add ApplyMode and implement it for AMBIENT

Signed-off-by: lifubang <lifubang@acmcoder.com>
moby · Sep 30, 2024 · be34d2f · be34d2f
1 parent 6d5ac2a
commit be34d2f
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 10 deletions.
diff --git a/capability/capability.go b/capability/capability.go
@@ -59,6 +59,9 @@ type Capabilities interface {
 	// Apply apply the capabilities settings, so all changes will take
 	// effect.
 	Apply(kind CapType) error
+
+	// SetApplyMode set the mode when appling the capabilities settings
+	SetApplyMode(mode ApplyMode)
 }
 
 // NewPid initializes a new [Capabilities] object for given pid when

diff --git a/capability/capability_linux.go b/capability/capability_linux.go
@@ -118,10 +118,11 @@ func newPid(pid int) (c Capabilities, retErr error) {
 }
 
 type capsV3 struct {
-	hdr     capHeader
-	data    [2]capData
-	bounds  [2]uint32
-	ambient [2]uint32
+	hdr       capHeader
+	data      [2]capData
+	bounds    [2]uint32
+	ambient   [2]uint32
+	applyMode ApplyMode
 }
 
 func (c *capsV3) Get(which CapType, what Cap) bool {
@@ -327,7 +328,7 @@ func (c *capsV3) Load() (err error) {
 	return
 }
 
-func (c *capsV3) Apply(kind CapType) (err error) {
+func (c *capsV3) Apply(kind CapType) (retErr error) {
 	last, err := LastCap()
 	if err != nil {
 		return err
@@ -336,7 +337,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 		var data [2]capData
 		err = capget(&c.hdr, &data[0])
 		if err != nil {
-			return
+			return err
 		}
 		if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
 			for i := Cap(0); i <= last; i++ {
@@ -350,7 +351,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 						err = nil
 						continue
 					}
-					return
+					return err
 				}
 			}
 		}
@@ -359,15 +360,15 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	if kind&CAPS == CAPS {
 		err = capset(&c.hdr, &c.data[0])
 		if err != nil {
-			return
+			return err
 		}
 	}
 
 	if kind&AMBS == AMBS {
 		err = prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
 		if err != nil && err != syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
 			// Ignore EINVAL as not supported on kernels before 4.3
-			return
+			return err
 		}
 		for i := Cap(0); i <= last; i++ {
 			if !c.Get(AMBIENT, i) {
@@ -380,14 +381,23 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 					err = nil
 					continue
 				}
-				return
+				// Stop on error when raising ambient caps.
+				if c.applyMode&CAP_AMBIENT_RAISE_STOPONERROR == CAP_AMBIENT_RAISE_STOPONERROR {
+					return err
+				}
+				// Greedy mode, raise ambient caps as many as possible and return the last error.
+				retErr = err
 			}
 		}
 	}
 
 	return
 }
 
+func (c *capsV3) SetApplyMode(mode ApplyMode) {
+	c.applyMode = mode
+}
+
 func newFile(path string) (c Capabilities, err error) {
 	c = &capsFile{path: path}
 	return
@@ -543,3 +553,7 @@ func (c *capsFile) Apply(kind CapType) (err error) {
 	}
 	return
 }
+
+func (c *capsFile) SetApplyMode(mode ApplyMode) {
+
+}
diff --git a/capability/enum.go b/capability/enum.go
@@ -41,6 +41,17 @@ const (
 	AMBS   = AMBIENT
 )
 
+// For sometimes, we need to ignore the error of raising ambient cap sets,
+// but sometimes are not, so we need this mode to let the user to have a choice.
+// The default mode is a greedy mode, it means raise ambient caps as many as possible
+// and return the last error.
+// Currently, there is only one mode, we keep this to add other modes in the future.
+type ApplyMode uint
+
+const (
+	CAP_AMBIENT_RAISE_STOPONERROR ApplyMode = 1 << iota /* Stop on error when raising ambient caps */
+)
+
 //go:generate go run enumgen/gen.go
 type Cap int