mirror of https://github.com/docker/cli.git
cli/container: use github.com/moby/sys/capability for completions
We used a hard-coded list of capabilities that we copied from containerd, but the new "capability" package allows use to have a maintained list of capabilities. There's likely still some improvements to be made; First of all, the capability package could provide a function to get the list of strings. On the completion-side, we need to consider what format is most convenient; currently we use the canonical name (uppercase and "CAP_" prefix), however, tab-completion is case-sensitive by default, so requires the user to type uppercase letters to filter the list of options. Bash completion provides a `completion-ignore-case on` option to make completion case-insensitive (https://askubuntu.com/a/87066), but it looks to be a global option; the current cobra.CompletionOptions also don't provide this as an option to be used in the generated completion-script. Fish completion has `smartcase` (by default?) which matches any case if all of the input is lowercase. Zsh does not have a dedicated option, but allows setting matching-rules (see https://superuser.com/a/1092328). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
f4fab2c7f3
commit
462e08219d
|
@ -1,70 +1,48 @@
|
|||
package container
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/docker/cli/cli/command/completion"
|
||||
"github.com/docker/docker/api/types/container"
|
||||
"github.com/moby/sys/capability"
|
||||
"github.com/moby/sys/signal"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
// allCaps is the magic value for "all capabilities".
|
||||
const allCaps = "ALL"
|
||||
|
||||
// allLinuxCapabilities is a list of all known Linux capabilities.
|
||||
//
|
||||
// This list was based on the containerd pkg/cap package;
|
||||
// https://github.com/containerd/containerd/blob/v1.7.19/pkg/cap/cap_linux.go#L133-L181
|
||||
//
|
||||
// TODO(thaJeztah): add descriptions, and enable descriptions for our completion scripts (cobra.CompletionOptions.DisableDescriptions is currently set to "true")
|
||||
var allLinuxCapabilities = []string{
|
||||
"ALL", // magic value for "all capabilities"
|
||||
|
||||
// caps35 is the caps of kernel 3.5 (37 entries)
|
||||
"CAP_CHOWN", // 2.2
|
||||
"CAP_DAC_OVERRIDE", // 2.2
|
||||
"CAP_DAC_READ_SEARCH", // 2.2
|
||||
"CAP_FOWNER", // 2.2
|
||||
"CAP_FSETID", // 2.2
|
||||
"CAP_KILL", // 2.2
|
||||
"CAP_SETGID", // 2.2
|
||||
"CAP_SETUID", // 2.2
|
||||
"CAP_SETPCAP", // 2.2
|
||||
"CAP_LINUX_IMMUTABLE", // 2.2
|
||||
"CAP_NET_BIND_SERVICE", // 2.2
|
||||
"CAP_NET_BROADCAST", // 2.2
|
||||
"CAP_NET_ADMIN", // 2.2
|
||||
"CAP_NET_RAW", // 2.2
|
||||
"CAP_IPC_LOCK", // 2.2
|
||||
"CAP_IPC_OWNER", // 2.2
|
||||
"CAP_SYS_MODULE", // 2.2
|
||||
"CAP_SYS_RAWIO", // 2.2
|
||||
"CAP_SYS_CHROOT", // 2.2
|
||||
"CAP_SYS_PTRACE", // 2.2
|
||||
"CAP_SYS_PACCT", // 2.2
|
||||
"CAP_SYS_ADMIN", // 2.2
|
||||
"CAP_SYS_BOOT", // 2.2
|
||||
"CAP_SYS_NICE", // 2.2
|
||||
"CAP_SYS_RESOURCE", // 2.2
|
||||
"CAP_SYS_TIME", // 2.2
|
||||
"CAP_SYS_TTY_CONFIG", // 2.2
|
||||
"CAP_MKNOD", // 2.4
|
||||
"CAP_LEASE", // 2.4
|
||||
"CAP_AUDIT_WRITE", // 2.6.11
|
||||
"CAP_AUDIT_CONTROL", // 2.6.11
|
||||
"CAP_SETFCAP", // 2.6.24
|
||||
"CAP_MAC_OVERRIDE", // 2.6.25
|
||||
"CAP_MAC_ADMIN", // 2.6.25
|
||||
"CAP_SYSLOG", // 2.6.37
|
||||
"CAP_WAKE_ALARM", // 3.0
|
||||
"CAP_BLOCK_SUSPEND", // 3.5
|
||||
|
||||
// caps316 is the caps of kernel 3.16 (38 entries)
|
||||
"CAP_AUDIT_READ",
|
||||
|
||||
// caps58 is the caps of kernel 5.8 (40 entries)
|
||||
"CAP_PERFMON",
|
||||
"CAP_BPF",
|
||||
|
||||
// caps59 is the caps of kernel 5.9 (41 entries)
|
||||
"CAP_CHECKPOINT_RESTORE",
|
||||
// TODO(thaJeztah): consider what casing we want to use for completion (see below);
|
||||
//
|
||||
// We need to consider what format is most convenient; currently we use the
|
||||
// canonical name (uppercase and "CAP_" prefix), however, tab-completion is
|
||||
// case-sensitive by default, so requires the user to type uppercase letters
|
||||
// to filter the list of options.
|
||||
//
|
||||
// Bash completion provides a `completion-ignore-case on` option to make completion
|
||||
// case-insensitive (https://askubuntu.com/a/87066), but it looks to be a global
|
||||
// option; the current cobra.CompletionOptions also don't provide this as an option
|
||||
// to be used in the generated completion-script.
|
||||
//
|
||||
// Fish completion has `smartcase` (by default?) which matches any case if
|
||||
// all of the input is lowercase.
|
||||
//
|
||||
// Zsh does not appear have a dedicated option, but allows setting matching-rules
|
||||
// (see https://superuser.com/a/1092328).
|
||||
var allLinuxCapabilities = sync.OnceValue(func() []string {
|
||||
caps := capability.ListKnown()
|
||||
out := make([]string, 0, len(caps)+1)
|
||||
out = append(out, allCaps)
|
||||
for _, c := range caps {
|
||||
out = append(out, "CAP_"+strings.ToUpper(c.String()))
|
||||
}
|
||||
return out
|
||||
})
|
||||
|
||||
// restartPolicies is a list of all valid restart-policies..
