Merge pull request #302 from mrunalp/cap_list

Update github.com/syndtr/gocapability/capability to 2c00daeb6c3b4
This commit is contained in:
Alexander Morozov 2015-09-25 08:49:44 -07:00
commit 902ccd0f18
7 changed files with 246 additions and 130 deletions

2
Godeps/Godeps.json generated
View File

@ -62,7 +62,7 @@
},
{
"ImportPath": "github.com/syndtr/gocapability/capability",
"Rev": "e55e5833692b49e49a0073ad5baf7803f21bebf4"
"Rev": "2c00daeb6c3b45114c80ac44119e7b8801fdd852"
},
{
"ImportPath": "github.com/vishvananda/netlink",

View File

@ -417,10 +417,6 @@ func (c *capsV3) Load() (err error) {
}
func (c *capsV3) Apply(kind CapType) (err error) {
err = initLastCap()
if err != nil {
return
}
if kind&BOUNDS == BOUNDS {
var data [2]capData
err = capget(&c.hdr, &data[0])
@ -428,7 +424,7 @@ func (c *capsV3) Apply(kind CapType) (err error) {
return
}
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
for i := Cap(0); i <= capLastCap; i++ {
for i := Cap(0); i <= CAP_LAST_CAP; i++ {
if c.Get(BOUNDING, i) {
continue
}

View File

@ -34,90 +34,9 @@ const (
BOUNDS = BOUNDING
)
//go:generate go run enumgen/gen.go
type Cap int
func (c Cap) String() string {
switch c {
case CAP_CHOWN:
return "chown"
case CAP_DAC_OVERRIDE:
return "dac_override"
case CAP_DAC_READ_SEARCH:
return "dac_read_search"
case CAP_FOWNER:
return "fowner"
case CAP_FSETID:
return "fsetid"
case CAP_KILL:
return "kill"
case CAP_SETGID:
return "setgid"
case CAP_SETUID:
return "setuid"
case CAP_SETPCAP:
return "setpcap"
case CAP_LINUX_IMMUTABLE:
return "linux_immutable"
case CAP_NET_BIND_SERVICE:
return "net_bind_service"
case CAP_NET_BROADCAST:
return "net_broadcast"
case CAP_NET_ADMIN:
return "net_admin"
case CAP_NET_RAW:
return "net_raw"
case CAP_IPC_LOCK:
return "ipc_lock"
case CAP_IPC_OWNER:
return "ipc_owner"
case CAP_SYS_MODULE:
return "sys_module"
case CAP_SYS_RAWIO:
return "sys_rawio"
case CAP_SYS_CHROOT:
return "sys_chroot"
case CAP_SYS_PTRACE:
return "sys_ptrace"
case CAP_SYS_PACCT:
return "sys_psacct"
case CAP_SYS_ADMIN:
return "sys_admin"
case CAP_SYS_BOOT:
return "sys_boot"
case CAP_SYS_NICE:
return "sys_nice"
case CAP_SYS_RESOURCE:
return "sys_resource"
case CAP_SYS_TIME:
return "sys_time"
case CAP_SYS_TTY_CONFIG:
return "sys_tty_config"
case CAP_MKNOD:
return "mknod"
case CAP_LEASE:
return "lease"
case CAP_AUDIT_WRITE:
return "audit_write"
case CAP_AUDIT_CONTROL:
return "audit_control"
case CAP_SETFCAP:
return "setfcap"
case CAP_MAC_OVERRIDE:
return "mac_override"
case CAP_MAC_ADMIN:
return "mac_admin"
case CAP_SYSLOG:
return "syslog"
case CAP_WAKE_ALARM:
return "wake_alarm"
case CAP_BLOCK_SUSPEND:
return "block_suspend"
case CAP_AUDIT_READ:
return "audit_read"
}
return "unknown"
}
// POSIX-draft defined capabilities.
const (
// In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this

