Commit 9311515

author
Ma Shimiao
committed
validate: optimize capabilites check
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
1 parent 96609ba commit 9311515

1 file changed

Lines changed: 36 additions & 35 deletions

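--- a/cmd/oci-runtime-tool/validate.go
+++ b/cmd/oci-runtime-tool/validate.go
@@ -17,6 +17,7 @@ import (
 "github.com/Sirupsen/logrus"
 "github.com/blang/semver"
 rspec "github.com/opencontainers/runtime-spec/specs-go"
+"github.com/syndtr/gocapability/capability"
 "github.com/urfave/cli"
 )
 
@@ -27,39 +28,23 @@ var bundleValidateFlags = []cli.Flag{
 }
 
 var (
-defaultRlimits = []string{
+validRlimits = []string{
+"RLIMIT_AS",
+"RLIMIT_CORE",
 "RLIMIT_CPU",
-"RLIMIT_FSIZE",
 "RLIMIT_DATA",
-"RLIMIT_STACK",
-"RLIMIT_CORE",
-"RLIMIT_RSS",
-"RLIMIT_NPROC",
-"RLIMIT_NOFILE",
-"RLIMIT_MEMLOCK",
-"RLIMIT_AS",
+"RLIMIT_FSIZE",
 "RLIMIT_LOCKS",
-"RLIMIT_SIGPENDING",
+"RLIMIT_MEMLOCK",
 "RLIMIT_MSGQUEUE",
 "RLIMIT_NICE",
+"RLIMIT_NOFILE",
+"RLIMIT_NPROC",
+"RLIMIT_RSS",
 "RLIMIT_RTPRIO",
 "RLIMIT_RTTIME",
-}
-defaultCaps = []string{
-"CAP_CHOWN",
-"CAP_DAC_OVERRIDE",
-"CAP_FSETID",
-"CAP_FOWNER",
-"CAP_MKNOD",
-"CAP_NET_RAW",
-"CAP_SETGID",
-"CAP_SETUID",
-"CAP_SETFCAP",
-"CAP_SETPCAP",
-"CAP_NET_BIND_SERVICE",
-"CAP_SYS_CHROOT",
-"CAP_KILL",
-"CAP_AUDIT_WRITE",
+"RLIMIT_SIGPENDING",
+"RLIMIT_STACK",
 }
 )
 
@@ -225,8 +210,8 @@ func checkProcess(spec rspec.Spec, rootfs string, hostCheck bool) (msgs []string
 
 for index := 0; index < len(process.Capabilities); index++ {
 capability := process.Capabilities[index]
-if !capValid(capability) {
-msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", process.Capabilities[index]))
+if !capValid(capability, hostCheck) {
+msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
 }
 }
 
@@ -465,17 +450,33 @@ func envValid(env string) bool {
 return true
 }
 
-func capValid(capability string) bool {
-for _, val := range defaultCaps {
-if val == capability {
-return true
-}
-}
+func capValid(c string, hostSpecific bool) bool {
+cp := strings.ToUpper(c)
+
+for _, cap := range capability.List() {
+if cp == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
+if hostSpecific && cap > lastCap() {
+return false
+}
+return true
+}
+}
+
 return false
 }
 
+func lastCap() capability.Cap {
+last := capability.CAP_LAST_CAP
+// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+if last == capability.Cap(63) {
+last = capability.CAP_BLOCK_SUSPEND
+}
+
+return last
+}
+
 func rlimitValid(rlimit string) bool {
-for _, val := range defaultRlimits {
+for _, val := range validRlimits {
 if val == rlimit {
 return true
 }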
