Skip to content

Commit

Permalink
generate: remove validate dependency
Browse files Browse the repository at this point in the history 
The two modules {validate,generate} should be mutually exclusive and
should not depend on each other. In addition, it is not the job of
generate to carry out validation of any arguments provided (especially
system-specific arguments).

lastCap needs two copies because of the RHEL6 hack, which is a shame but
does not justify the import dependency (because that dependency pulls in
logrus and a few other libraries for no good reason).

Fixes: 1a899a6 ("validate: optimize capabilites check")
Signed-off-by: Aleksa Sarai <[email protected]>
  • Loading branch information
@cyphar
cyphar committed Apr 11, 2017
1 parent 2f0b832 commit cc52997
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 18 deletions.
27 changes: 15 additions & 12 deletions generate/generate.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (

rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate/seccomp"
"github.com/opencontainers/runtime-tools/validate"
"github.com/syndtr/gocapability/capability"
)

Expand Down Expand Up @@ -819,12 +818,24 @@ func (g *Generator) AddBindMount(source, dest string, options []string) {
g.spec.Mounts = append(g.spec.Mounts, mnt)
}

// lastCap return last cap of system, and is required to hack around RHEL6.
// This is an exact copy of "validate/validate.go".lastCap.
func lastCap() capability.Cap {
last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
last = capability.CAP_BLOCK_SUSPEND
}

return last
}

// SetupPrivileged sets up the privilege-related fields inside g.spec.
func (g *Generator) SetupPrivileged(privileged bool) {
if privileged { // Add all capabilities in privileged mode.
var finalCapList []string
for _, cap := range capability.List() {
if g.HostSpecific && cap > validate.LastCap() {
if g.HostSpecific && cap > lastCap() {
continue
}
finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
Expand Down Expand Up @@ -855,12 +866,8 @@ func (g *Generator) ClearProcessCapabilities() {

// AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
func (g *Generator) AddProcessCapability(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}

g.initSpec()
cp := strings.ToUpper(c)

for _, cap := range g.spec.Process.Capabilities.Bounding {
if strings.ToUpper(cap) == cp {
Expand Down Expand Up @@ -902,12 +909,8 @@ func (g *Generator) AddProcessCapability(c string) error {

// DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
func (g *Generator) DropProcessCapability(c string) error {
cp := strings.ToUpper(c)
if err := validate.CapValid(cp, g.HostSpecific); err != nil {
return err
}

g.initSpec()
cp := strings.ToUpper(c)

for i, cap := range g.spec.Process.Capabilities.Bounding {
if strings.ToUpper(cap) == cp {
Expand Down
13 changes: 7 additions & 6 deletions validate/validate.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,7 @@ func (v *Validator) CheckCapablities() (msgs []string) {
}

for _, capability := range caps {
if err := CapValid(capability, v.HostSpecific); err != nil {
if err := capValid(capability, v.HostSpecific); err != nil {
msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
}
}
Expand Down Expand Up @@ -614,16 +614,16 @@ func (v *Validator) CheckSeccomp() (msgs []string) {
return
}

// CapValid checks whether a capability is valid
func CapValid(c string, hostSpecific bool) error {
// capValid checks whether a capability is valid
func capValid(c string, hostSpecific bool) error {
isValid := false

if !strings.HasPrefix(c, "CAP_") {
return fmt.Errorf("capability %s must start with CAP_", c)
}
for _, cap := range capability.List() {
if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
if hostSpecific && cap > LastCap() {
if hostSpecific && cap > lastCap() {
return fmt.Errorf("CAP_%s is not supported on the current host", c)
}
isValid = true
Expand All @@ -637,8 +637,9 @@ func CapValid(c string, hostSpecific bool) error {
return nil
}

// LastCap return last cap of system
func LastCap() capability.Cap {
// lastCap return last cap of system, and is required to hack around RHEL6.
// This is an exact copy of "generate/generate.go".lastCap.
func lastCap() capability.Cap {
last := capability.CAP_LAST_CAP
// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
if last == capability.Cap(63) {
Expand Down

0 comments on commit cc52997

Please sign in to comment.