|
||||
//
|
||||
|
@ -77,7 +55,7 @@ var restartPolicies = []string{
|
|||
}
|
||||
|
||||
func completeLinuxCapabilityNames(cmd *cobra.Command, args []string, toComplete string) (names []string, _ cobra.ShellCompDirective) {
|
||||
return completion.FromList(allLinuxCapabilities...)(cmd, args, toComplete)
|
||||
return completion.FromList(allLinuxCapabilities()...)(cmd, args, toComplete)
|
||||
}
|
||||
|
||||
func completeRestartPolicies(cmd *cobra.Command, args []string, toComplete string) (names []string, _ cobra.ShellCompDirective) {
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
package container
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
"gotest.tools/v3/assert"
|
||||
is "gotest.tools/v3/assert/cmp"
|
||||
)
|
||||
|
||||
func TestCompleteLinuxCapabilityNames(t *testing.T) {
|
||||
names, directives := completeLinuxCapabilityNames(nil, nil, "")
|
||||
assert.Check(t, is.Equal(directives&cobra.ShellCompDirectiveNoFileComp, cobra.ShellCompDirectiveNoFileComp), "Should not perform file completion")
|
||||
assert.Assert(t, len(names) > 1)
|
||||
assert.Check(t, names[0] == allCaps)
|
||||
for _, name := range names[1:] {
|
||||
assert.Check(t, strings.HasPrefix(name, "CAP_"))
|
||||
assert.Check(t, is.Equal(name, strings.ToUpper(name)), "Should be formatted uppercase")
|
||||
}
|
||||
}
|
|
@ -26,6 +26,7 @@ require (
|
|||
github.com/mattn/go-runewidth v0.0.15
|
||||
github.com/moby/patternmatcher v0.6.0
|
||||
github.com/moby/swarmkit/v2 v2.0.0-20240611172349-ea1a7cec35cb
|
||||
github.com/moby/sys/capability v0.3.0
|
||||
github.com/moby/sys/sequential v0.6.0
|
||||
github.com/moby/sys/signal v0.7.1
|
||||
github.com/moby/term v0.5.0
|
||||
|
|
|
@ -182,6 +182,8 @@ github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkV
|
|||
github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
|
||||
github.com/moby/swarmkit/v2 v2.0.0-20240611172349-ea1a7cec35cb h1:1UTTg2EgO3nuyV03wREDzldqqePzQ4+0a5G1C1y1bIo=
|
||||
github.com/moby/swarmkit/v2 v2.0.0-20240611172349-ea1a7cec35cb/go.mod h1:kNy225f/gWAnF8wPftteMc5nbAHhrH+HUfvyjmhFjeQ=
|
||||
github.com/moby/sys/capability v0.3.0 h1:kEP+y6te0gEXIaeQhIi0s7vKs/w0RPoH1qPa6jROcVg=
|
||||
github.com/moby/sys/capability v0.3.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
|
||||
github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
|
||||
github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
|
||||
github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
[codespell]
|
||||
skip = ./.git
|
||||
ignore-words-list = nd
|
|
@ -0,0 +1,6 @@
|
|||
linters:
|
||||
enable:
|
||||
- unconvert
|
||||
- unparam
|
||||
- gofumpt
|
||||
- errorlint
|
|
@ -0,0 +1,90 @@
|
|||
# Changelog
|
||||
This file documents all notable changes made to this project since the initial fork
|
||||
from https://github.com/syndtr/gocapability/commit/42c35b4376354fd5.
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [0.3.0] - 2024-09-25
|
||||
|
||||
### Added
|
||||
* Added [ListKnown] and [ListSupported] functions. (#153)
|
||||
* [LastCap] is now available on non-Linux platforms (where it returns an error). (#152)
|
||||
|
||||
### Changed
|
||||
* [List] is now deprecated in favor of [ListKnown] and [ListSupported]. (#153)
|
||||
|
||||
### Fixed
|
||||
* Various documentation improvements. (#151)
|
||||
* Fix "generated code" comment. (#153)
|
||||
|
||||
## [0.2.0] - 2024-09-16
|
||||
|
||||
This is the first release after the move to a new home in
|
||||
github.com/moby/sys/capability.
|
||||
|
||||
### Fixed
|
||||
* Fixed URLs in documentation to reflect the new home.
|
||||
|
||||
## [0.1.1] - 2024-08-01
|
||||
|
||||
This is a maintenance release, fixing a few minor issues.
|
||||
|
||||
### Fixed
|
||||
* Fixed future kernel compatibility, for real this time. [#11]
|
||||
* Fixed [LastCap] to be a function. [#12]
|
||||
|
||||
## [0.1.0] - 2024-07-31
|
||||
|
||||
This is an initial release since the fork.
|
||||
|
||||
### Breaking changes
|
||||
|
||||
* The `CAP_LAST_CAP` variable is removed; users need to modify the code to
|
||||
use [LastCap] to get the value. [#6]
|
||||
* The code now requires Go >= 1.21.
|
||||
|
||||
### Added
|
||||
* `go.mod` and `go.sum` files. [#2]
|
||||
* New [LastCap] function. [#6]
|
||||
* Basic CI using GHA infra. [#8], [#9]
|
||||
* README and CHANGELOG. [#10]
|
||||
|
||||
### Fixed
|
||||
* Fixed ambient capabilities error handling in [Apply]. [#3]
|
||||
* Fixed future kernel compatibility. [#1]
|
||||
* Fixed various linter warnings. [#4], [#7]
|
||||
|
||||
### Changed
|
||||
* Go build tags changed from old-style (`+build`) to new Go 1.17+ style (`go:build`). [#2]
|
||||
|
||||
### Removed
|
||||
* Removed support for capabilities v1 and v2. [#1]
|
||||
* Removed init function so programs that use this package start faster. [#6]
|
||||
* Removed `CAP_LAST_CAP` (use [LastCap] instead). [#6]
|
||||
|
||||
<!-- Doc links. -->
|
||||
[Apply]: https://pkg.go.dev/github.com/moby/sys/capability#Capabilities.Apply
|
||||
[LastCap]: https://pkg.go.dev/github.com/moby/sys/capability#LastCap
|
||||
[List]: https://pkg.go.dev/github.com/moby/sys/capability#List
|
||||
[ListKnown]: https://pkg.go.dev/github.com/moby/sys/capability#ListKnown
|
||||
[ListSupported]: https://pkg.go.dev/github.com/moby/sys/capability#ListSupported
|
||||
|
||||
<!-- Minor releases. -->
|
||||
[0.3.0]: https://github.com/moby/sys/releases/tag/capability%2Fv0.3.0
|
||||
[0.2.0]: https://github.com/moby/sys/releases/tag/capability%2Fv0.2.0
|
||||
[0.1.1]: https://github.com/kolyshkin/capability/compare/v0.1.0...v0.1.1
|
||||
[0.1.0]: https://github.com/kolyshkin/capability/compare/42c35b4376354fd5...v0.1.0
|
||||
|
||||
<!-- PRs in 0.1.x releases. -->
|
||||
[#1]: https://github.com/kolyshkin/capability/pull/1
|
||||
[#2]: https://github.com/kolyshkin/capability/pull/2
|
||||
[#3]: https://github.com/kolyshkin/capability/pull/3
|
||||
[#4]: https://github.com/kolyshkin/capability/pull/4
|
||||
[#6]: https://github.com/kolyshkin/capability/pull/6
|
||||
[#7]: https://github.com/kolyshkin/capability/pull/7
|
||||
[#8]: https://github.com/kolyshkin/capability/pull/8
|
||||
[#9]: https://github.com/kolyshkin/capability/pull/9
|
||||
[#10]: https://github.com/kolyshkin/capability/pull/10
|
||||
[#11]: https://github.com/kolyshkin/capability/pull/11
|
||||
[#12]: https://github.com/kolyshkin/capability/pull/12
|
|
@ -0,0 +1,25 @@
|
|||
Copyright 2023 The Capability Authors.
|
||||
Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
@ -0,0 +1,13 @@
|
|||
This is a fork of (apparently no longer maintained)
|
||||
https://github.com/syndtr/gocapability package. It provides basic primitives to
|
||||
work with [Linux capabilities][capabilities(7)].
|
||||
|
||||
For changes, see [CHANGELOG.md](./CHANGELOG.md).
|
||||
|
||||
[![Go Reference](https://pkg.go.dev/badge/github.com/moby/sys/capability/capability.svg)](https://pkg.go.dev/github.com/moby/sys/capability)
|
||||
|
||||
## Alternatives
|
||||
|
||||
* https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/cap
|
||||
|
||||
[capabilities(7)]: https://man7.org/linux/man-pages/man7/capabilities.7.html
|
|
@ -0,0 +1,144 @@
|
|||
// Copyright 2023 The Capability Authors.
|
||||
// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
// All rights reserved.
|
||||
//
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
// Package capability provides utilities for manipulating POSIX capabilities.
