From 373811bad4269de59d9ea572edc7837085563aaf Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 19 Sep 2020 10:43:31 +0200 Subject: [PATCH 1/5] libcontainer: rename cap variable as it collides with built-in Signed-off-by: Sebastiaan van Stijn --- libcontainer/capabilities_linux.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go index 9daef29e480..2996fef41d6 100644 --- a/libcontainer/capabilities_linux.go +++ b/libcontainer/capabilities_linux.go @@ -21,12 +21,12 @@ func init() { if last == capability.Cap(63) { last = capability.CAP_BLOCK_SUSPEND } - for _, cap := range capability.List() { - if cap > last { + for _, c := range capability.List() { + if c > last { continue } - capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) - capabilityMap[capKey] = cap + capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(c.String())) + capabilityMap[capKey] = c } } From b9e26ad8c6fc6f131d100b40f5bb46102bcf8a18 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 19 Sep 2020 10:45:38 +0200 Subject: [PATCH 2/5] libcontainer: remove workaround for RHEL6 kernels This was a workaround for RHEL6 (2.6.xx) kernels, which have not been supported by container runtimes for a long time, so should be safe to remove this workaround. Signed-off-by: Sebastiaan van Stijn --- libcontainer/capabilities_linux.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go index 2996fef41d6..a74c32efd3b 100644 --- a/libcontainer/capabilities_linux.go +++ b/libcontainer/capabilities_linux.go 
@@ -16,13 +16,8 @@ var capabilityMap map[string]capability.Cap func init() { capabilityMap = make(map[string]capability.Cap) - last := capability.CAP_LAST_CAP - // workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND - } for _, c := range capability.List() { - if c > last { + if c > capability.CAP_LAST_CAP { continue } capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(c.String())) From f5c96b746068c24861d8dd2142015f295c7351b5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 19 Sep 2020 10:58:56 +0200 Subject: [PATCH 3/5] libcontainer: remove unneeded sprintf and intermediate variable Signed-off-by: Sebastiaan van Stijn --- libcontainer/capabilities_linux.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go index a74c32efd3b..19361738397 100644 --- a/libcontainer/capabilities_linux.go +++ b/libcontainer/capabilities_linux.go @@ -20,8 +20,7 @@ func init() { if c > capability.CAP_LAST_CAP { continue } - capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(c.String())) - capabilityMap[capKey] = c + capabilityMap["CAP_"+strings.ToUpper(c.String())] = c } } From 8820a1459a6ad8fa95f43d38d26f8c6553737ace Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sat, 19 Sep 2020 11:04:29 +0200 Subject: [PATCH 4/5] libcontainer: initialize slices with length Signed-off-by: Sebastiaan van Stijn --- libcontainer/capabilities_linux.go | 32 +++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go index 19361738397..a353a5b3a4a 100644 --- a/libcontainer/capabilities_linux.go +++ b/libcontainer/capabilities_linux.go 
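Review bot: Dropping the `last` fallback also removes the only handling for an unreadable `/proc/sys/kernel/cap_last_cap`, which is what the removed `last == capability.Cap(63)` check was actually detecting, not only RHEL6. If the capability package still defaults `CAP_LAST_CAP` to 63 in that situation (worth confirming against the vendored library), the new `if c > capability.CAP_LAST_CAP` filter admits every entry of `capability.List()` into `capabilityMap`, so a config naming a capability the running kernel lacks would no longer be rejected with `unknown capability` here and would presumably only fail later when the set is applied. If that trade-off is intended, record it next to the filter: `// Caps above CAP_LAST_CAP are excluded so that config validation in newContainerCapList rejects capabilities the running kernel does not support.` The body of `init()` continues past the end of this hunk.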
@@ -15,7 +15,7 @@ const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS var capabilityMap map[string]capability.Cap func init() { - capabilityMap = make(map[string]capability.Cap) + capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1) for _, c := range capability.List() { if c > capability.CAP_LAST_CAP { continue 
@@ -25,45 +25,45 @@ func init() { } func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilities, error) { - bounding := []capability.Cap{} - for _, c := range capConfig.Bounding { + bounding := make([]capability.Cap, len(capConfig.Bounding)) + for i, c := range capConfig.Bounding { v, ok := capabilityMap[c] if !ok { return nil, fmt.Errorf("unknown capability %q", c) } - bounding = append(bounding, v) + bounding[i] = v } - effective := []capability.Cap{} - for _, c := range capConfig.Effective { + effective := make([]capability.Cap, len(capConfig.Effective)) + for i, c := range capConfig.Effective { v, ok := capabilityMap[c] if !ok { return nil, fmt.Errorf("unknown capability %q", c) } - effective = append(effective, v) + effective[i] = v } - inheritable := []capability.Cap{} - for _, c := range capConfig.Inheritable { + inheritable := make([]capability.Cap, len(capConfig.Inheritable)) + for i, c := range capConfig.Inheritable { v, ok := capabilityMap[c] if !ok { return nil, fmt.Errorf("unknown capability %q", c) } - inheritable = append(inheritable, v) + inheritable[i] = v } - permitted := []capability.Cap{} - for _, c := range capConfig.Permitted { + permitted := make([]capability.Cap, len(capConfig.Permitted)) + for i, c := range capConfig.Permitted { v, ok := capabilityMap[c] if !ok { return nil, fmt.Errorf("unknown capability %q", c) } - permitted = append(permitted, v) + permitted[i] = v } - ambient := []capability.Cap{} - for _, c := range capConfig.Ambient { + ambient := make([]capability.Cap, len(capConfig.Ambient)) + for i, c := range capConfig.Ambient { v, ok := capabilityMap[c] if !ok { return nil, fmt.Errorf("unknown capability %q", c) } - ambient = append(ambient, v) + ambient[i] = v } pid, err := capability.NewPid2(0) if err != nil { From 1c3af2751957ecdf9a40580983b35a4c1e1d6be8 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Sat, 19 Sep 2020 11:15:29 +0200 Subject: [PATCH 5/5] libcontainer: newContainerCapList() refactor to reduce duplicated code Signed-off-by: Sebastiaan van Stijn --- libcontainer/capabilities_linux.go | 77 ++++++++++++------------------ 1 file changed, 30 insertions(+), 47 deletions(-) diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go index a353a5b3a4a..551f9a809da 100644 --- a/libcontainer/capabilities_linux.go +++ b/libcontainer/capabilities_linux.go 
@@ -25,62 +25,45 @@ func init() { } func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilities, error) { - bounding := make([]capability.Cap, len(capConfig.Bounding)) - for i, c := range capConfig.Bounding { - v, ok := capabilityMap[c] - if !ok { - return nil, fmt.Errorf("unknown capability %q", c) - } - bounding[i] = v + var ( + err error + caps containerCapabilities + ) + + if caps.bounding, err = capSlice(capConfig.Bounding); err != nil { + return nil, err } - effective := make([]capability.Cap, len(capConfig.Effective)) - for i, c := range capConfig.Effective { - v, ok := capabilityMap[c] - if !ok { - return nil, fmt.Errorf("unknown capability %q", c) - } - effective[i] = v + if caps.effective, err = capSlice(capConfig.Effective); err != nil { + return nil, err } - inheritable := make([]capability.Cap, len(capConfig.Inheritable)) - for i, c := range capConfig.Inheritable { - v, ok := capabilityMap[c] - if !ok { - return nil, fmt.Errorf("unknown capability %q", c) - } - inheritable[i] = v + if caps.inheritable, err = capSlice(capConfig.Inheritable); err != nil { + return nil, err } - permitted := make([]capability.Cap, len(capConfig.Permitted)) - for i, c := range capConfig.Permitted { - v, ok := capabilityMap[c] - if !ok { - return nil, fmt.Errorf("unknown capability %q", c) - } - permitted[i] = v + if caps.permitted, err = capSlice(capConfig.Permitted); err != nil { + return nil, err } - ambient := make([]capability.Cap, len(capConfig.Ambient)) - for i, c := range capConfig.Ambient { - v, ok := capabilityMap[c] - if !ok { - return nil, fmt.Errorf("unknown capability %q", c) - } - ambient[i] = v + if caps.ambient, err = capSlice(capConfig.Ambient); err != nil { + return nil, err } - pid, err := capability.NewPid2(0) - if err != nil { + if caps.pid, err = capability.NewPid2(0); err != nil { return nil, err } - err = pid.Load() - if err != nil { + if err = caps.pid.Load(); err != nil { return nil, err } - return &containerCapabilities{ - 
bounding: bounding, - effective: effective, - inheritable: inheritable, - permitted: permitted, - ambient: ambient, - pid: pid, - }, nil + return &caps, nil +} + +func capSlice(caps []string) ([]capability.Cap, error) { + out := make([]capability.Cap, len(caps)) + for i, c := range caps { + v, ok := capabilityMap[c] + if !ok { + return nil, fmt.Errorf("unknown capability %q", c) + } + out[i] = v + } + return out, nil } type containerCapabilities struct {
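Review bot: `capSlice` is now the single validation point for user-supplied capability names but carries no doc comment explaining what a lookup miss means: because `capabilityMap` only holds capabilities up to `CAP_LAST_CAP`, the `unknown capability %q` error covers both a misspelled name and a valid name the running kernel does not support, which is fail-closed but easy to misread when debugging a container that will not start. I would add `// capSlice resolves capability names from the config to capability.Cap values. A name missing from capabilityMap — a typo or a capability above the running kernel's CAP_LAST_CAP — is an error, so the caller never silently gets a subset of the requested caps.` The `NewPid2(0)` and `Load()` errors in `newContainerCapList` are returned without context, so a caller cannot distinguish a bad config from a failure to read the current process's capability sets; wrapping them, e.g. `return nil, fmt.Errorf("loading current process capabilities: %w", err)` (or the error-wrapping helper this module already uses, if `%w` is not available at its Go version), would make that distinction visible in logs.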