Switch to github.com/moby/sys/capability #777

Open
wants to merge 1 commit into
base: master
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
strategy:
fail-fast: false
matrix:
go-version: [1.19.x, 1.22.x, 1.23.x]
go-version: [1.21.x, 1.22.x, 1.23.x]
race: ["-race", ""]

steps:
15 changes: 5 additions & 10 deletions cmd/runtimetest/main.go
Expand Up @@ -15,9 +15,9 @@ import (
"syscall"

"github.com/mndrix/tap-go"
"github.com/moby/sys/capability"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/sirupsen/logrus"
"github.com/syndtr/gocapability/capability"
"github.com/urfave/cli"

"github.com/opencontainers/runtime-tools/cmd/runtimetest/mount"
Expand Down Expand Up @@ -265,10 +265,9 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error {
return nil
}

last := capability.CAP_LAST_CAP
// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
supportedCaps, err := capability.ListSupported()
if err != nil {
return err
}

processCaps, err := capability.NewPid2(0)
Expand Down Expand Up @@ -309,11 +308,7 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error {
expectedCaps[ec] = true
}

for _, cap := range capability.List() {
if cap > last {
continue
}

for _, cap := range supportedCaps {
capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
expectedSet := expectedCaps[capKey]
actuallySet := processCaps.Get(capType.capType, cap)
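Review bot: The error from `capability.ListSupported()` at the top of the validateCapabilities hunk is returned bare, so a failure surfaces with no indication of which step of the compliance check broke; wrap it, `return fmt.Errorf("listing host-supported capabilities: %w", err)` (fmt is already in scope, as the Sprintf further down shows). Dropping the RHEL6 workaround also changes behaviour on kernels without /proc/sys/kernel/cap_last_cap: the old code fell back to CAP_BLOCK_SUSPEND, whereas the new code presumably fails the whole check unless the library has its own fallback — worth confirming and recording in a one-line comment at the call site. The rename from the old `last` guard to ranging over supportedCaps is otherwise equivalent, since both skip capabilities above the kernel's last cap. validateCapabilities starts and ends outside the hunk.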
11 changes: 6 additions & 5 deletions generate/generate.go
Expand Up @@ -8,10 +8,10 @@ import (
"os"
"strings"

"github.com/moby/sys/capability"
rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate/seccomp"
capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
"github.com/syndtr/gocapability/capability"
)

var (
Expand Down Expand Up @@ -1135,10 +1135,11 @@ func (g *Generator) ClearMounts() {
func (g *Generator) SetupPrivileged(privileged bool) {
if privileged { // Add all capabilities in privileged mode.
var finalCapList []string
for _, cap := range capability.List() {
if g.HostSpecific && cap > capsCheck.LastCap() {
continue
}
capList := capability.ListKnown()
if g.HostSpecific {
capList, _ = capability.ListSupported()
}
for _, cap := range capList {
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
}
g.initConfigLinux()
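Review bot: In SetupPrivileged the error from `capability.ListSupported()` is discarded with `capList, _ = capability.ListSupported()`; on failure capList is presumably nil, so a HostSpecific privileged config silently ends up with no capabilities at all and nothing tells the user why. SetupPrivileged has no error return, so at minimum the fail-closed choice should be explicit at that line: `// Fail closed: if the host's supported set cannot be read, grant no capabilities rather than guess.` — or log the error before falling through. The previous code had the same shape (LastCap() returned -1 on error, so every cap was skipped), so this is not a regression, but the new call site is the natural place to document it. SetupPrivileged's body continues outside the hunk.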
4 changes: 2 additions & 2 deletions go.mod
@@ -1,18 +1,18 @@
module github.com/opencontainers/runtime-tools

go 1.19
go 1.21

require (
github.com/blang/semver/v4 v4.0.0
github.com/google/uuid v1.3.0
github.com/hashicorp/go-multierror v1.1.1
github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b
github.com/moby/sys/capability v0.4.0
github.com/mrunalp/fileutils v0.5.0
github.com/opencontainers/runtime-spec v1.1.0
github.com/opencontainers/selinux v1.9.1
github.com/sirupsen/logrus v1.8.1
github.com/stretchr/testify v1.3.0
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
github.com/urfave/cli v1.19.1
github.com/xeipuuv/gojsonschema v1.2.0
golang.org/x/sys v0.1.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -11,6 +11,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b h1:Ga1nclDSe8gOw37MVLMhfu2QKWtD6gvtQ298zsKVh8g=
github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4=
github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
Expand All @@ -25,8 +27,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/urfave/cli v1.19.1 h1:0mKm4ZoB74PxYmZVua162y1dGt1qc10MyymYRBf3lb8=
github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
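--- /dev/null
+++ b/validate/capabilities/lastcap.go
@@ -0,0 +1,16 @@
+package capabilities
+
+import (
+	"github.com/moby/sys/capability"
+)
+
+// LastCap returns last cap of system.
+//
+// Deprecated: use github.com/moby/sys/capability.LastCap instead.
+func LastCap() capability.Cap {
+	last, err := capability.LastCap()
+	if err != nil {
+		return -1
+	}
+	return last
+}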
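Review bot: LastCap swallows the error from `capability.LastCap()` and returns -1, but the doc comment does not say so; a caller writing `cap > LastCap()` will then silently treat every capability as unsupported, and the deprecation pointer names a function with a different signature (it returns the error, as the call on the line below the comment shows). Suggest extending the comment to `// LastCap returns the last capability supported by the running kernel, or -1 if it cannot be determined (every capability then compares as greater than it).` and `// Deprecated: use github.com/moby/sys/capability.LastCap instead, which reports the error.`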
42 changes: 28 additions & 14 deletions validate/capabilities/validate.go
Expand Up @@ -3,29 +3,43 @@ package capabilities
import (
"fmt"
"strings"
"sync"

"github.com/syndtr/gocapability/capability"
"github.com/moby/sys/capability"
)

// CapValid checks whether a capability is valid
// CapValid checks whether a capability is valid. If hostSpecific is set,
// it also checks that the capability is supported on the current host.
func CapValid(c string, hostSpecific bool) error {
isValid := false

if !strings.HasPrefix(c, "CAP_") {
return fmt.Errorf("capability %s must start with CAP_", c)
}
for _, cap := range capability.List() {
if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
if hostSpecific && cap > LastCap() {
return fmt.Errorf("%s is not supported on the current host", c)
}
isValid = true
break
}
}

if !isValid {
if _, ok := knownCaps()[c]; !ok {
return fmt.Errorf("invalid capability: %s", c)
}
if !hostSpecific {
return nil
}
if _, ok := supportedCaps()[c]; !ok {
return fmt.Errorf("%s is not supported on the current host", c)
}
return nil
}

func capSet(list []capability.Cap) map[string]struct{} {
m := make(map[string]struct{}, len(list))
for _, c := range list {
m["CAP_"+strings.ToUpper(c.String())] = struct{}{}
}
return m
}

var knownCaps = sync.OnceValue(func() map[string]struct{} {
return capSet(capability.ListKnown())
})

var supportedCaps = sync.OnceValue(func() map[string]struct{} {
list, _ := capability.ListSupported()
return capSet(list)
})
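Review bot: The supportedCaps initializer discards the error from `capability.ListSupported()`, so when the host's supported set cannot be read CapValid reports "%s is not supported on the current host" for every capability — a misleading message for what is really a lookup failure, and because the result is cached by sync.OnceValue it stays wrong for the life of the process. Since go.mod now requires Go 1.21, `sync.OnceValues` can cache the error alongside the map and CapValid can return it with context; the new path below replaces the hostSpecific lookup at the end of CapValid. Note this changes the outcome on platforms where ListSupported errors (the old non-Linux LastCap returned -1, making every cap "not supported"); callers there would now see the underlying error instead, which is arguably more accurate but should be confirmed against the non-Linux build.

```go
var supportedCaps = sync.OnceValues(func() (map[string]struct{}, error) {
	list, err := capability.ListSupported()
	if err != nil {
		return nil, err
	}
	return capSet(list), nil
})

// … in CapValid, after the knownCaps check and the !hostSpecific early return …
supported, err := supportedCaps()
if err != nil {
	return fmt.Errorf("listing host-supported capabilities: %w", err)
}
if _, ok := supported[c]; !ok {
	return fmt.Errorf("%s is not supported on the current host", c)
}
```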
16 changes: 0 additions & 16 deletions validate/capabilities/validate_linux.go

This file was deleted.

13 changes: 0 additions & 13 deletions validate/capabilities/validate_unsupported.go

This file was deleted.

5 changes: 5 additions & 0 deletions validate/validate.go
Expand Up @@ -692,6 +692,11 @@ func CapValid(c string, hostSpecific bool) error {
return capsCheck.CapValid(c, hostSpecific)
}

// LastCap returns last cap of system.
//
// Deprecated: use github.com/moby/sys/capability.LastCap directly.
var LastCap = capsCheck.LastCap

func envValid(env string) bool {
items := strings.Split(env, "=")
if len(items) < 2 {
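Review bot: The Deprecated note on the new `LastCap` alias sends callers to github.com/moby/sys/capability.LastCap, but that function returns `(Cap, error)` (see how lastcap.go calls it) whereas this alias returns a bare Cap with -1 on failure, so the migration is not a drop-in rename; the comment should say so: `// Deprecated: use github.com/moby/sys/capability.LastCap directly; it returns an error instead of -1.` The surrounding CapValid wrapper and envValid are outside the hunk.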
6 changes: 0 additions & 6 deletions validate/validate_linux.go
Expand Up @@ -15,16 +15,10 @@ import (
rspec "github.com/opencontainers/runtime-spec/specs-go"
osFilepath "github.com/opencontainers/runtime-tools/filepath"
"github.com/opencontainers/runtime-tools/specerror"
capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
"github.com/opencontainers/selinux/go-selinux/label"
"github.com/sirupsen/logrus"
)

// LastCap return last cap of system
//
// Deprecated: use github.com/opencontainers/runtime-tools/validate/capabilities.LastCap directly.
var LastCap = capsCheck.LastCap

func deviceValid(d rspec.LinuxDevice) bool {
switch d.Type {
case "b", "c", "u":
9 changes: 0 additions & 9 deletions validate/validate_unsupported.go
Expand Up @@ -3,15 +3,6 @@

package validate

import (
"github.com/syndtr/gocapability/capability"
)

// LastCap return last cap of system
func LastCap() capability.Cap {
return capability.Cap(-1)
}

// CheckLinux is a noop on this platform
func (v *Validator) CheckLinux() (errs error) {
return nil