diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go index 41ebea6bb..1fa57363f 100644 --- a/cmd/runtimetest/main.go +++ b/cmd/runtimetest/main.go @@ -15,9 +15,9 @@ import ( "syscall" "github.com/mndrix/tap-go" + "github.com/moby/sys/capability" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/sirupsen/logrus" - "github.com/syndtr/gocapability/capability" "github.com/urfave/cli" "github.com/opencontainers/runtime-tools/cmd/runtimetest/mount" @@ -265,10 +265,9 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error { return nil } - last := capability.CAP_LAST_CAP - // workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND + supportedCaps, err := capability.ListSupported() + if err != nil { + return err } processCaps, err := capability.NewPid2(0) @@ -309,11 +308,7 @@ func (c *complianceTester) validateCapabilities(spec *rspec.Spec) error { expectedCaps[ec] = true } - for _, cap := range capability.List() { - if cap > last { - continue - } - + for _, cap := range supportedCaps { capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) expectedSet := expectedCaps[capKey] actuallySet := processCaps.Get(capType.capType, cap) diff --git a/generate/generate.go b/generate/generate.go index 3e8f9ca64..ae5a9984b 100644 --- a/generate/generate.go +++ b/generate/generate.go @@ -8,10 +8,10 @@ import ( "os" "strings" + "github.com/moby/sys/capability" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate/seccomp" capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities" - "github.com/syndtr/gocapability/capability" ) var ( @@ -1135,10 +1135,11 @@ func (g *Generator) ClearMounts() { func (g *Generator) SetupPrivileged(privileged bool) { if privileged { // Add all capabilities in privileged mode. var finalCapList []string - for _, cap := range capability.List() { - if g.HostSpecific && cap > capsCheck.LastCap() { - continue - } + capList := capability.ListKnown() + if g.HostSpecific { + capList, _ = capability.ListSupported() + } + for _, cap := range capList { finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))) } g.initConfigLinux() diff --git a/go.mod b/go.mod index bcf85b437..1582bcb48 100644 --- a/go.mod +++ b/go.mod @@ -1,18 +1,18 @@ module github.com/opencontainers/runtime-tools -go 1.19 +go 1.21 require ( github.com/blang/semver/v4 v4.0.0 github.com/google/uuid v1.3.0 github.com/hashicorp/go-multierror v1.1.1 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b + github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478 github.com/mrunalp/fileutils v0.5.0 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb github.com/opencontainers/selinux v1.9.1 github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.3.0 - github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 github.com/urfave/cli v1.19.1 github.com/xeipuuv/gojsonschema v1.2.0 golang.org/x/sys v0.1.0 diff --git a/go.sum b/go.sum index 38309af0f..1ad5dc2ee 100644 --- a/go.sum +++ b/go.sum @@ -11,6 +11,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b h1:Ga1nclDSe8gOw37MVLMhfu2QKWtD6gvtQ298zsKVh8g= github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs= +github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478 h1:L1of2hA2QHy7I07JaRddpvaDL6D72xYzRLkJp8OibzA= +github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I= github.com/mrunalp/fileutils v0.5.0 h1:NKzVxiH7eSk+OQ4M+ZYW1K6h27RUV3MI6NUTsHhU6Z4= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb h1:1xSVPOd7/UA+39/hXEGnBJ13p6JFB0E1EvQFlrRDOXI= @@ -25,8 +27,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/urfave/cli v1.19.1 h1:0mKm4ZoB74PxYmZVua162y1dGt1qc10MyymYRBf3lb8= github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c= diff --git a/validate/capabilities/lastcap.go b/validate/capabilities/lastcap.go new file mode 100644 index 000000000..34e5d553c --- /dev/null +++ b/validate/capabilities/lastcap.go @@ -0,0 +1,16 @@ +package capabilities + +import ( + "github.com/moby/sys/capability" +) + +// LastCap return last cap of system +// +// Deprecated: use github.com/moby/sys/capability.LastCap instead. +func LastCap() capability.Cap { + last, err := capability.LastCap() + if