|
||||
package capability
|
||||
|
||||
type Capabilities interface {
|
||||
// Get check whether a capability present in the given
|
||||
// capabilities set. The 'which' value should be one of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
|
||||
Get(which CapType, what Cap) bool
|
||||
|
||||
// Empty check whether all capability bits of the given capabilities
|
||||
// set are zero. The 'which' value should be one of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
|
||||
Empty(which CapType) bool
|
||||
|
||||
// Full check whether all capability bits of the given capabilities
|
||||
// set are one. The 'which' value should be one of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
|
||||
Full(which CapType) bool
|
||||
|
||||
// Set sets capabilities of the given capabilities sets. The
|
||||
// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
|
||||
Set(which CapType, caps ...Cap)
|
||||
|
||||
// Unset unsets capabilities of the given capabilities sets. The
|
||||
// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
|
||||
Unset(which CapType, caps ...Cap)
|
||||
|
||||
// Fill sets all bits of the given capabilities kind to one. The
|
||||
// 'kind' value should be one or combination (OR'ed) of CAPS,
|
||||
// BOUNDS or AMBS.
|
||||
Fill(kind CapType)
|
||||
|
||||
// Clear sets all bits of the given capabilities kind to zero. The
|
||||
// 'kind' value should be one or combination (OR'ed) of CAPS,
|
||||
// BOUNDS or AMBS.
|
||||
Clear(kind CapType)
|
||||
|
||||
// String return current capabilities state of the given capabilities
|
||||
// set as string. The 'which' value should be one of EFFECTIVE,
|
||||
// PERMITTED, INHERITABLE BOUNDING or AMBIENT
|
||||
StringCap(which CapType) string
|
||||
|
||||
// String return current capabilities state as string.
|
||||
String() string
|
||||
|
||||
// Load load actual capabilities value. This will overwrite all
|
||||
// outstanding changes.
|
||||
Load() error
|
||||
|
||||
// Apply apply the capabilities settings, so all changes will take
|
||||
// effect.
|
||||
Apply(kind CapType) error
|
||||
}
|
||||
|
||||
// NewPid initializes a new [Capabilities] object for given pid when
|
||||
// it is nonzero, or for the current process if pid is 0.
|
||||
//
|
||||
// Deprecated: Replace with [NewPid2] followed by [Capabilities.Load].
|
||||
// For example, replace:
|
||||
//
|
||||
// c, err := NewPid(0)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
//
|
||||
// with:
|
||||
//
|
||||
// c, err := NewPid2(0)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
// err = c.Load()
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
func NewPid(pid int) (Capabilities, error) {
|
||||
c, err := newPid(pid)
|
||||
if err != nil {
|
||||
return c, err
|
||||
}
|
||||
err = c.Load()
|
||||
return c, err
|
||||
}
|
||||
|
||||
// NewPid2 initializes a new [Capabilities] object for given pid when
|
||||
// it is nonzero, or for the current process if pid is 0. This
|
||||
// does not load the process's current capabilities; to do that you
|
||||
// must call [Capabilities.Load] explicitly.
|
||||
func NewPid2(pid int) (Capabilities, error) {
|
||||
return newPid(pid)
|
||||
}
|
||||
|
||||
// NewFile initializes a new Capabilities object for given file path.
|
||||
//
|
||||
// Deprecated: Replace with [NewFile2] followed by [Capabilities.Load].
|
||||
// For example, replace:
|
||||
//
|
||||
// c, err := NewFile(path)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
//
|
||||
// with:
|
||||
//
|
||||
// c, err := NewFile2(path)
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
// err = c.Load()
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
func NewFile(path string) (Capabilities, error) {
|
||||
c, err := newFile(path)
|
||||
if err != nil {
|
||||
return c, err
|
||||
}
|
||||
err = c.Load()
|
||||
return c, err
|
||||
}
|
||||
|
||||
// NewFile2 creates a new initialized [Capabilities] object for given
|
||||
// file path. This does not load the process's current capabilities;
|
||||
// to do that you must call [Capabilities.Load] explicitly.
|
||||
func NewFile2(path string) (Capabilities, error) {
|
||||
return newFile(path)
|
||||
}
|
||||
|
||||
// LastCap returns highest valid capability of the running kernel,
|
||||
// or an error if it can not be obtained.
|
||||
//
|
||||
// See also: [ListSupported].
|
||||
func LastCap() (Cap, error) {
|
||||
return lastCap()
|
||||
}
|
|
@ -0,0 +1,541 @@
|
|||
// Copyright 2023 The Capability Authors.
|
||||
// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
// All rights reserved.
|
||||
//
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package capability
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"syscall"
|
||||
)
|
||||
|
||||
const (
|
||||
linuxCapVer1 = 0x19980330 // No longer supported.
|
||||
linuxCapVer2 = 0x20071026 // No longer supported.
|
||||
linuxCapVer3 = 0x20080522
|
||||
)
|
||||
|
||||
var lastCap = sync.OnceValues(func() (Cap, error) {
|
||||
f, err := os.Open("/proc/sys/kernel/cap_last_cap")
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
buf := make([]byte, 11)
|
||||
l, err := f.Read(buf)
|
||||
f.Close()
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
buf = buf[:l]
|
||||
|
||||
last, err := strconv.Atoi(strings.TrimSpace(string(buf)))
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return Cap(last), nil
|
||||
})
|
||||
|
||||
func capUpperMask() uint32 {
|
||||
last, err := lastCap()
|
||||
if err != nil || last < 32 {
|
||||
return 0
|
||||
}
|
||||
return (uint32(1) << (uint(last) - 31)) - 1
|
||||
}
|
||||
|
||||
func mkStringCap(c Capabilities, which CapType) (ret string) {
|
||||
last, err := lastCap()
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
for i, first := Cap(0), true; i <= last; i++ {
|
||||
if !c.Get(which, i) {
|
||||
continue
|
||||
}
|
||||
if first {
|
||||
first = false
|
||||
} else {
|
||||
ret += ", "
|
||||
}
|
||||
ret += i.String()
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func mkString(c Capabilities, max CapType) (ret string) {
|
||||
ret = "{"
|
||||
for i := CapType(1); i <= max; i <<= 1 {
|
||||
ret += " " + i.String() + "=\""
|
||||
if c.Empty(i) {
|
||||
ret += "empty"
|
||||
} else if c.Full(i) {
|
||||
ret += "full"
|
||||
} else {
|
||||
ret += c.StringCap(i)
|
||||
}
|
||||
ret += "\""
|
||||
}
|
||||
ret += " }"
|
||||
return
|
||||
}
|
||||
|
||||
var capVersion = sync.OnceValues(func() (uint32, error) {
|
||||
var hdr capHeader
|
||||
err := capget(&hdr, nil)
|
||||
return hdr.version, err
|
||||
})
|
||||
|
||||
func newPid(pid int) (c Capabilities, retErr error) {
|
||||
ver, err := capVersion()
|
||||
if err != nil {
|
||||
retErr = fmt.Errorf("unable to get capability version from the kernel: %w", err)
|
||||
return
|
||||
}
|
||||
switch ver {
|
||||
case linuxCapVer1, linuxCapVer2:
|
||||
retErr = errors.New("old/unsupported capability version (kernel older than 2.6.26?)")
|
||||
default:
|
||||
// Either linuxCapVer3, or an unknown/future version (such as v4).
|
||||
// In the latter case, we fall back to v3 as the latest version known
|
||||
// to this package, as kernel should be backward-compatible to v3.
