Merge pull request #481 from giuseppe/get-bounding-caps
capabilities: add new method BoundingSet()
636a5caea2
|
|
@ -16,6 +16,9 @@ var (
|
|||
// Used internally and populated during init().
|
||||
capabilityList []string
|
||||
|
||||
// Used internally and populated during init().
|
||||
capsList []capability.Cap
|
||||
|
||||
// ErrUnknownCapability is thrown when an unknown capability is processed.
|
||||
ErrUnknownCapability = errors.New("unknown capability")
|
||||
|
||||
|
|
@ -28,6 +31,10 @@ var (
|
|||
// Useful on the CLI for `--cap-add=all` etc.
|
||||
const All = "ALL"
|
||||
|
||||
func getCapName(c capability.Cap) string {
|
||||
return "CAP_" + strings.ToUpper(c.String())
|
||||
}
|
||||
|
||||
func init() {
|
||||
last := capability.CAP_LAST_CAP
|
||||
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
|
||||
|
|
@ -38,7 +45,8 @@ func init() {
|
|||
if cap > last {
|
||||
continue
|
||||
}
|
||||
capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String()))
|
||||
capsList = append(capsList, cap)
|
||||
capabilityList = append(capabilityList, getCapName(cap))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -52,6 +60,26 @@ func stringInSlice(s string, sl []string) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// BoundingSet returns the capabilities in the current bounding set
|
||||
func BoundingSet() ([]string, error) {
|
||||
currentCaps, err := capability.NewPid2(0)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
err = currentCaps.Load()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var r []string
|
||||
for _, c := range capsList {
|
||||
if !currentCaps.Get(capability.BOUNDING, c) {
|
||||
continue
|
||||
}
|
||||
r = append(r, getCapName(c))
|
||||
}
|
||||
return r, nil
|
||||
}
|
||||
|
||||
// AllCapabilities returns all known capabilities.
|
||||
func AllCapabilities() []string {
|
||||
return capabilityList
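Review bot: BoundingSet's result is only as complete as capsList, which init() truncates at `last` (the `if cap > last { continue }` guard in the third hunk), so a kernel that knows capabilities this package does not enumerate will have them silently missing from the returned slice; the range source of that init loop is outside the hunk, so this is inferred. That is fail-safe if a caller uses the result as a ceiling on what may be granted, but unsafe if a caller ever uses it to compute what to drop, and the doc comment should say so. I would also name whose bounding set is reported, e.g. `// BoundingSet returns the names (CAP_*) of the capabilities in the bounding set of the calling process; capabilities unknown to this package are omitted.` The two error returns could carry context for the caller (`fmt.Errorf("loading capabilities of the current process: %w", err)`), since a bare capget failure is hard to attribute once it surfaces from a CLI.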
|
||||
|
|
|
|||
|
|
@ -14,6 +14,12 @@ func TestAllCapabilities(t *testing.T) {
|
|||
require.Nil(t, err)
|
||||
}
|
||||
|
||||
func TestBoundingCapabilities(t *testing.T) {
|
||||
caps, err := BoundingSet()
|
||||
require.Nil(t, err)
|
||||
assert.True(t, len(caps) > 0)
|
||||
}
|
||||
|
||||
func TestMergeCapabilitiesDropVerify(t *testing.T) {
|
||||
adds := []string{"CAP_SYS_ADMIN", "CAP_SETUID"}
|
||||
drops := []string{"CAP_NET_ADMIN", "cap_chown"}
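Review bot: TestBoundingCapabilities asserts only `len(caps) > 0`, which depends on the test environment rather than on the code: a hardened CI sandbox that drops the whole bounding set (a plausible setup for a container-tooling repo) makes this fail with no defect in BoundingSet. The property the implementation does guarantee is that every returned name is one this package knows, which can be checked with the existing helper: `for _, c := range caps { assert.True(t, stringInSlice(c, AllCapabilities()), c) }`. If the non-empty check is kept, a `t.Skip` when the set is empty, with a message naming the likely sandbox cause, avoids a misleading red build.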
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
package version
|
||||
|
||||
// Version is the version of the build.
|
||||
const Version = "0.35.3-dev"
|
||||
const Version = "0.35.4-dev"
|
||||
|
|
|
|||