capability: add some api for ambient cap

Signed-off-by: lifubang <lifubang@acmcoder.com>
moby · Oct 13, 2024 · d3949d0 · d3949d0
1 parent f99b7fb
commit d3949d0
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 2 deletions.
diff --git a/capability/capability.go b/capability/capability.go
@@ -142,3 +142,18 @@ func NewFile2(path string) (Capabilities, error) {
 func LastCap() (Cap, error) {
 	return lastCap()
 }
+
+// AmbientRaise raises specified ambient capabilities for the calling process.
+func AmbientRaise(cap ...Cap) error {
+	return ambientRaise(cap...)
+}
+
+// AmbientLower lowers specified ambient capabilities for the calling process.
+func AmbientLower(cap ...Cap) error {
+	return ambientLower(cap...)
+}
+
+// AmbientClearAll lowers all ambient capabilities for the calling process.
+func AmbientClearAll() error {
+	return ambientClearAll()
+}
diff --git a/capability/capability_linux.go b/capability/capability_linux.go
@@ -367,8 +367,8 @@ func (c *capsV3) Apply(kind CapType) error {
 	}
 
 	if kind&AMBS == AMBS {
-		err = ignoreEINVAL(prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0))
 		// Ignore EINVAL as not supported on kernels before 4.3
+		err = ignoreEINVAL(ambientClearAll())
 		if err != nil {
 			return err
 		}
@@ -377,7 +377,7 @@ func (c *capsV3) Apply(kind CapType) error {
 				continue
 			}
 			// Ignore EINVAL as not supported on kernels before 4.3
-			err = ignoreEINVAL(prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_RAISE, uintptr(i), 0, 0))
+			err = ignoreEINVAL(ambientRaise(i))
 			if err != nil {
 				return err
 			}
@@ -387,6 +387,28 @@ func (c *capsV3) Apply(kind CapType) error {
 	return nil
 }
 
+func setAmbient(op uintptr, cap ...Cap) error {
+	for _, val := range cap {
+		err := prctl(pr_CAP_AMBIENT, op, uintptr(val), 0, 0)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func ambientRaise(cap ...Cap) error {
+	return setAmbient(pr_CAP_AMBIENT_RAISE, cap...)
+}
+
+func ambientLower(cap ...Cap) error {
+	return setAmbient(pr_CAP_AMBIENT_RAISE, cap...)
+}
+
+func ambientClearAll() error {
+	return prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0)
+}
+
 func newFile(path string) (c Capabilities, err error) {
 	c = &capsFile{path: path}
 	return

diff --git a/capability/capability_noop.go b/capability/capability_noop.go
@@ -24,3 +24,15 @@ func newFile(_ string) (Capabilities, error) {
 func lastCap() (Cap, error) {
 	return -1, errNotSup
 }
+
+func ambientRaise(cap ...Cap) error {
+	return errNotSup
+}
+
+func ambientLower(cap ...Cap) error {
+	return errNotSup
+}
+
+func ambientClearAll() error {
+	return errNotSup
+}