err != nil { + return -1 + } + return last +} diff --git a/validate/capabilities/validate.go b/validate/capabilities/validate.go index 7fa47b77c..572e70810 100644 --- a/validate/capabilities/validate.go +++ b/validate/capabilities/validate.go @@ -3,29 +3,43 @@ package capabilities import ( "fmt" "strings" + "sync" - "github.com/syndtr/gocapability/capability" + "github.com/moby/sys/capability" ) -// CapValid checks whether a capability is valid +// CapValid checks whether a capability is valid. If hostSpecific is set, +// it also checks that the capability is supported on the current host. func CapValid(c string, hostSpecific bool) error { - isValid := false - if !strings.HasPrefix(c, "CAP_") { return fmt.Errorf("capability %s must start with CAP_", c) } - for _, cap := range capability.List() { - if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) { - if hostSpecific && cap > LastCap() { - return fmt.Errorf("%s is not supported on the current host", c) - } - isValid = true - break - } - } - if !isValid { + if _, ok := knownCaps()[c]; !ok { return fmt.Errorf("invalid capability: %s", c) } + if !hostSpecific { + return nil + } + if _, ok := supportedCaps()[c]; !ok { + return fmt.Errorf("%s is not supported on the current host", c) + } return nil } + +func capSet(list []capability.Cap) map[string]struct{} { + m := make(map[string]struct{}, len(list)) + for _, c := range list { + m["CAP_"+strings.ToUpper(c.String())] = struct{}{} + } + return m +} + +var knownCaps = sync.OnceValue(func() map[string]struct{} { + return capSet(capability.ListKnown()) +}) + +var supportedCaps = sync.OnceValue(func() map[string]struct{} { + list, _ := capability.ListSupported() + return capSet(list) +}) diff --git a/validate/capabilities/validate_linux.go b/validate/capabilities/validate_linux.go deleted file mode 100644 index f6cb0d550..000000000 --- a/validate/capabilities/validate_linux.go +++ /dev/null @@ -1,16 +0,0 @@ -package capabilities - -import ( - "github.com/syndtr/gocapability/capability" -) - -// LastCap return last cap of system -func LastCap() capability.Cap { - last := capability.CAP_LAST_CAP - // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap - if last == capability.Cap(63) { - last = capability.CAP_BLOCK_SUSPEND - } - - return last -} diff --git a/validate/capabilities/validate_unsupported.go b/validate/capabilities/validate_unsupported.go deleted file mode 100644 index e4aed632c..000000000 --- a/validate/capabilities/validate_unsupported.go +++ /dev/null @@ -1,13 +0,0 @@ -//go:build !linux -// +build !linux - -package capabilities - -import ( - "github.com/syndtr/gocapability/capability" -) - -// LastCap return last cap of system -func LastCap() capability.Cap { - return capability.Cap(-1) -} diff --git a/validate/validate.go b/validate/validate.go index ce7b5ed81..065cdea1b 100644 --- a/validate/validate.go +++ b/validate/validate.go @@ -692,6 +692,11 @@ func CapValid(c string, hostSpecific bool) error { return capsCheck.CapValid(c, hostSpecific) } +// LastCap return last cap of system +// +// Deprecated: use github.com/moby/sys/capability.LastCap directly. +var LastCap = capsCheck.LastCap + func envValid(env string) bool { items := strings.Split(env, "=") if len(items) < 2 { diff --git a/validate/validate_linux.go b/validate/validate_linux.go index e11da5625..9aaff1207 100644 --- a/validate/validate_linux.go +++ b/validate/validate_linux.go @@ -15,16 +15,10 @@ import ( rspec "github.com/opencontainers/runtime-spec/specs-go" osFilepath "github.com/opencontainers/runtime-tools/filepath" "github.com/opencontainers/runtime-tools/specerror" - capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities" "github.com/opencontainers/selinux/go-selinux/label" "github.com/sirupsen/logrus" ) -// LastCap return last cap of system -// -// Deprecated: use github.com/opencontainers/runtime-tools/validate/capabilities.LastCap directly. -var LastCap = capsCheck.LastCap - func deviceValid(d rspec.LinuxDevice) bool { switch d.Type { case "b", "c", "u": diff --git a/validate/validate_unsupported.go b/validate/validate_unsupported.go index 