|
||||
p := new(capsV3)
|
||||
p.hdr.version = linuxCapVer3
|
||||
p.hdr.pid = int32(pid)
|
||||
c = p
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
type capsV3 struct {
|
||||
hdr capHeader
|
||||
data [2]capData
|
||||
bounds [2]uint32
|
||||
ambient [2]uint32
|
||||
}
|
||||
|
||||
func (c *capsV3) Get(which CapType, what Cap) bool {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
switch which {
|
||||
case EFFECTIVE:
|
||||
return (1<<uint(what))&c.data[i].effective != 0
|
||||
case PERMITTED:
|
||||
return (1<<uint(what))&c.data[i].permitted != 0
|
||||
case INHERITABLE:
|
||||
return (1<<uint(what))&c.data[i].inheritable != 0
|
||||
case BOUNDING:
|
||||
return (1<<uint(what))&c.bounds[i] != 0
|
||||
case AMBIENT:
|
||||
return (1<<uint(what))&c.ambient[i] != 0
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func (c *capsV3) getData(which CapType, dest []uint32) {
|
||||
switch which {
|
||||
case EFFECTIVE:
|
||||
dest[0] = c.data[0].effective
|
||||
dest[1] = c.data[1].effective
|
||||
case PERMITTED:
|
||||
dest[0] = c.data[0].permitted
|
||||
dest[1] = c.data[1].permitted
|
||||
case INHERITABLE:
|
||||
dest[0] = c.data[0].inheritable
|
||||
dest[1] = c.data[1].inheritable
|
||||
case BOUNDING:
|
||||
dest[0] = c.bounds[0]
|
||||
dest[1] = c.bounds[1]
|
||||
case AMBIENT:
|
||||
dest[0] = c.ambient[0]
|
||||
dest[1] = c.ambient[1]
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsV3) Empty(which CapType) bool {
|
||||
var data [2]uint32
|
||||
c.getData(which, data[:])
|
||||
return data[0] == 0 && data[1] == 0
|
||||
}
|
||||
|
||||
func (c *capsV3) Full(which CapType) bool {
|
||||
var data [2]uint32
|
||||
c.getData(which, data[:])
|
||||
if (data[0] & 0xffffffff) != 0xffffffff {
|
||||
return false
|
||||
}
|
||||
mask := capUpperMask()
|
||||
return (data[1] & mask) == mask
|
||||
}
|
||||
|
||||
func (c *capsV3) Set(which CapType, caps ...Cap) {
|
||||
for _, what := range caps {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
if which&EFFECTIVE != 0 {
|
||||
c.data[i].effective |= 1 << uint(what)
|
||||
}
|
||||
if which&PERMITTED != 0 {
|
||||
c.data[i].permitted |= 1 << uint(what)
|
||||
}
|
||||
if which&INHERITABLE != 0 {
|
||||
c.data[i].inheritable |= 1 << uint(what)
|
||||
}
|
||||
if which&BOUNDING != 0 {
|
||||
c.bounds[i] |= 1 << uint(what)
|
||||
}
|
||||
if which&AMBIENT != 0 {
|
||||
c.ambient[i] |= 1 << uint(what)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsV3) Unset(which CapType, caps ...Cap) {
|
||||
for _, what := range caps {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
if which&EFFECTIVE != 0 {
|
||||
c.data[i].effective &= ^(1 << uint(what))
|
||||
}
|
||||
if which&PERMITTED != 0 {
|
||||
c.data[i].permitted &= ^(1 << uint(what))
|
||||
}
|
||||
if which&INHERITABLE != 0 {
|
||||
c.data[i].inheritable &= ^(1 << uint(what))
|
||||
}
|
||||
if which&BOUNDING != 0 {
|
||||
c.bounds[i] &= ^(1 << uint(what))
|
||||
}
|
||||
if which&AMBIENT != 0 {
|
||||
c.ambient[i] &= ^(1 << uint(what))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsV3) Fill(kind CapType) {
|
||||
if kind&CAPS == CAPS {
|
||||
c.data[0].effective = 0xffffffff
|
||||
c.data[0].permitted = 0xffffffff
|
||||
c.data[0].inheritable = 0
|
||||
c.data[1].effective = 0xffffffff
|
||||
c.data[1].permitted = 0xffffffff
|
||||
c.data[1].inheritable = 0
|
||||
}
|
||||
|
||||
if kind&BOUNDS == BOUNDS {
|
||||
c.bounds[0] = 0xffffffff
|
||||
c.bounds[1] = 0xffffffff
|
||||
}
|
||||
if kind&AMBS == AMBS {
|
||||
c.ambient[0] = 0xffffffff
|
||||
c.ambient[1] = 0xffffffff
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsV3) Clear(kind CapType) {
|
||||
if kind&CAPS == CAPS {
|
||||
c.data[0].effective = 0
|
||||
c.data[0].permitted = 0
|
||||
c.data[0].inheritable = 0
|
||||
c.data[1].effective = 0
|
||||
c.data[1].permitted = 0
|
||||
c.data[1].inheritable = 0
|
||||
}
|
||||
|
||||
if kind&BOUNDS == BOUNDS {
|
||||
c.bounds[0] = 0
|
||||
c.bounds[1] = 0
|
||||
}
|
||||
if kind&AMBS == AMBS {
|
||||
c.ambient[0] = 0
|
||||
c.ambient[1] = 0
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsV3) StringCap(which CapType) (ret string) {
|
||||
return mkStringCap(c, which)
|
||||
}
|
||||
|
||||
func (c *capsV3) String() (ret string) {
|
||||
return mkString(c, BOUNDING)
|
||||
}
|
||||
|
||||
func (c *capsV3) Load() (err error) {
|
||||
err = capget(&c.hdr, &c.data[0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
path := "/proc/self/status"
|
||||
if c.hdr.pid != 0 {
|
||||
path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
|
||||
}
|
||||
|
||||
f, err := os.Open(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
b := bufio.NewReader(f)
|
||||
for {
|
||||
line, e := b.ReadString('\n')
|
||||
if e != nil {
|
||||
if e != io.EOF {
|
||||
err = e
|
||||
}
|
||||
break
|
||||
}
|
||||
if strings.HasPrefix(line, "CapB") {
|
||||
_, err = fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0])
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
continue
|
||||
}
|
||||
if strings.HasPrefix(line, "CapA") {
|
||||
_, err = fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0])
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
continue
|
||||
}
|
||||
}
|
||||
f.Close()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (c *capsV3) Apply(kind CapType) (err error) {
|
||||
last, err := LastCap()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if kind&BOUNDS == BOUNDS {
|
||||
var data [2]capData
|
||||
err = capget(&c.hdr, &data[0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
|
||||
for i := Cap(0); i <= last; i++ {
|
||||
if c.Get(BOUNDING, i) {
|
||||
continue
|
||||
}
|
||||
err = prctl(syscall.PR_CAPBSET_DROP, uintptr(i), 0, 0, 0)
|
||||
if err != nil {
|
||||
// Ignore EINVAL since the capability may not be supported in this system.