View File

@ -0,0 +1,129 @@
// generated file; DO NOT EDIT - use go generate in directory with source
package capability
func (c Cap) String() string {
switch c {
case CAP_CHOWN:
return "chown"
case CAP_DAC_OVERRIDE:
return "dac_override"
case CAP_DAC_READ_SEARCH:
return "dac_read_search"
case CAP_FOWNER:
return "fowner"
case CAP_FSETID:
return "fsetid"
case CAP_KILL:
return "kill"
case CAP_SETGID:
return "setgid"
case CAP_SETUID:
return "setuid"
case CAP_SETPCAP:
return "setpcap"
case CAP_LINUX_IMMUTABLE:
return "linux_immutable"
case CAP_NET_BIND_SERVICE:
return "net_bind_service"
case CAP_NET_BROADCAST:
return "net_broadcast"
case CAP_NET_ADMIN:
return "net_admin"
case CAP_NET_RAW:
return "net_raw"
case CAP_IPC_LOCK:
return "ipc_lock"
case CAP_IPC_OWNER:
return "ipc_owner"
case CAP_SYS_MODULE:
return "sys_module"
case CAP_SYS_RAWIO:
return "sys_rawio"
case CAP_SYS_CHROOT:
return "sys_chroot"
case CAP_SYS_PTRACE:
return "sys_ptrace"
case CAP_SYS_PACCT:
return "sys_pacct"
case CAP_SYS_ADMIN:
return "sys_admin"
case CAP_SYS_BOOT:
return "sys_boot"
case CAP_SYS_NICE:
return "sys_nice"
case CAP_SYS_RESOURCE:
return "sys_resource"
case CAP_SYS_TIME:
return "sys_time"
case CAP_SYS_TTY_CONFIG:
return "sys_tty_config"
case CAP_MKNOD:
return "mknod"
case CAP_LEASE:
return "lease"
case CAP_AUDIT_WRITE:
return "audit_write"
case CAP_AUDIT_CONTROL:
return "audit_control"
case CAP_SETFCAP:
return "setfcap"
case CAP_MAC_OVERRIDE:
return "mac_override"
case CAP_MAC_ADMIN:
return "mac_admin"
case CAP_SYSLOG:
return "syslog"
case CAP_WAKE_ALARM:
return "wake_alarm"
case CAP_BLOCK_SUSPEND:
return "block_suspend"
case CAP_AUDIT_READ:
return "audit_read"
}
return "unknown"
}
// List returns list of all supported capabilities
func List() []Cap {
return []Cap{
CAP_CHOWN,
CAP_DAC_OVERRIDE,
CAP_DAC_READ_SEARCH,
CAP_FOWNER,
CAP_FSETID,
CAP_KILL,
CAP_SETGID,
CAP_SETUID,
CAP_SETPCAP,
CAP_LINUX_IMMUTABLE,
CAP_NET_BIND_SERVICE,
CAP_NET_BROADCAST,
CAP_NET_ADMIN,
CAP_NET_RAW,
CAP_IPC_LOCK,
CAP_IPC_OWNER,
CAP_SYS_MODULE,
CAP_SYS_RAWIO,
CAP_SYS_CHROOT,
CAP_SYS_PTRACE,
CAP_SYS_PACCT,
CAP_SYS_ADMIN,
CAP_SYS_BOOT,
CAP_SYS_NICE,
CAP_SYS_RESOURCE,
CAP_SYS_TIME,
CAP_SYS_TTY_CONFIG,
CAP_MKNOD,
CAP_LEASE,
CAP_AUDIT_WRITE,
CAP_AUDIT_CONTROL,
CAP_SETFCAP,
CAP_MAC_OVERRIDE,
CAP_MAC_ADMIN,
CAP_SYSLOG,
CAP_WAKE_ALARM,
CAP_BLOCK_SUSPEND,
CAP_AUDIT_READ,
}
}

View File

@ -0,0 +1,92 @@
package main
import (
"bytes"
"fmt"
"go/ast"
"go/format"
"go/parser"
"go/token"
"io/ioutil"
"log"
"os"
"strings"
)
const fileName = "enum.go"
const genName = "enum_gen.go"
type generator struct {
buf bytes.Buffer
caps []string
}
func (g *generator) writeHeader() {
g.buf.WriteString("// generated file; DO NOT EDIT - use go generate in directory with source\n")
g.buf.WriteString("\n")
g.buf.WriteString("package capability")
}
func (g *generator) writeStringFunc() {
g.buf.WriteString("\n")
g.buf.WriteString("func (c Cap) String() string {\n")
g.buf.WriteString("switch c {\n")
for _, cap := range g.caps {
fmt.Fprintf(&g.buf, "case %s:\n", cap)
fmt.Fprintf(&g.buf, "return \"%s\"\n", strings.ToLower(cap[4:]))
}
g.buf.WriteString("}\n")
g.buf.WriteString("return \"unknown\"\n")
g.buf.WriteString("}\n")
}
func (g *generator) writeListFunc() {
g.buf.WriteString("\n")
g.buf.WriteString("// List returns list of all supported capabilities\n")
g.buf.WriteString("func List() []Cap {\n")
g.buf.WriteString("return []Cap{\n")
for _, cap := range g.caps {
fmt.Fprintf(&g.buf, "%s,\n", cap)
}
g.buf.WriteString("}\n")
g.buf.WriteString("}\n")
}
func main() {
fs := token.NewFileSet()
parsedFile, err := parser.ParseFile(fs, fileName, nil, 0)
if err != nil {
log.Fatal(err)
}
var caps []string
for _, decl := range parsedFile.Decls {
decl, ok := decl.(*ast.GenDecl)
if !ok || decl.Tok != token.CONST {
continue
}
for _, spec := range decl.Specs {
vspec := spec.(*ast.ValueSpec)
name := vspec.Names[0].Name
if strings.HasPrefix(name, "CAP_") {
caps = append(caps, name)
}
}
}
g := &generator{caps: caps}
g.writeHeader()
g.writeStringFunc()
g.writeListFunc()
src, err := format.Source(g.buf.Bytes())
if err != nil {
fmt.Println("generated invalid Go code")
fmt.Println(g.buf.String())
log.Fatal(err)
}
fi, err := os.Stat(fileName)
if err != nil {
log.Fatal(err)
}
if err := ioutil.WriteFile(genName, src, fi.Mode().Perm()); err != nil {
log.Fatal(err)
}
}