313ec3995..2ffa8811a 100644 --- a/validate/validate_unsupported.go +++ b/validate/validate_unsupported.go @@ -3,15 +3,6 @@ package validate -import ( - "github.com/syndtr/gocapability/capability" -) - -// LastCap return last cap of system -func LastCap() capability.Cap { - return capability.Cap(-1) -} - // CheckLinux is a noop on this platform func (v *Validator) CheckLinux() (errs error) { return nil diff --git a/vendor/github.com/moby/sys/capability/.codespellrc b/vendor/github.com/moby/sys/capability/.codespellrc new file mode 100644 index 000000000..e874be563 --- /dev/null +++ b/vendor/github.com/moby/sys/capability/.codespellrc @@ -0,0 +1,3 @@ +[codespell] +skip = ./.git +ignore-words-list = nd diff --git a/vendor/github.com/moby/sys/capability/.golangci.yml b/vendor/github.com/moby/sys/capability/.golangci.yml new file mode 100644 index 000000000..d775aadd6 --- /dev/null +++ b/vendor/github.com/moby/sys/capability/.golangci.yml @@ -0,0 +1,6 @@ +linters: + enable: + - unconvert + - unparam + - gofumpt + - errorlint diff --git a/vendor/github.com/moby/sys/capability/CHANGELOG.md b/vendor/github.com/moby/sys/capability/CHANGELOG.md new file mode 100644 index 000000000..7e5aed854 --- /dev/null +++ b/vendor/github.com/moby/sys/capability/CHANGELOG.md @@ -0,0 +1,73 @@ +# Changelog +This file documents all notable changes made to this project since the initial fork +from https://github.com/syndtr/gocapability/commit/42c35b4376354fd5. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [0.2.0] - 2024-09-16 + +This is the first release after the move to a new home in +github.com/moby/sys/capability. + +### Fixed + * Fixed URLs in documentation to reflect the new home. + +## [0.1.1] - 2024-08-01 + +This is a maintenance release, fixing a few minor issues. + +### Fixed + * Fixed future kernel compatibility, for real this time. [#11] + * Fixed [LastCap] to be a function. [#12] + +## [0.1.0] - 2024-07-31 + +This is an initial release since the fork. + +### Breaking changes + + * The `CAP_LAST_CAP` variable is removed; users need to modify the code to + use [LastCap] to get the value. [#6] + * The code now requires Go >= 1.21. + +### Added + * `go.mod` and `go.sum` files. [#2] + * New [LastCap] function. [#6] + * Basic CI using GHA infra. [#8], [#9] + * README and CHANGELOG. [#10] + +### Fixed + * Fixed ambient capabilities error handling in [Apply]. [#3] + * Fixed future kernel compatibility. [#1] + * Fixed various linter warnings. [#4], [#7] + +### Changed + * Go build tags changed from old-style (`+build`) to new Go 1.17+ style (`go:build`). [#2] + +### Removed + * Removed support for capabilities v1 and v2. [#1] + * Removed init function so programs that use this package start faster. [#6] + * Removed `CAP_LAST_CAP` (use [LastCap] instead). [#6] + + +[Apply]: https://pkg.go.dev/github.com/moby/sys/capability#Capabilities.Apply +[LastCap]: https://pkg.go.dev/github.com/moby/sys/capability#LastCap + + +[0.2.0]: https://github.com/moby/sys/releases/tag/capability%2Fv0.2.0 +[0.1.1]: https://github.com/kolyshkin/capability/compare/v0.1.0...v0.1.1 +[0.1.0]: https://github.com/kolyshkin/capability/compare/42c35b4376354fd5...v0.1.0 + + +[#1]: https://github.com/kolyshkin/capability/pull/1 +[#2]: https://github.com/kolyshkin/capability/pull/2 +[#3]: https://github.com/kolyshkin/capability/pull/3 +[#4]: https://github.com/kolyshkin/capability/pull/4 +[#6]: https://github.com/kolyshkin/capability/pull/6 +[#7]: https://github.com/kolyshkin/capability/pull/7 +[#8]: https://github.com/kolyshkin/capability/pull/8 +[#9]: https://github.com/kolyshkin/capability/pull/9 +[#10]: https://github.com/kolyshkin/capability/pull/10 +[#11]: https://github.com/kolyshkin/capability/pull/11 +[#12]: https://github.com/kolyshkin/capability/pull/12 diff --git a/vendor/github.com/syndtr/gocapability/LICENSE b/vendor/github.com/moby/sys/capability/LICENSE similarity index 97% rename from vendor/github.com/syndtr/gocapability/LICENSE rename to vendor/github.com/moby/sys/capability/LICENSE index 80dd96de7..08adcd6ec 100644 --- a/vendor/github.com/syndtr/gocapability/LICENSE +++ b/vendor/github.com/moby/sys/capability/LICENSE @@ -1,3 +1,4 @@ +Copyright 2023 The Capability Authors. Copyright 2013 Suryandaru Triandana All rights reserved. diff --git a/vendor/github.com/moby/sys/capability/README.md b/vendor/github.com/moby/sys/capability/README.md new file mode 100644 index 000000000..84b74871a --- /dev/null +++ b/vendor/github.com/moby/sys/capability/README.md @@ -0,0 +1,13 @@ +This is a fork of (apparently no longer maintained) +https://github.com/syndtr/gocapability package. It provides basic primitives to +work with [Linux capabilities][capabilities(7)]. + +For changes, see [CHANGELOG.md](./CHANGELOG.md). + +[![Go Reference](https://pkg.go.dev/badge/github.com/moby/sys/capability/capability.svg)](https://pkg.go.dev/github.com/moby/sys/capability) + +## Alternatives + + * https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap + +[capabilities(7)]: https://man7.org/linux/man-pages/man7/capabilities.7.html diff --git a/vendor/github.com/syndtr/gocapability/capability/capability.go b/vendor/github.com/moby/sys/capability/capability.go similarity index 65% rename from vendor/github.com/syndtr/gocapability/capability/capability.go rename to vendor/github.com/moby/sys/capability/capability.go index 61a90775e..1b36f5f22 100644 --- a/vendor/github.com/syndtr/gocapability/capability/capability.go +++ b/vendor/github.com/moby/sys/capability/capability.go @@ -1,8 +1,9 @@ -// Copyright (c) 2013, Suryandaru Triandana +// Copyright 2023 The Capability Authors. +// Copyright 2013 Suryandaru Triandana // All rights reserved. // -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. // Package capability provides utilities for manipulating POSIX capabilities. package capability @@ -60,26 +61,27 @@ type Capabilities interface { Apply(kind CapType) error } -// NewPid initializes a new Capabilities object for given pid when +// NewPid initializes a new [Capabilities] object for given pid when // it is nonzero, or for the current process if pid is 0. // -// Deprecated: Replace with NewPid2. For example, replace: +// Deprecated: Replace with [NewPid2] followed by [Capabilities.Load]. +// For example, replace: // -// c, err := NewPid(0) -// if err != nil { -// return err -// } +// c, err := NewPid(0) +// if err != nil { +// return err +// } // // with: // -// c, err := NewPid2(0) -// if err != nil { -// return err -// } -// err = c.Load() -// if err != nil { -// return err -// } +// c, err := NewPid2(0) +// if err != nil { +// return err +// } +// err = c.Load() +// if err != nil { +// return err +// } func NewPid(pid int) (Capabilities, error) { c, err := newPid(pid) if err != nil { @@ -89,33 +91,34 @@ func NewPid(pid int) (Capabilities, error) { return c, err } -// NewPid2 initializes a new Capabilities object for given pid when -// it is nonzero, or for the current process if pid is 0. This +// NewPid2 initializes a new [Capabilities] object for given pid when +// it is nonzero, or for the current process if pid is 0. This // does not load the process's current capabilities; to do that you -// must call Load explicitly. +// must call [Capabilities.Load] explicitly. func NewPid2(pid int) (Capabilities, error) { return newPid(pid) } // NewFile initializes a new Capabilities object for given file path. // -// Deprecated: Replace with NewFile2. For example, replace: +// Deprecated: Replace with [NewFile2] followed by [Capabilities.Load]. +// For example, replace: // -// c, err := NewFile(path) -// if err != nil { -// return err -// } +// c, err := NewFile(path) +// if err != nil { +// return err +// } // // with: // -// c, err := NewFile2(path) -// if err != nil { -// return err -// } -// err = c.Load() -// if err != nil { -// return err -// } +// c, err := NewFile2(path) +// if err != nil { +// return err +// } +// err = c.Load() +// if err != nil { +// return err +// } func NewFile(path string) (Capabilities, error) { c, err := newFile(path) if err != nil { @@ -125,9 +128,17 @@ func NewFile(path string) (Capabilities, error) { return c, err } -// NewFile2 creates a new initialized Capabilities object for given -// file path. This does not load the