|
||||
if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
|
||||
err = nil
|
||||
continue
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if kind&CAPS == CAPS {
|
||||
err = capset(&c.hdr, &c.data[0])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if kind&AMBS == AMBS {
|
||||
for i := Cap(0); i <= last; i++ {
|
||||
action := pr_CAP_AMBIENT_LOWER
|
||||
if c.Get(AMBIENT, i) {
|
||||
action = pr_CAP_AMBIENT_RAISE
|
||||
}
|
||||
err = prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
|
||||
if err != nil {
|
||||
// Ignore EINVAL as not supported on kernels before 4.3
|
||||
if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
|
||||
err = nil
|
||||
continue
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func newFile(path string) (c Capabilities, err error) {
|
||||
c = &capsFile{path: path}
|
||||
return
|
||||
}
|
||||
|
||||
type capsFile struct {
|
||||
path string
|
||||
data vfscapData
|
||||
}
|
||||
|
||||
func (c *capsFile) Get(which CapType, what Cap) bool {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
if c.data.version == 1 {
|
||||
return false
|
||||
}
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
switch which {
|
||||
case EFFECTIVE:
|
||||
return (1<<uint(what))&c.data.effective[i] != 0
|
||||
case PERMITTED:
|
||||
return (1<<uint(what))&c.data.data[i].permitted != 0
|
||||
case INHERITABLE:
|
||||
return (1<<uint(what))&c.data.data[i].inheritable != 0
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func (c *capsFile) getData(which CapType, dest []uint32) {
|
||||
switch which {
|
||||
case EFFECTIVE:
|
||||
dest[0] = c.data.effective[0]
|
||||
dest[1] = c.data.effective[1]
|
||||
case PERMITTED:
|
||||
dest[0] = c.data.data[0].permitted
|
||||
dest[1] = c.data.data[1].permitted
|
||||
case INHERITABLE:
|
||||
dest[0] = c.data.data[0].inheritable
|
||||
dest[1] = c.data.data[1].inheritable
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsFile) Empty(which CapType) bool {
|
||||
var data [2]uint32
|
||||
c.getData(which, data[:])
|
||||
return data[0] == 0 && data[1] == 0
|
||||
}
|
||||
|
||||
func (c *capsFile) Full(which CapType) bool {
|
||||
var data [2]uint32
|
||||
c.getData(which, data[:])
|
||||
if c.data.version == 0 {
|
||||
return (data[0] & 0x7fffffff) == 0x7fffffff
|
||||
}
|
||||
if (data[0] & 0xffffffff) != 0xffffffff {
|
||||
return false
|
||||
}
|
||||
mask := capUpperMask()
|
||||
return (data[1] & mask) == mask
|
||||
}
|
||||
|
||||
func (c *capsFile) Set(which CapType, caps ...Cap) {
|
||||
for _, what := range caps {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
if c.data.version == 1 {
|
||||
continue
|
||||
}
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
if which&EFFECTIVE != 0 {
|
||||
c.data.effective[i] |= 1 << uint(what)
|
||||
}
|
||||
if which&PERMITTED != 0 {
|
||||
c.data.data[i].permitted |= 1 << uint(what)
|
||||
}
|
||||
if which&INHERITABLE != 0 {
|
||||
c.data.data[i].inheritable |= 1 << uint(what)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsFile) Unset(which CapType, caps ...Cap) {
|
||||
for _, what := range caps {
|
||||
var i uint
|
||||
if what > 31 {
|
||||
if c.data.version == 1 {
|
||||
continue
|
||||
}
|
||||
i = uint(what) >> 5
|
||||
what %= 32
|
||||
}
|
||||
|
||||
if which&EFFECTIVE != 0 {
|
||||
c.data.effective[i] &= ^(1 << uint(what))
|
||||
}
|
||||
if which&PERMITTED != 0 {
|
||||
c.data.data[i].permitted &= ^(1 << uint(what))
|
||||
}
|
||||
if which&INHERITABLE != 0 {
|
||||
c.data.data[i].inheritable &= ^(1 << uint(what))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsFile) Fill(kind CapType) {
|
||||
if kind&CAPS == CAPS {
|
||||
c.data.effective[0] = 0xffffffff
|
||||
c.data.data[0].permitted = 0xffffffff
|
||||
c.data.data[0].inheritable = 0
|
||||
if c.data.version == 2 {
|
||||
c.data.effective[1] = 0xffffffff
|
||||
c.data.data[1].permitted = 0xffffffff
|
||||
c.data.data[1].inheritable = 0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsFile) Clear(kind CapType) {
|
||||
if kind&CAPS == CAPS {
|
||||
c.data.effective[0] = 0
|
||||
c.data.data[0].permitted = 0
|
||||
c.data.data[0].inheritable = 0
|
||||
if c.data.version == 2 {
|
||||
c.data.effective[1] = 0
|
||||
c.data.data[1].permitted = 0
|
||||
c.data.data[1].inheritable = 0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (c *capsFile) StringCap(which CapType) (ret string) {
|
||||
return mkStringCap(c, which)
|
||||
}
|
||||
|
||||
func (c *capsFile) String() (ret string) {
|
||||
return mkString(c, INHERITABLE)
|
||||
}
|
||||
|
||||
func (c *capsFile) Load() (err error) {
|
||||
return getVfsCap(c.path, &c.data)
|
||||
}
|
||||
|
||||
func (c *capsFile) Apply(kind CapType) (err error) {
|
||||
if kind&CAPS == CAPS {
|
||||
return setVfsCap(c.path, &c.data)
|
||||
}
|
||||
return
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
// Copyright 2023 The Capability Authors.
|
||||
// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
// All rights reserved.
|
||||
//
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
//go:build !linux
|
||||
|
||||
package capability
|
||||
|
||||
import "errors"
|
||||
|
||||
var errNotSup = errors.New("not supported")
|
||||
|
||||
func newPid(_ int) (Capabilities, error) {
|
||||
return nil, errNotSup
|
||||
}
|
||||
|
||||
func newFile(_ string) (Capabilities, error) {
|
||||
return nil, errNotSup
|
||||
}
|
||||
|
||||
func lastCap() (Cap, error) {
|
||||
return -1, errNotSup
|
||||
}
|
|
@ -0,0 +1,330 @@
|
|||
// Copyright 2024 The Capability Authors.
|
||||
// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
// All rights reserved.
|
||||
//
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package capability
|
||||
|
||||
import "slices"
|
||||
|
||||
type CapType uint
|
||||
|
||||
func (c CapType) String() string {
|
||||
switch c {
|
||||
case EFFECTIVE:
|
||||
return "effective"
|
||||
case PERMITTED:
|
||||
return "permitted"
|
||||
case INHERITABLE:
|
||||
return "inheritable"
|
||||
case BOUNDING:
|
||||
return "bounding"
|
||||
case CAPS:
|
||||
return "caps"
|
||||
case AMBIENT:
|
||||
return "ambient"
|
||||
}
|
||||
return "unknown"
|
||||
}
|
||||
|
||||
const (
|
||||
EFFECTIVE CapType = 1 << iota
|
||||
PERMITTED
|
||||
INHERITABLE
|
||||
BOUNDING
|
||||
AMBIENT
|
||||
|
||||
CAPS = EFFECTIVE | PERMITTED | INHERITABLE
|
||||
BOUNDS = BOUNDING
|
||||
AMBS = AMBIENT
|
||||
)
|
||||
|
||||
//go:generate go run enumgen/gen.go
|
||||
type Cap int
|
||||
|
||||
// POSIX-draft defined capabilities and Linux extensions.
|
||||
//
|
||||
// Defined in https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h
|
||||
const (
|
||||
// In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
|
||||
// overrides the restriction of changing file ownership and group
|
||||
// ownership.
|
||||
CAP_CHOWN = Cap(0)
|
||||
|
||||
// Override all DAC access, including ACL execute access if
|
||||
// [_POSIX_ACL] is defined. Excluding DAC access covered by
|
||||
// CAP_LINUX_IMMUTABLE.
|
||||
CAP_DAC_OVERRIDE = Cap(1)
|
||||
|
||||
// Overrides all DAC restrictions regarding read and search on files
|
||||
// and directories, including ACL restrictions if [_POSIX_ACL] is
|
||||
// defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
|
||||
CAP_DAC_READ_SEARCH = Cap(2)
|
||||
|
||||
// Overrides all restrictions about allowed operations on files, where
|
||||
// file owner ID must be equal to the user ID, except where CAP_FSETID
|
||||
// is applicable. It doesn't override MAC and DAC restrictions.
|
||||
CAP_FOWNER = Cap(3)
|
||||
|
||||
// Overrides the following restrictions that the effective user ID
|
||||
// shall match the file owner ID when setting the S_ISUID and S_ISGID
|
||||
// bits on that file; that the effective group ID (or one of the
|
||||
// supplementary group IDs) shall match the file owner ID when setting
|
||||
// the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
|
||||
// cleared on successful return from chown(2) (not implemented).
|
||||
CAP_FSETID = Cap(4)
|
||||
|
||||
// Overrides the restriction that the real or effective user ID of a
|
||||
// process sending a signal must match the real or effective user ID
|
||||
// of the process receiving the signal.