View File

@ -86,6 +86,10 @@ func getVfsCap(path string, dest *vfscapData) (err error) {
}
r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(dest)), vfscapDataSizeV2, 0, 0)
if e1 != 0 {
if e1 == syscall.ENODATA {
dest.version = 2
return
}
err = e1
}
switch dest.magic & vfsCapVerMask {
@ -128,8 +132,6 @@ func setVfsCap(path string, data *vfscapData) (err error) {
data.magic = vfsCapVer2
if data.effective[0] != 0 || data.effective[1] != 0 {
data.magic |= vfsCapFlageffective
data.data[0].permitted |= data.effective[0]
data.data[1].permitted |= data.effective[1]
}
size = vfscapDataSizeV2
} else {

View File

@ -5,57 +5,35 @@ package libcontainer
import (
"fmt"
"os"
"strings"
"github.com/syndtr/gocapability/capability"
)
const allCapabilityTypes = capability.CAPS | capability.BOUNDS
var capabilityList = map[string]capability.Cap{
"CAP_SETPCAP": capability.CAP_SETPCAP,
"CAP_SYS_MODULE": capability.CAP_SYS_MODULE,
"CAP_SYS_RAWIO": capability.CAP_SYS_RAWIO,
"CAP_SYS_PACCT": capability.CAP_SYS_PACCT,
"CAP_SYS_ADMIN": capability.CAP_SYS_ADMIN,
"CAP_SYS_NICE": capability.CAP_SYS_NICE,
"CAP_SYS_RESOURCE": capability.CAP_SYS_RESOURCE,
"CAP_SYS_TIME": capability.CAP_SYS_TIME,
"CAP_SYS_TTY_CONFIG": capability.CAP_SYS_TTY_CONFIG,
"CAP_MKNOD": capability.CAP_MKNOD,
"CAP_AUDIT_WRITE": capability.CAP_AUDIT_WRITE,
"CAP_AUDIT_CONTROL": capability.CAP_AUDIT_CONTROL,
"CAP_MAC_OVERRIDE": capability.CAP_MAC_OVERRIDE,
"CAP_MAC_ADMIN": capability.CAP_MAC_ADMIN,
"CAP_NET_ADMIN": capability.CAP_NET_ADMIN,
"CAP_SYSLOG": capability.CAP_SYSLOG,
"CAP_CHOWN": capability.CAP_CHOWN,
"CAP_NET_RAW": capability.CAP_NET_RAW,
"CAP_DAC_OVERRIDE": capability.CAP_DAC_OVERRIDE,
"CAP_FOWNER": capability.CAP_FOWNER,
"CAP_DAC_READ_SEARCH": capability.CAP_DAC_READ_SEARCH,
"CAP_FSETID": capability.CAP_FSETID,
"CAP_KILL": capability.CAP_KILL,
"CAP_SETGID": capability.CAP_SETGID,
"CAP_SETUID": capability.CAP_SETUID,
"CAP_LINUX_IMMUTABLE": capability.CAP_LINUX_IMMUTABLE,
"CAP_NET_BIND_SERVICE": capability.CAP_NET_BIND_SERVICE,
"CAP_NET_BROADCAST": capability.CAP_NET_BROADCAST,
"CAP_IPC_LOCK": capability.CAP_IPC_LOCK,
"CAP_IPC_OWNER": capability.CAP_IPC_OWNER,
"CAP_SYS_CHROOT": capability.CAP_SYS_CHROOT,
"CAP_SYS_PTRACE": capability.CAP_SYS_PTRACE,
"CAP_SYS_BOOT": capability.CAP_SYS_BOOT,
"CAP_LEASE": capability.CAP_LEASE,
"CAP_SETFCAP": capability.CAP_SETFCAP,
"CAP_WAKE_ALARM": capability.CAP_WAKE_ALARM,
"CAP_BLOCK_SUSPEND": capability.CAP_BLOCK_SUSPEND,
"CAP_AUDIT_READ": capability.CAP_AUDIT_READ,
var capabilityMap map[string]capability.Cap
func init() {
capabilityMap = make(map[string]capability.Cap)
last := capability.CAP_LAST_CAP
// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}
for _, cap := range capability.List() {
if cap > last {
continue
}
capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))
capabilityMap[capKey] = cap
}
}
func newCapWhitelist(caps []string) (*whitelist, error) {
l := []capability.Cap{}
for _, c := range caps {
v, ok := capabilityList[c]
v, ok := capabilityMap[c]
if !ok {
return nil, fmt.Errorf("unknown capability %q", c)
}