process's current capabilities; -// to do that you must call Load explicitly. +// NewFile2 creates a new initialized [Capabilities] object for given +// file path. This does not load the process's current capabilities; +// to do that you must call [Capabilities.Load] explicitly. func NewFile2(path string) (Capabilities, error) { return newFile(path) } + +// LastCap returns highest valid capability of the running kernel, +// or an error if it can not be obtained. +// +// See also: [ListSupported]. +func LastCap() (Cap, error) { + return lastCap() +} diff --git a/vendor/github.com/syndtr/gocapability/capability/capability_linux.go b/vendor/github.com/moby/sys/capability/capability_linux.go similarity index 68% rename from vendor/github.com/syndtr/gocapability/capability/capability_linux.go rename to vendor/github.com/moby/sys/capability/capability_linux.go index 1567dc810..aa600e1d9 100644 --- a/vendor/github.com/syndtr/gocapability/capability/capability_linux.go +++ b/vendor/github.com/moby/sys/capability/capability_linux.go @@ -1,8 +1,9 @@ -// Copyright (c) 2013, Suryandaru Triandana +// Copyright 2023 The Capability Authors. +// Copyright 2013 Suryandaru Triandana // All rights reserved. // -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. package capability @@ -12,62 +13,53 @@ import ( "fmt" "io" "os" + "strconv" "strings" + "sync" "syscall" ) -var errUnknownVers = errors.New("unknown capability version") - const ( - linuxCapVer1 = 0x19980330 - linuxCapVer2 = 0x20071026 + linuxCapVer1 = 0x19980330 // No longer supported. + linuxCapVer2 = 0x20071026 // No longer supported. linuxCapVer3 = 0x20080522 ) -var ( - capVers uint32 - capLastCap Cap -) - -func init() { - var hdr capHeader - capget(&hdr, nil) - capVers = hdr.version - - if initLastCap() == nil { - CAP_LAST_CAP = capLastCap - if capLastCap > 31 { - capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1 - } else { - capUpperMask = 0 - } - } -} - -func initLastCap() error { - if capLastCap != 0 { - return nil - } - +var lastCap = sync.OnceValues(func() (Cap, error) { f, err := os.Open("/proc/sys/kernel/cap_last_cap") if err != nil { - return err + return 0, err } - defer f.Close() - var b []byte = make([]byte, 11) - _, err = f.Read(b) + buf := make([]byte, 11) + l, err := f.Read(buf) + f.Close() if err != nil { - return err + return 0, err } + buf = buf[:l] - fmt.Sscanf(string(b), "%d", &capLastCap) + last, err := strconv.Atoi(strings.TrimSpace(string(buf))) + if err != nil { + return 0, err + } + return Cap(last), nil +}) - return nil +func capUpperMask() uint32 { + last, err := lastCap() + if err != nil || last < 32 { + return 0 + } + return (uint32(1) << (uint(last) - 31)) - 1 } func mkStringCap(c Capabilities, which CapType) (ret string) { - for i, first := Cap(0), true; i <= CAP_LAST_CAP; i++ { + last, err := lastCap() + if err != nil { + return "" + } + for i, first := Cap(0), true; i <= last; i++ { if !c.Get(which, i) { continue } @@ -98,138 +90,33 @@ func mkString(c Capabilities, max CapType) (ret string) { return } -func newPid(pid int) (c Capabilities, err error) { - switch capVers { - case linuxCapVer1: - p := new(capsV1) - p.hdr.version = capVers - p.hdr.pid = int32(pid) - c = p - case linuxCapVer2, linuxCapVer3: +var capVersion = sync.OnceValues(func() (uint32, error) { + var hdr capHeader + err := capget(&hdr, nil) + return hdr.version, err +}) + +func newPid(pid int) (c Capabilities, retErr error) { + ver, err := capVersion() + if err != nil { + retErr = fmt.Errorf("unable to get capability version from the kernel: %w", err) + return + } + switch ver { + case linuxCapVer1, linuxCapVer2: + retErr = errors.New("old/unsupported capability version (kernel older than 2.6.26?)") + default: + // Either linuxCapVer3, or an unknown/future version (such as v4). + // In the latter case, we fall back to v3 as the latest version known + // to this package, as kernel should be backward-compatible to v3. p := new(capsV3) - p.hdr.version = capVers + p.hdr.version = linuxCapVer3 p.hdr.pid = int32(pid) c = p - default: - err = errUnknownVers - return - } - return -} - -type capsV1 