-
Notifications
You must be signed in to change notification settings - Fork 97
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
LGTMs: @cyphar Closes openSUSE/umoci#114
- Loading branch information
Showing
24 changed files
with
1,099 additions
and
2,036 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
135 changes: 135 additions & 0 deletions
135
hack/runtime-tools-0001-generate-remove-validate-dependency.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,135 @@ | ||
From cc52997196f8bf7717c5efb5aacd647bc0977282 Mon Sep 17 00:00:00 2001 | ||
From: Aleksa Sarai <asarai@suse.de> | ||
Date: Tue, 11 Apr 2017 23:38:02 +1000 | ||
Subject: [PATCH] generate: remove validate dependency | ||
|
||
The two modules {validate,generate} should be mutually exclusive and | ||
should not depend on each other. In addition, it is not the job of | ||
generate to carry out validation of any arguments provided (especially | ||
system-specific arguments). | ||
|
||
lastCap needs two copies because of the RHEL6 hack, which is a shame but | ||
does not justify the import dependency (because that dependency pulls in | ||
logrus and a few other libraries for no good reason). | ||
|
||
Fixes: 1a899a6d893e ("validate: optimize capabilites check") | ||
Signed-off-by: Aleksa Sarai <asarai@suse.de> | ||
--- | ||
generate/generate.go | 27 +++++++++++++++------------ | ||
validate/validate.go | 13 +++++++------ | ||
2 files changed, 22 insertions(+), 18 deletions(-) | ||
|
||
diff --git a/generate/generate.go b/generate/generate.go | ||
index f8a6294ec796..36bb4785d9e3 100644 | ||
--- a/generate/generate.go | ||
+++ b/generate/generate.go | ||
@@ -11,7 +11,6 @@ import ( | ||
|
||
rspec "github.com/opencontainers/runtime-spec/specs-go" | ||
"github.com/opencontainers/runtime-tools/generate/seccomp" | ||
- "github.com/opencontainers/runtime-tools/validate" | ||
"github.com/syndtr/gocapability/capability" | ||
) | ||
|
||
@@ -819,12 +818,24 @@ func (g *Generator) AddBindMount(source, dest string, options []string) { | ||
g.spec.Mounts = append(g.spec.Mounts, mnt) | ||
} | ||
|
||
+// lastCap return last cap of system, and is required to hack around RHEL6. | ||
+// This is an exact copy of "validate/validate.go".lastCap. | ||
+func lastCap() capability.Cap { | ||
+ last := capability.CAP_LAST_CAP | ||
+ // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap | ||
+ if last == capability.Cap(63) { | ||
+ last = capability.CAP_BLOCK_SUSPEND | ||
+ } | ||
+ | ||
+ return last | ||
+} | ||
+ | ||
// SetupPrivileged sets up the privilege-related fields inside g.spec. | ||
func (g *Generator) SetupPrivileged(privileged bool) { | ||
if privileged { // Add all capabilities in privileged mode. | ||
var finalCapList []string | ||
for _, cap := range capability.List() { | ||
- if g.HostSpecific && cap > validate.LastCap() { | ||
+ if g.HostSpecific && cap > lastCap() { | ||
continue | ||
} | ||
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))) | ||
@@ -855,12 +866,8 @@ func (g *Generator) ClearProcessCapabilities() { | ||
|
||
// AddProcessCapability adds a process capability into g.spec.Process.Capabilities. | ||
func (g *Generator) AddProcessCapability(c string) error { | ||
- cp := strings.ToUpper(c) | ||
- if err := validate.CapValid(cp, g.HostSpecific); err != nil { | ||
- return err | ||
- } | ||
- | ||
g.initSpec() | ||
+ cp := strings.ToUpper(c) | ||
|
||
for _, cap := range g.spec.Process.Capabilities.Bounding { | ||
if strings.ToUpper(cap) == cp { | ||
@@ -902,12 +909,8 @@ func (g *Generator) AddProcessCapability(c string) error { | ||
|
||
// DropProcessCapability drops a process capability from g.spec.Process.Capabilities. | ||
func (g *Generator) DropProcessCapability(c string) error { | ||
- cp := strings.ToUpper(c) | ||
- if err := validate.CapValid(cp, g.HostSpecific); err != nil { | ||
- return err | ||
- } | ||
- | ||
g.initSpec() | ||
+ cp := strings.ToUpper(c) | ||
|
||
for i, cap := range g.spec.Process.Capabilities.Bounding { | ||
if strings.ToUpper(cap) == cp { | ||
diff --git a/validate/validate.go b/validate/validate.go | ||
index 76c3ca6a7337..c834815260ae 100644 | ||
--- a/validate/validate.go | ||
+++ b/validate/validate.go | ||
@@ -312,7 +312,7 @@ func (v *Validator) CheckCapablities() (msgs []string) { | ||
} | ||
|
||
for _, capability := range caps { | ||
- if err := CapValid(capability, v.HostSpecific); err != nil { | ||
+ if err := capValid(capability, v.HostSpecific); err != nil { | ||
msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability)) | ||
} | ||
} | ||
@@ -614,8 +614,8 @@ func (v *Validator) CheckSeccomp() (msgs []string) { | ||
return | ||
} | ||
|
||
-// CapValid checks whether a capability is valid | ||
-func CapValid(c string, hostSpecific bool) error { | ||
+// capValid checks whether a capability is valid | ||
+func capValid(c string, hostSpecific bool) error { | ||
isValid := false | ||
|
||
if !strings.HasPrefix(c, "CAP_") { | ||
@@ -623,7 +623,7 @@ func CapValid(c string, hostSpecific bool) error { | ||
} | ||
for _, cap := range capability.List() { | ||
if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) { | ||
- if hostSpecific && cap > LastCap() { | ||
+ if hostSpecific && cap > lastCap() { | ||
return fmt.Errorf("CAP_%s is not supported on the current host", c) | ||
} | ||
isValid = true | ||
@@ -637,8 +637,9 @@ func CapValid(c string, hostSpecific bool) error { | ||
return nil | ||
} | ||
|
||
-// LastCap return last cap of system | ||
-func LastCap() capability.Cap { | ||
+// lastCap return last cap of system, and is required to hack around RHEL6. | ||
+// This is an exact copy of "generate/generate.go".lastCap. | ||
+func lastCap() capability.Cap { | ||
last := capability.CAP_LAST_CAP | ||
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap | ||
if last == capability.Cap(63) { | ||
-- | ||
2.12.2 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.