Skip to content

libcontainer: move capabilities to separate package #2607

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cyphar merged 1 commit into from
Feb 1, 2021
Merged

libcontainer: move capabilities to separate package #2607

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions libcontainer/capabilities_linux.go → libcontainer/capabilities/capabilities.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
// +build linux

package libcontainer
package capabilities

import (
"fmt"
Expand All @@ -24,10 +24,11 @@ func init() {
}
}

func newContainerCapList(capConfig *configs.Capabilities) (*containerCapabilities, error) {
// New creates a new Caps from the given Capabilities config.
func New(capConfig *configs.Capabilities) (*Caps, error) {
var (
err error
caps containerCapabilities
caps Caps
)

if caps.bounding, err = capSlice(capConfig.Bounding); err != nil {
Expand Down Expand Up @@ -66,7 +67,8 @@ func capSlice(caps []string) ([]capability.Cap, error) {
return out, nil
}

type containerCapabilities struct {
// Caps holds the capabilities for a container.
type Caps struct {
pid capability.Capabilities
bounding []capability.Cap
effective []capability.Cap
Expand All @@ -76,14 +78,14 @@ type containerCapabilities struct {
}

// ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
func (c *containerCapabilities) ApplyBoundingSet() error {
func (c *Caps) ApplyBoundingSet() error {
c.pid.Clear(capability.BOUNDS)
c.pid.Set(capability.BOUNDS, c.bounding...)
return c.pid.Apply(capability.BOUNDS)
}

// Apply sets all the capabilities for the current process in the config.
func (c *containerCapabilities) ApplyCaps() error {
func (c *Caps) ApplyCaps() error {
c.pid.Clear(allCapabilityTypes)
c.pid.Set(capability.BOUNDS, c.bounding...)
c.pid.Set(capability.PERMITTED, c.permitted...)
Expand Down
3 changes: 3 additions & 0 deletions libcontainer/capabilities/capabilities_unsupported.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
// +build !linux

package capabilities
12 changes: 6 additions & 6 deletions libcontainer/init_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,8 @@ import (
"strings"
"unsafe"

"golang.org/x/sys/unix"

"github.com/containerd/console"
"github.com/opencontainers/runc/libcontainer/capabilities"
"github.com/opencontainers/runc/libcontainer/cgroups"
"github.com/opencontainers/runc/libcontainer/configs"
"github.com/opencontainers/runc/libcontainer/system"
Expand All @@ -25,6 +24,7 @@ import (
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
)

type initType string
Expand Down Expand Up @@ -129,13 +129,13 @@ func finalizeNamespace(config *initConfig) error {
return errors.Wrap(err, "close exec fds")
}

capabilities := &configs.Capabilities{}
caps := &configs.Capabilities{}
if config.Capabilities != nil {
capabilities = config.Capabilities
caps = config.Capabilities
} else if config.Config.Capabilities != nil {
capabilities = config.Config.Capabilities
caps = config.Config.Capabilities
}
w, err := newContainerCapList(capabilities)
w, err := capabilities.New(caps)
if err != nil {
return err
}
Expand Down