|
||||
CAP_KILL = Cap(5)
|
||||
|
||||
// Allows setgid(2) manipulation
|
||||
// Allows setgroups(2)
|
||||
// Allows forged gids on socket credentials passing.
|
||||
CAP_SETGID = Cap(6)
|
||||
|
||||
// Allows set*uid(2) manipulation (including fsuid).
|
||||
// Allows forged pids on socket credentials passing.
|
||||
CAP_SETUID = Cap(7)
|
||||
|
||||
// Linux-specific capabilities
|
||||
|
||||
// Without VFS support for capabilities:
|
||||
// Transfer any capability in your permitted set to any pid,
|
||||
// remove any capability in your permitted set from any pid
|
||||
// With VFS support for capabilities (neither of above, but)
|
||||
// Add any capability from current's capability bounding set
|
||||
// to the current process' inheritable set
|
||||
// Allow taking bits out of capability bounding set
|
||||
// Allow modification of the securebits for a process
|
||||
CAP_SETPCAP = Cap(8)
|
||||
|
||||
// Allow modification of S_IMMUTABLE and S_APPEND file attributes
|
||||
CAP_LINUX_IMMUTABLE = Cap(9)
|
||||
|
||||
// Allows binding to TCP/UDP sockets below 1024
|
||||
// Allows binding to ATM VCIs below 32
|
||||
CAP_NET_BIND_SERVICE = Cap(10)
|
||||
|
||||
// Allow broadcasting, listen to multicast
|
||||
CAP_NET_BROADCAST = Cap(11)
|
||||
|
||||
// Allow interface configuration
|
||||
// Allow administration of IP firewall, masquerading and accounting
|
||||
// Allow setting debug option on sockets
|
||||
// Allow modification of routing tables
|
||||
// Allow setting arbitrary process / process group ownership on
|
||||
// sockets
|
||||
// Allow binding to any address for transparent proxying (also via NET_RAW)
|
||||
// Allow setting TOS (type of service)
|
||||
// Allow setting promiscuous mode
|
||||
// Allow clearing driver statistics
|
||||
// Allow multicasting
|
||||
// Allow read/write of device-specific registers
|
||||
// Allow activation of ATM control sockets
|
||||
CAP_NET_ADMIN = Cap(12)
|
||||
|
||||
// Allow use of RAW sockets
|
||||
// Allow use of PACKET sockets
|
||||
// Allow binding to any address for transparent proxying (also via NET_ADMIN)
|
||||
CAP_NET_RAW = Cap(13)
|
||||
|
||||
// Allow locking of shared memory segments
|
||||
// Allow mlock and mlockall (which doesn't really have anything to do
|
||||
// with IPC)
|
||||
CAP_IPC_LOCK = Cap(14)
|
||||
|
||||
// Override IPC ownership checks
|
||||
CAP_IPC_OWNER = Cap(15)
|
||||
|
||||
// Insert and remove kernel modules - modify kernel without limit
|
||||
CAP_SYS_MODULE = Cap(16)
|
||||
|
||||
// Allow ioperm/iopl access
|
||||
// Allow sending USB messages to any device via /proc/bus/usb
|
||||
CAP_SYS_RAWIO = Cap(17)
|
||||
|
||||
// Allow use of chroot()
|
||||
CAP_SYS_CHROOT = Cap(18)
|
||||
|
||||
// Allow ptrace() of any process
|
||||
CAP_SYS_PTRACE = Cap(19)
|
||||
|
||||
// Allow configuration of process accounting
|
||||
CAP_SYS_PACCT = Cap(20)
|
||||
|
||||
// Allow configuration of the secure attention key
|
||||
// Allow administration of the random device
|
||||
// Allow examination and configuration of disk quotas
|
||||
// Allow setting the domainname
|
||||
// Allow setting the hostname
|
||||
// Allow calling bdflush()
|
||||
// Allow mount() and umount(), setting up new smb connection
|
||||
// Allow some autofs root ioctls
|
||||
// Allow nfsservctl
|
||||
// Allow VM86_REQUEST_IRQ
|
||||
// Allow to read/write pci config on alpha
|
||||
// Allow irix_prctl on mips (setstacksize)
|
||||
// Allow flushing all cache on m68k (sys_cacheflush)
|
||||
// Allow removing semaphores
|
||||
// Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores
|
||||
// and shared memory
|
||||
// Allow locking/unlocking of shared memory segment
|
||||
// Allow turning swap on/off
|
||||
// Allow forged pids on socket credentials passing
|
||||
// Allow setting readahead and flushing buffers on block devices
|
||||
// Allow setting geometry in floppy driver
|
||||
// Allow turning DMA on/off in xd driver
|
||||
// Allow administration of md devices (mostly the above, but some
|
||||
// extra ioctls)
|
||||
// Allow tuning the ide driver
|
||||
// Allow access to the nvram device
|
||||
// Allow administration of apm_bios, serial and bttv (TV) device
|
||||
// Allow manufacturer commands in isdn CAPI support driver
|
||||
// Allow reading non-standardized portions of pci configuration space
|
||||
// Allow DDI debug ioctl on sbpcd driver
|
||||
// Allow setting up serial ports
|
||||
// Allow sending raw qic-117 commands
|
||||
// Allow enabling/disabling tagged queuing on SCSI controllers and sending
|
||||
// arbitrary SCSI commands
|
||||
// Allow setting encryption key on loopback filesystem
|
||||
// Allow setting zone reclaim policy
|
||||
// Allow everything under CAP_BPF and CAP_PERFMON for backward compatibility
|
||||
CAP_SYS_ADMIN = Cap(21)
|
||||
|
||||
// Allow use of reboot()
|
||||
CAP_SYS_BOOT = Cap(22)
|
||||
|
||||
// Allow raising priority and setting priority on other (different
|
||||
// UID) processes
|
||||
// Allow use of FIFO and round-robin (realtime) scheduling on own
|
||||
// processes and setting the scheduling algorithm used by another
|
||||
// process.
|
||||
// Allow setting cpu affinity on other processes
|
||||
CAP_SYS_NICE = Cap(23)
|
||||
|
||||
// Override resource limits. Set resource limits.
|
||||
// Override quota limits.
|
||||
// Override reserved space on ext2 filesystem
|
||||
// Modify data journaling mode on ext3 filesystem (uses journaling
|
||||
// resources)
|
||||
// NOTE: ext2 honors fsuid when checking for resource overrides, so
|
||||
// you can override using fsuid too
|
||||
// Override size restrictions on IPC message queues
|
||||
// Allow more than 64hz interrupts from the real-time clock
|
||||
// Override max number of consoles on console allocation
|
||||
// Override max number of keymaps
|
||||
// Control memory reclaim behavior
|
||||
CAP_SYS_RESOURCE = Cap(24)
|
||||
|
||||
// Allow manipulation of system clock
|
||||
// Allow irix_stime on mips
|
||||
// Allow setting the real-time clock
|
||||
CAP_SYS_TIME = Cap(25)
|
||||
|
||||
// Allow configuration of tty devices
|
||||
// Allow vhangup() of tty
|
||||
CAP_SYS_TTY_CONFIG = Cap(26)
|
||||
|
||||
// Allow the privileged aspects of mknod()
|
||||
CAP_MKNOD = Cap(27)
|
||||
|
||||
// Allow taking of leases on files
|
||||
CAP_LEASE = Cap(28)
|
||||
|
||||
CAP_AUDIT_WRITE = Cap(29)
|
||||
CAP_AUDIT_CONTROL = Cap(30)
|
||||
CAP_SETFCAP = Cap(31)
|
||||
|
||||
// Override MAC access.
|
||||
// The base kernel enforces no MAC policy.
