Add support for defining package capabilities #95
+1,717
−5
Adds the ability to add filesystem capabilities to packages.
Specifically this allows running podman in rootless mode as newuidmap
and newgidmap are required in rootless mode for testing.
I have made a reimplementation of the programs here
https://gitea.narnian.us/lordwelch/Podman
The internal/cap package is modified from the libcap project to allow
cross-platform marshalling to/from the kernel vfs format to write squashfs
xattr values and for parsing the text format used with the setcap command.

Adding a capability to a package happens in the package config using the
Capabilities key and takes the same format as the setcap command; see https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap#FromText, the setcap/cap_from_text manpage or the FromText function in internal/cap/text.go in this repository.

Here is an example of how it would be used with the newgidmap and newuidmap programs:

```json
{
  ...
  "PackageConfig": {
    "gitea.narnian.us/lordwelch/Podman/newgidmap": {
      "Capabilities": "CAP_SETGID+ep"
    },
    "gitea.narnian.us/lordwelch/Podman/newuidmap": {
      "Capabilities": "CAP_SETUID+ep"
    }
  },
  ...
}
```

Note: this PR depends on gokrazy/internal#27 and will not compile without a sufficient replace directive or until it is merged and the go.mod file updated.
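To make the text-to-xattr step described above concrete, here is an added example (not the PR's internal/cap code) that encodes one clause such as `CAP_SETGID+ep` into the 20-byte revision 2 `vfs_cap_data` value the kernel reads from the `security.capability` xattr. It assumes a single `NAME[,NAME]+flags` clause and knows only the two capabilities from the config above; `EncodeFileCaps` and `capBits` are hypothetical names.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Values from the kernel's include/uapi/linux/capability.h.
const vfsCapRevision2, vfsCapFlagsEffective = 0x02000000, 0x000001
// Only the two capabilities from the PR's example; the kernel defines more.
var capBits = map[string]uint{"CAP_SETGID": 6, "CAP_SETUID": 7}

// EncodeFileCaps (hypothetical helper) turns one clause such as "CAP_SETGID+ep"
// into the little-endian vfs_cap_data value stored in security.capability.
func EncodeFileCaps(text string) ([]byte, error) {
	names, flags, ok := strings.Cut(text, "+")
	if !ok || flags == "" {
		return nil, fmt.Errorf("want NAME[,NAME]+flags, got %q", text)
	}
	var mask, permitted, inheritable uint64
	for _, n := range strings.Split(names, ",") {
		bit, known := capBits[strings.ToUpper(strings.TrimSpace(n))]
		if !known {
			return nil, fmt.Errorf("unknown capability %q", n)
		}
		mask |= 1 << bit
	}
	magic := uint32(vfsCapRevision2)
	for _, f := range flags {
		switch f {
		case 'e': // effective is a single flag bit, not a per-capability mask
			magic |= vfsCapFlagsEffective
		case 'p':
			permitted = mask
		case 'i':
			inheritable = mask
		default:
			return nil, fmt.Errorf("unknown flag %q", f)
		}
	}
	words := []uint32{magic, uint32(permitted), uint32(inheritable), uint32(permitted >> 32), uint32(inheritable >> 32)}
	out := make([]byte, 4*len(words))
	for i, w := range words {
		binary.LittleEndian.PutUint32(out[4*i:], w)
	}
	return out, nil
}
func main() { fmt.Println(EncodeFileCaps("CAP_SETGID+ep")) }
```

On a running system, `getcap` on the installed binary is a quick check that the image builder wrote the intended capability and nothing broader.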