From 1897217731bee50252b161a0e72df4aeee76258e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Tue, 29 Sep 2020 11:02:48 +0200
Subject: [PATCH] libcontainer: move capabilities to separate package
Signed-off-by: Sebastiaan van Stijn
---
 .../capabilities.go} | 14 ++++++++------
 .../capabilities/capabilities_unsupported.go | 3 +++
 libcontainer/init_linux.go | 12 ++++++------
 3 files changed, 17 insertions(+), 12 deletions(-)
 rename libcontainer/{capabilities_linux.go => capabilities/capabilities.go} (88%)
 create mode 100644 libcontainer/capabilities/capabilities_unsupported.go
diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities/capabilities.go
similarity index 88%
rename from libcontainer/capabilities_linux.go
rename to libcontainer/capabilities/capabilities.go
index 551f9a809da..adbf6330c48 100644
--- a/libcontainer/capabilities_linux.go
+++ b/libcontainer/capabilities/capabilities.go
@@ -1,6 +1,6 @@
 // +build linux
 
-package libcontainer
+package capabilities
 
 import (
 "fmt"
@@ -24,10 +24,11 @@ func init() {
 }
 }
 
-func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilities, error) {
+// New creates a new Caps from the given Capabilities config.
+func New(capConfig *configs.Capabilities) (*Caps, error) {
 var (
 err error
- caps containerCapabilities
+ caps Caps
 )
 
 if caps.bounding, err = capSlice(capConfig.Bounding); err != nil {
@@ -66,7 +67,8 @@ func capSlice(caps []string) ([]capability.Cap, error) {
 return out, nil
 }
 
-type containerCapabilities struct {
+// Caps holds the capabilities for a container.
+type Caps struct {
 pid capability.Capabilities
 bounding []capability.Cap
 effective []capability.Cap
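Review bot: The new `package capabilities` clause in the first hunk has no package doc comment, and now that `Caps` and `New` are exported from their own package, godoc will list it as undocumented. A single line directly above the clause, such as `// Package capabilities applies Linux capability sets to the current process.`, covers it; the `!linux` stub added later in this patch should not repeat it, so that godoc sees exactly one package comment.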
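Review bot: `New` is exported by the second hunk but still dereferences `capConfig` unconditionally on the `capSlice(capConfig.Bounding)` line, so a nil config from any caller outside this package panics instead of returning an error; the only caller in this patch (`finalizeNamespace` in init_linux.go) substitutes an empty `&configs.Capabilities{}` first, which is why the formerly unexported function never hit this. A guard at the top of the body, `if capConfig == nil { return nil, fmt.Errorf("capabilities config is nil") }`, keeps that contract inside the package (`fmt` is already imported in this file). The body of `New` continues past the end of the hunk.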
@@ -76,14 +78,14 @@ type containerCapabilities struct {
 }
 
 // ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
-func (c *containerCapabilities) ApplyBoundingSet() error {
+func (c *Caps) ApplyBoundingSet() error {
 c.pid.Clear(capability.BOUNDS)
 c.pid.Set(capability.BOUNDS, c.bounding...)
 return c.pid.Apply(capability.BOUNDS)
 }
 
 // Apply sets all the capabilities for the current process in the config.
-func (c *containerCapabilities) ApplyCaps() error {
+func (c *Caps) ApplyCaps() error {
 c.pid.Clear(allCapabilityTypes)
 c.pid.Set(capability.BOUNDS, c.bounding...)
 c.pid.Set(capability.PERMITTED, c.permitted...)
diff --git a/libcontainer/capabilities/capabilities_unsupported.go b/libcontainer/capabilities/capabilities_unsupported.go
new file mode 100644
index 00000000000..a3e82ac1fd4
--- /dev/null
+++ b/libcontainer/capabilities/capabilities_unsupported.go
@@ -0,0 +1,3 @@
+// +build !linux
+
+package capabilities
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
index bb8ff0b5266..301e6c4fd8d 100644
--- a/libcontainer/init_linux.go
+++ b/libcontainer/init_linux.go
@@ -13,9 +13,8 @@ import (
 "strings"
 "unsafe"
 
- "golang.org/x/sys/unix"
-
 "github.com/containerd/console"
+ "github.com/opencontainers/runc/libcontainer/capabilities"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/opencontainers/runc/libcontainer/configs"
 "github.com/opencontainers/runc/libcontainer/system"
@@ -25,6 +24,7 @@ import (
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
 "github.com/vishvananda/netlink"
+ "golang.org/x/sys/unix"
 )
 
 type initType string
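Review bot: The doc comment sitting above the renamed `ApplyCaps` receiver in the first hunk still reads `// Apply sets all the capabilities for the current process in the config.`, which does not start with the method name; now that `Caps` is an exported type in its own package, godoc and golint expect `// ApplyCaps sets all the capabilities for the current process in the config.` (the `ApplyBoundingSet` comment a few lines up is already in the right form). The body of `ApplyCaps` continues past the end of the hunk.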
@@ -129,13 +129,13 @@ func finalizeNamespace(config *initConfig) error {
 return errors.Wrap(err, "close exec fds")
 }
 
- capabilities := &configs.Capabilities{}
+ caps := &configs.Capabilities{}
 if config.Capabilities != nil {
- capabilities = config.Capabilities
+ caps = config.Capabilities
 } else if config.Config.Capabilities != nil {
- capabilities = config.Config.Capabilities
+ caps = config.Config.Capabilities
 }
- w, err := newContainerCapList(capabilities)
+ w, err := capabilities.New(caps)
 if err != nil {
 return err
 }