struct { - hdr capHeader - data capData -} - -func (c *capsV1) Get(which CapType, what Cap) bool { - if what > 32 { - return false - } - - switch which { - case EFFECTIVE: - return (1< 32 { - continue - } - - if which&EFFECTIVE != 0 { - c.data.effective |= 1 << uint(what) - } - if which&PERMITTED != 0 { - c.data.permitted |= 1 << uint(what) - } - if which&INHERITABLE != 0 { - c.data.inheritable |= 1 << uint(what) - } - } -} - -func (c *capsV1) Unset(which CapType, caps ...Cap) { - for _, what := range caps { - if what > 32 { - continue - } - - if which&EFFECTIVE != 0 { - c.data.effective &= ^(1 << uint(what)) - } - if which&PERMITTED != 0 { - c.data.permitted &= ^(1 << uint(what)) - } - if which&INHERITABLE != 0 { - c.data.inheritable &= ^(1 << uint(what)) - } - } -} - -func (c *capsV1) Fill(kind CapType) { - if kind&CAPS == CAPS { - c.data.effective = 0x7fffffff - c.data.permitted = 0x7fffffff - c.data.inheritable = 0 - } -} - -func (c *capsV1) Clear(kind CapType) { - if kind&CAPS == CAPS { - c.data.effective = 0 - c.data.permitted = 0 - c.data.inheritable = 0 - } -} - -func (c *capsV1) StringCap(which CapType) (ret string) { - return mkStringCap(c, which) -} - -func (c *capsV1) String() (ret string) { - return mkString(c, BOUNDING) -} - -func (c *capsV1) Load() (err error) { - return capget(&c.hdr, &c.data) -} - -func (c *capsV1) Apply(kind CapType) error { - if kind&CAPS == CAPS { - return capset(&c.hdr, &c.data) - } - return nil -} - type capsV3 struct { hdr capHeader data [2]capData @@ -292,7 +179,8 @@ func (c *capsV3) Full(which CapType) bool { if (data[0] & 0xffffffff) != 0xffffffff { return false } - return (data[1] & capUpperMask) == capUpperMask + mask := capUpperMask() + return (data[1] & mask) == mask } func (c *capsV3) Set(which CapType, caps ...Cap) { @@ -401,15 +289,12 @@ func (c *capsV3) Load() (err error) { return } - var status_path string - - if c.hdr.pid == 0 { - status_path = fmt.Sprintf("/proc/self/status") - } else { - status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid) + path := "/proc/self/status" + if c.hdr.pid != 0 { + path = fmt.Sprintf("/proc/%d/status", c.hdr.pid) } - f, err := os.Open(status_path) + f, err := os.Open(path) if err != nil { return } @@ -423,11 +308,17 @@ func (c *capsV3) Load() (err error) { break } if strings.HasPrefix(line, "CapB") { - fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0]) + _, err = fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0]) + if err != nil { + break + } continue } if strings.HasPrefix(line, "CapA") { - fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0]) + _, err = fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0]) + if err != nil { + break + } continue } } @@ -437,6 +328,10 @@ func (c *capsV3) Load() (err error) { } func (c *capsV3) Apply(kind CapType) (err error) { + last, err := LastCap() + if err != nil { + return err + } if kind&BOUNDS == BOUNDS { var data [2]capData err = capget(&c.hdr, &data[0]) @@ -444,14 +339,14 @@ func (c *capsV3) Apply(kind CapType) (err error) { return } if (1< +// All rights reserved. +// +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !linux + +package capability + +import "errors" + +var errNotSup = errors.New("not supported") + +func newPid(_ int) (Capabilities, error) { + return nil, errNotSup +} + +func newFile(_ string) (Capabilities, error) { + return nil, errNotSup +} + +func lastCap() (Cap, error) { + return -1, errNotSup +} diff --git a/vendor/github.com/syndtr/gocapability/capability/enum.go b/vendor/github.com/moby/sys/capability/enum.go similarity index 91% rename from vendor/github.com/syndtr/gocapability/capability/enum.go rename to vendor/github.com/moby/sys/capability/enum.go index ad1078531..f89f0273a 100644 --- a/vendor/github.com/syndtr/gocapability/capability/enum.go +++ b/vendor/github.com/moby/sys/capability/enum.go @@ -1,11 +1,14 @@ -// Copyright (c) 2013, Suryandaru Triandana +// Copyright 2024 The Capability Authors. +// Copyright 2013 Suryandaru Triandana // All rights reserved. // -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. package capability +import "slices" + type