Merge pull request #481 from giuseppe/get-bounding-caps

capabilities: add new method BoundingSet()
OpenShift Merge Robot 2021-03-19 02:04:44 -07:00 committed by GitHub
commit 636a5caea2
3 changed files with 36 additions and 2 deletions


@ -16,6 +16,9 @@ var (
// Used internally and populated during init(). // Used internally and populated during init().
capabilityList []string capabilityList []string
// Used internally and populated during init().
capsList []capability.Cap
// ErrUnknownCapability is thrown when an unknown capability is processed. // ErrUnknownCapability is thrown when an unknown capability is processed.
ErrUnknownCapability = errors.New("unknown capability") ErrUnknownCapability = errors.New("unknown capability")
@ -28,6 +31,10 @@ var (
// Useful on the CLI for `--cap-add=all` etc. // Useful on the CLI for `--cap-add=all` etc.
const All = "ALL" const All = "ALL"
func getCapName(c capability.Cap) string {
return "CAP_" + strings.ToUpper(c.String())
}
func init() { func init() {
last := capability.CAP_LAST_CAP last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
@ -38,7 +45,8 @@ func init() {
if cap > last { if cap > last {
continue continue
} }
capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String())) capsList = append(capsList, cap)
capabilityList = append(capabilityList, getCapName(cap))
} }
} }
@ -52,6 +60,26 @@ func stringInSlice(s string, sl []string) bool {
return false return false
} }
// BoundingSet returns the capabilities in the current bounding set
func BoundingSet() ([]string, error) {
currentCaps, err := capability.NewPid2(0)
if err != nil {
return nil, err
}
err = currentCaps.Load()
if err != nil {
return nil, err
}
var r []string
for _, c := range capsList {
if !currentCaps.Get(capability.BOUNDING, c) {
continue
}
r = append(r, getCapName(c))
}
return r, nil
}
// AllCapabilities returns all known capabilities. // AllCapabilities returns all known capabilities.
func AllCapabilities() []string { func AllCapabilities() []string {
return capabilityList return capabilityList
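Review bot: BoundingSet (lines 38-56) only reports capabilities present in capsList, which init() cuts off at CAP_LAST_CAP (with the RHEL6 fallback), so a capability the running kernel has in the bounding set but this package does not know is silently left out of the result; callers that use the list to decide what to keep or drop should be told this. The doc comment should state it and also say what the empty case yields, e.g. `// BoundingSet returns the names (CAP_XXX) of the capabilities in the bounding set of the calling process (pid 0), limited to the capabilities known to this package; it returns a nil slice when none are set.` The errors from NewPid2 and Load are returned without context, so a caller cannot tell which step failed; wrapping them, e.g. `return nil, fmt.Errorf("loading capabilities of current process: %w", err)`, would help, provided fmt is imported in this file (the import block is outside the view).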


@ -14,6 +14,12 @@ func TestAllCapabilities(t *testing.T) {
require.Nil(t, err) require.Nil(t, err)
} }
func TestBoundingCapabilities(t *testing.T) {
caps, err := BoundingSet()
require.Nil(t, err)
assert.True(t, len(caps) > 0)
}
func TestMergeCapabilitiesDropVerify(t *testing.T) { func TestMergeCapabilitiesDropVerify(t *testing.T) {
adds := []string{"CAP_SYS_ADMIN", "CAP_SETUID"} adds := []string{"CAP_SYS_ADMIN", "CAP_SETUID"}
drops := []string{"CAP_NET_ADMIN", "cap_chown"} drops := []string{"CAP_NET_ADMIN", "cap_chown"}
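Review bot: TestBoundingCapabilities (lines 66-70) only checks that BoundingSet returns a non-empty slice, so a result made of malformed or unknown names would still pass; each entry should be validated against the package's own list, e.g. `for _, c := range caps { assert.Contains(t, AllCapabilities(), c) }`. The non-empty assertion also ties the test to its environment: a test process started with an empty bounding set fails it, which may be acceptable but deserves a comment such as `// assumes the test process keeps at least one capability in its bounding set`.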


@ -1,4 +1,4 @@
package version package version
// Version is the version of the build. // Version is the version of the build.
const Version = "0.35.3-dev" const Version = "0.35.4-dev"