaps != "" || patchRevokeCaps != "" {
+ var capsAsIsolator types.AsIsolator
+ var err error
+ if patchCaps != "" {
+ // Instantiate Isolator with content specified by --capability
+ capsAsIsolator, err = types.NewLinuxCapabilitiesRetainSet(strings.Split(patchCaps, ",")...)
+ if err != nil {
+ return fmt.Errorf("cannot parse capability retain set %q: %v", patchCaps, err)
+ }
 }
-
- // Instantiate a Isolator with the content specified by the --revoke-capability
- // parameter.
- caps, err := types.NewLinuxCapabilitiesRevokeSet(strings.Split(patchRevokeCaps, ",")...)
- if err != nil {
- return fmt.Errorf("cannot parse capability %q: %v", patchRevokeCaps, err)
+ if patchRevokeCaps != "" {
+ // Instantiate Isolator with content specified by --revoke-capability
+ capsAsIsolator, err = types.NewLinuxCapabilitiesRevokeSet(strings.Split(patchRevokeCaps, ",")...)
+ if err != nil {
+ return fmt.Errorf("cannot parse capability remove set %q: %v", patchRevokeCaps, err)
+ }
 }
- isolator, err = caps.AsIsolator()
+ capsIsolator, err := capsAsIsolator.AsIsolator()
 if err != nil {
 return err
 }
- app.Isolators = append(app.Isolators, *isolator)
+ capsKeys := []types.ACIdentifier{types.LinuxCapabilitiesRevokeSetName, types.LinuxCapabilitiesRetainSetName}
+ app.Isolators.ReplaceIsolatorsByName(*capsIsolator, capsKeys)
 }
 if patchMounts != "" {
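Review bot: An existing `os/linux/capabilities-remove-set` isolator is discarded without any notice when only `--capability` is given (and an existing retain set likewise when only `--revoke-capability` is given), because the `ReplaceIsolatorsByName(*capsIsolator, capsKeys)` call at the end of the hunk passes both isolator names and installs the single one built from the flag, where the removed code refused with "isolator already exists". The override is what the commit sets out to do, but replacing a remove set with a retain set changes the privileges the patched app runs with, so the call site should at least say so, e.g. `// A retain set and a remove set cannot coexist: whichever caps isolator the manifest already carries is dropped in favour of the one given on the command line.`, and the help text of both flags (outside this hunk) should state that they replace existing capabilities isolators rather than add to them. Since the check at the top of the new block already rejects both flags together, the second `if patchRevokeCaps != "" {` could be an `else` branch, which also makes it evident that capsAsIsolator is always set before `AsIsolator()` is called. ReplaceIsolatorsByName is not shown here, so its behaviour when neither name is present cannot be confirmed from this hunk; patchManifest begins and ends outside it.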