CapType uint func (c CapType) String() string { @@ -301,9 +304,27 @@ const ( CAP_CHECKPOINT_RESTORE = Cap(40) ) -var ( - // Highest valid capability of the running kernel. - CAP_LAST_CAP = Cap(63) +// List returns the list of all capabilities known to the package. +// +// Deprecated: use [ListKnown] or [ListSupported] instead. +func List() []Cap { + return ListKnown() +} - capUpperMask = ^uint32(0) -) +// ListKnown returns the list of all capabilities known to the package. +func ListKnown() []Cap { + return list() +} + +// ListSupported retuns the list of all capabilities known to the package, +// except those that are not supported by the currently running Linux kernel. +func ListSupported() ([]Cap, error) { + last, err := LastCap() + if err != nil { + return nil, err + } + return slices.DeleteFunc(list(), func(c Cap) bool { + // Remove caps not supported by the kernel. + return c > last + }), nil +} diff --git a/vendor/github.com/syndtr/gocapability/capability/enum_gen.go b/vendor/github.com/moby/sys/capability/enum_gen.go similarity index 94% rename from vendor/github.com/syndtr/gocapability/capability/enum_gen.go rename to vendor/github.com/moby/sys/capability/enum_gen.go index 2ff9bf4d8..f72cd43a6 100644 --- a/vendor/github.com/syndtr/gocapability/capability/enum_gen.go +++ b/vendor/github.com/moby/sys/capability/enum_gen.go @@ -1,4 +1,4 @@ -// generated file; DO NOT EDIT - use go generate in directory with source +// Code generated by go generate; DO NOT EDIT. package capability @@ -90,8 +90,7 @@ func (c Cap) String() string { return "unknown" } -// List returns list of all supported capabilities -func List() []Cap { +func list() []Cap { return []Cap{ CAP_CHOWN, CAP_DAC_OVERRIDE, diff --git a/vendor/github.com/syndtr/gocapability/capability/syscall_linux.go b/vendor/github.com/moby/sys/capability/syscall_linux.go similarity index 93% rename from vendor/github.com/syndtr/gocapability/capability/syscall_linux.go rename to vendor/github.com/moby/sys/capability/syscall_linux.go index 3d2bf6927..d6b6932a9 100644 --- a/vendor/github.com/syndtr/gocapability/capability/syscall_linux.go +++ b/vendor/github.com/moby/sys/capability/syscall_linux.go @@ -1,8 +1,9 @@ -// Copyright (c) 2013, Suryandaru Triandana +// Copyright 2024 The Capability Authors. +// Copyright 2013 Suryandaru Triandana // All rights reserved. // -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. package capability @@ -79,9 +80,7 @@ type vfscapData struct { version int8 } -var ( - _vfsXattrName *byte -) +var _vfsXattrName *byte func init() { _vfsXattrName, _ = syscall.BytePtrFromString(vfsXattrName) diff --git a/vendor/github.com/syndtr/gocapability/capability/capability_noop.go b/vendor/github.com/syndtr/gocapability/capability/capability_noop.go deleted file mode 100644 index 9bb3070c5..000000000 --- a/vendor/github.com/syndtr/gocapability/capability/capability_noop.go +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright (c) 2013, Suryandaru Triandana -// All rights reserved. -// -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -// +build !linux - -package capability - -import "errors" - -func newPid(pid int) (Capabilities, error) { - return nil, errors.New("not supported") -} - -func newFile(path string) (Capabilities, error) { - return nil, errors.New("not supported") -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 4d41c6e04..50a357ff4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -16,6 +16,9 @@ github.com/hashicorp/go-multierror # github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b ## explicit github.com/mndrix/tap-go +# github.com/moby/sys/capability v0.2.1-0.20240925213336-aaea55a66478 +## explicit; go 1.21 +github.com/moby/sys/capability # github.com/mrunalp/fileutils v0.5.0 ## explicit; go 1.13 github.com/mrunalp/fileutils @@ -37,9 +40,6 @@ github.com/sirupsen/logrus # github.com/stretchr/testify v1.3.0 ## explicit github.com/stretchr/testify/assert -# github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 -## explicit -github.com/syndtr/gocapability/capability # github.com/urfave/cli v1.19.1 ## explicit github.com/urfave/cli