|
||||
// An LSM may enforce a MAC policy, and if it does and it chooses
|
||||
// to implement capability based overrides of that policy, this is
|
||||
// the capability it should use to do so.
|
||||
CAP_MAC_OVERRIDE = Cap(32)
|
||||
|
||||
// Allow MAC configuration or state changes.
|
||||
// The base kernel requires no MAC configuration.
|
||||
// An LSM may enforce a MAC policy, and if it does and it chooses
|
||||
// to implement capability based checks on modifications to that
|
||||
// policy or the data required to maintain it, this is the
|
||||
// capability it should use to do so.
|
||||
CAP_MAC_ADMIN = Cap(33)
|
||||
|
||||
// Allow configuring the kernel's syslog (printk behaviour)
|
||||
CAP_SYSLOG = Cap(34)
|
||||
|
||||
// Allow triggering something that will wake the system
|
||||
CAP_WAKE_ALARM = Cap(35)
|
||||
|
||||
// Allow preventing system suspends
|
||||
CAP_BLOCK_SUSPEND = Cap(36)
|
||||
|
||||
// Allow reading the audit log via multicast netlink socket
|
||||
CAP_AUDIT_READ = Cap(37)
|
||||
|
||||
// Allow system performance and observability privileged operations
|
||||
// using perf_events, i915_perf and other kernel subsystems
|
||||
CAP_PERFMON = Cap(38)
|
||||
|
||||
// CAP_BPF allows the following BPF operations:
|
||||
// - Creating all types of BPF maps
|
||||
// - Advanced verifier features
|
||||
// - Indirect variable access
|
||||
// - Bounded loops
|
||||
// - BPF to BPF function calls
|
||||
// - Scalar precision tracking
|
||||
// - Larger complexity limits
|
||||
// - Dead code elimination
|
||||
// - And potentially other features
|
||||
// - Loading BPF Type Format (BTF) data
|
||||
// - Retrieve xlated and JITed code of BPF programs
|
||||
// - Use bpf_spin_lock() helper
|
||||
//
|
||||
// CAP_PERFMON relaxes the verifier checks further:
|
||||
// - BPF progs can use of pointer-to-integer conversions
|
||||
// - speculation attack hardening measures are bypassed
|
||||
// - bpf_probe_read to read arbitrary kernel memory is allowed
|
||||
// - bpf_trace_printk to print kernel memory is allowed
|
||||
//
|
||||
// CAP_SYS_ADMIN is required to use bpf_probe_write_user.
|
||||
//
|
||||
// CAP_SYS_ADMIN is required to iterate system wide loaded
|
||||
// programs, maps, links, BTFs and convert their IDs to file descriptors.
|
||||
//
|
||||
// CAP_PERFMON and CAP_BPF are required to load tracing programs.
|
||||
// CAP_NET_ADMIN and CAP_BPF are required to load networking programs.
|
||||
CAP_BPF = Cap(39)
|
||||
|
||||
// Allow checkpoint/restore related operations.
|
||||
// Introduced in kernel 5.9
|
||||
CAP_CHECKPOINT_RESTORE = Cap(40)
|
||||
)
|
||||
|
||||
// List returns the list of all capabilities known to the package.
|
||||
//
|
||||
// Deprecated: use [ListKnown] or [ListSupported] instead.
|
||||
func List() []Cap {
|
||||
return ListKnown()
|
||||
}
|
||||
|
||||
// ListKnown returns the list of all capabilities known to the package.
|
||||
func ListKnown() []Cap {
|
||||
return list()
|
||||
}
|
||||
|
||||
// ListSupported retuns the list of all capabilities known to the package,
|
||||
// except those that are not supported by the currently running Linux kernel.
|
||||
func ListSupported() ([]Cap, error) {
|
||||
last, err := LastCap()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return slices.DeleteFunc(list(), func(c Cap) bool {
|
||||
// Remove caps not supported by the kernel.
|
||||
return c > last
|
||||
}), nil
|
||||
}
|
|
@ -0,0 +1,137 @@
|
|||
// Code generated by go generate; DO NOT EDIT.
|
||||
|
||||
package capability
|
||||
|
||||
func (c Cap) String() string {
|
||||
switch c {
|
||||
case CAP_CHOWN:
|
||||
return "chown"
|
||||
case CAP_DAC_OVERRIDE:
|
||||
return "dac_override"
|
||||
case CAP_DAC_READ_SEARCH:
|
||||
return "dac_read_search"
|
||||
case CAP_FOWNER:
|
||||
return "fowner"
|
||||
case CAP_FSETID:
|
||||
return "fsetid"
|
||||
case CAP_KILL:
|
||||
return "kill"
|
||||
case CAP_SETGID:
|
||||
return "setgid"
|
||||
case CAP_SETUID:
|
||||
return "setuid"
|
||||
case CAP_SETPCAP:
|
||||
return "setpcap"
|
||||
case CAP_LINUX_IMMUTABLE:
|
||||
return "linux_immutable"
|
||||
case CAP_NET_BIND_SERVICE:
|
||||
return "net_bind_service"
|
||||
case CAP_NET_BROADCAST:
|
||||
return "net_broadcast"
|
||||
case CAP_NET_ADMIN:
|
||||
return "net_admin"
|
||||
case CAP_NET_RAW:
|
||||
return "net_raw"
|
||||
case CAP_IPC_LOCK:
|
||||
return "ipc_lock"
|
||||
case CAP_IPC_OWNER:
|
||||
return "ipc_owner"
|
||||
case CAP_SYS_MODULE:
|
||||
return "sys_module"
|
||||
case CAP_SYS_RAWIO:
|
||||
return "sys_rawio"
|
||||
case CAP_SYS_CHROOT:
|
||||
return "sys_chroot"
|
||||
case CAP_SYS_PTRACE:
|
||||
return "sys_ptrace"
|
||||
case CAP_SYS_PACCT:
|
||||
return "sys_pacct"
|
||||
case CAP_SYS_ADMIN:
|
||||
return "sys_admin"
|
||||
case CAP_SYS_BOOT:
|
||||
return "sys_boot"
|
||||
case CAP_SYS_NICE:
|
||||
return "sys_nice"
|
||||
case CAP_SYS_RESOURCE:
|
||||
return "sys_resource"
|
||||
case CAP_SYS_TIME:
|
||||
return "sys_time"
|
||||
case CAP_SYS_TTY_CONFIG:
|
||||
return "sys_tty_config"
|
||||
case CAP_MKNOD:
|
||||
return "mknod"
|
||||
case CAP_LEASE:
|
||||
return "lease"
|
||||
case CAP_AUDIT_WRITE:
|
||||
return "audit_write"
|
||||
case CAP_AUDIT_CONTROL:
|
||||
return "audit_control"
|
||||
case CAP_SETFCAP:
|
||||
return "setfcap"
|
||||
case CAP_MAC_OVERRIDE:
|
||||
return "mac_override"
|
||||
case CAP_MAC_ADMIN:
|
||||
return "mac_admin"
|
||||
case CAP_SYSLOG:
|
||||
return "syslog"
|
||||
case CAP_WAKE_ALARM:
|
||||
return "wake_alarm"
|
||||
case CAP_BLOCK_SUSPEND:
|
||||
return "block_suspend"
|
||||
case CAP_AUDIT_READ:
|
||||
return "audit_read"
|
||||
case CAP_PERFMON:
|
||||
return "perfmon"
|
||||
case CAP_BPF:
|
||||
return "bpf"
|
||||
case CAP_CHECKPOINT_RESTORE:
|
||||
return "checkpoint_restore"
|
||||
}
|
||||
return "unknown"
|
||||
}
|
||||
|
||||
func list() []Cap {
|
||||
return []Cap{
|
||||
CAP_CHOWN,
|
||||
CAP_DAC_OVERRIDE,
|
||||
CAP_DAC_READ_SEARCH,
|
||||
CAP_FOWNER,
|
||||
CAP_FSETID,
|
||||
CAP_KILL,
|
||||
CAP_SETGID,
|
||||
CAP_SETUID,
|
||||
CAP_SETPCAP,
|
||||
CAP_LINUX_IMMUTABLE,
|
||||
CAP_NET_BIND_SERVICE,
|
||||
CAP_NET_BROADCAST,
|
||||
CAP_NET_ADMIN,
|
||||
CAP_NET_RAW,
|
||||
CAP_IPC_LOCK,
|
||||
CAP_IPC_OWNER,
|
||||
CAP_SYS_MODULE,
|
||||
CAP_SYS_RAWIO,
|
||||
CAP_SYS_CHROOT,
|
||||
CAP_SYS_PTRACE,
|
||||
CAP_SYS_PACCT,
|
||||
CAP_SYS_ADMIN,
|
||||
CAP_SYS_BOOT,
|
||||
CAP_SYS_NICE,
|
||||
CAP_SYS_RESOURCE,
|
||||
CAP_SYS_TIME,
|
||||
CAP_SYS_TTY_CONFIG,
|
||||
CAP_MKNOD,
|
||||
CAP_LEASE,
|
||||
CAP_AUDIT_WRITE,
|
||||
CAP_AUDIT_CONTROL,
|
||||
CAP_SETFCAP,
|
||||
CAP_MAC_OVERRIDE,
|
||||
CAP_MAC_ADMIN,
|
||||
CAP_SYSLOG,
|
||||
CAP_WAKE_ALARM,
|
||||
CAP_BLOCK_SUSPEND,
|
||||
CAP_AUDIT_READ,
|
||||
CAP_PERFMON,
|
||||
CAP_BPF,
|
||||
CAP_CHECKPOINT_RESTORE,
|
||||
}
|
||||
}
|
|
@ -0,0 +1,153 @@
|
|||
// Copyright 2024 The Capability Authors.
|
||||
// Copyright 2013 Suryandaru Triandana <syndtr@gmail.com>
|
||||
// All rights reserved.
|
||||
//
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package capability
|
||||
|
||||
import (
|
||||
"syscall"
|
||||
"unsafe"
|
||||
)
|
||||
|
||||
type capHeader struct {
|
||||
version uint32
|
||||
pid int32
|
||||
}
|
||||
|
||||
type capData struct {
|
||||
effective uint32
|
||||
permitted uint32
|
||||
inheritable uint32
|
||||
}
|
||||
|
||||
func capget(hdr *capHeader, data *capData) (err error) {
|
||||
_, _, e1 := syscall.Syscall(syscall.SYS_CAPGET, uintptr(unsafe.Pointer(hdr)), uintptr(unsafe.Pointer(data)), 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func capset(hdr *capHeader, data *capData) (err error) {
|
||||
_, _, e1 := syscall.Syscall(syscall.SYS_CAPSET, uintptr(unsafe.Pointer(hdr)), uintptr(unsafe.Pointer(data)), 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// not yet in syscall
|
||||
const (
|
||||
pr_CAP_AMBIENT = 47
|
||||
pr_CAP_AMBIENT_IS_SET = uintptr(1)
|
||||
pr_CAP_AMBIENT_RAISE = uintptr(2)
|
||||
pr_CAP_AMBIENT_LOWER = uintptr(3)
|
||||
pr_CAP_AMBIENT_CLEAR_ALL = uintptr(4)
|
||||
)
|
||||
|
||||
func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
|
||||
_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
const (
|
||||
vfsXattrName = "security.capability"
|
||||
|
||||
vfsCapVerMask = 0xff000000
|
||||
vfsCapVer1 = 0x01000000
|
||||
vfsCapVer2 = 0x02000000
|
||||
|
||||
vfsCapFlagMask = ^vfsCapVerMask
|
||||
vfsCapFlageffective = 0x000001
|
||||
|
||||
vfscapDataSizeV1 = 4 * (1 + 2*1)
|
||||
vfscapDataSizeV2 = 4 * (1 + 2*2)
|
||||
)
|
||||
|
||||
type vfscapData struct {
|
||||
magic uint32
|
||||
data [2]struct {
|
||||
permitted uint32
|
||||
inheritable uint32
|
||||
}
|
||||
effective [2]uint32
|
||||
version int8
|
||||
}
|
||||
|
||||
var _vfsXattrName *byte
|
||||
|
||||
func init() {
|
||||
_vfsXattrName, _ = syscall.BytePtrFromString(vfsXattrName)
|
||||
}
|
||||
|
||||
func getVfsCap(path string, dest *vfscapData) (err error) {
|
||||
var _p0 *byte
|
||||
_p0, err = syscall.BytePtrFromString(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
r0, _, e1 := syscall.Syscall6(syscall.SYS_GETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(dest)), vfscapDataSizeV2, 0, 0)
|
||||
if e1 != 0 {
|
||||
if e1 == syscall.ENODATA {
|
||||
dest.version = 2
|
||||
return
|
||||
}
|
||||
err = e1
|
||||
}
|
||||
switch dest.magic & vfsCapVerMask {
|
||||
case vfsCapVer1:
|
||||
dest.version = 1
|
||||
if r0 != vfscapDataSizeV1 {
|
||||
return syscall.EINVAL
|
||||
}
|
||||
dest.data[1].permitted = 0
|
||||
dest.data[1].inheritable = 0
|
||||
case vfsCapVer2:
|
||||
dest.version = 2
|
||||
if r0 != vfscapDataSizeV2 {
|
||||
return syscall.EINVAL
|
||||
}
|
||||
default:
|
||||
return syscall.EINVAL
|
||||
}
|
||||
if dest.magic&vfsCapFlageffective != 0 {
|
||||
dest.effective[0] = dest.data[0].permitted | dest.data[0].inheritable
|
||||
dest.effective[1] = dest.data[1].permitted | dest.data[1].inheritable
|
||||
} else {
|
||||
dest.effective[0] = 0
|
||||
dest.effective[1] = 0
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func setVfsCap(path string, data *vfscapData) (err error) {
|
||||
var _p0 *byte
|
||||
_p0, err = syscall.BytePtrFromString(path)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
var size uintptr
|
||||
if data.version == 1 {
|
||||
data.magic = vfsCapVer1
|
||||
size = vfscapDataSizeV1
|
||||
} else if data.version == 2 {
|
||||
data.magic = vfsCapVer2
|
||||
if data.effective[0] != 0 || data.effective[1] != 0 {
|
||||
data.magic |= vfsCapFlageffective
|
||||
}
|
||||
size = vfscapDataSizeV2
|
||||
} else {
|
||||
return syscall.EINVAL
|
||||
}
|
||||
_, _, e1 := syscall.Syscall6(syscall.SYS_SETXATTR, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_vfsXattrName)), uintptr(unsafe.Pointer(data)), size, 0, 0)
|
||||
if e1 != 0 {
|
||||
err = e1
|
||||
}
|
||||
return
|
||||
}
|
|
@ -205,6 +205,9 @@ github.com/moby/swarmkit/v2/api/defaults
|
|||
github.com/moby/swarmkit/v2/api/genericresource
|
||||
github.com/moby/swarmkit/v2/manager/raftselector
|
||||
github.com/moby/swarmkit/v2/protobuf/plugin
|
||||
# github.com/moby/sys/capability v0.3.0
|
||||
## explicit; go 1.21
|
||||
github.com/moby/sys/capability
|
||||
# github.com/moby/sys/sequential v0.6.0
|
||||
## explicit; go 1.17
|
||||
github.com/moby/sys/sequential
|
||||
|
|
Loading…
Reference in New Issue