Merge pull request #4358 from kolyshkin/rm-cap-init

libct/cap: switch to moby/sys/capability, lazy init

Author: kolyshkin

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.3.4
 	github.com/docker/go-units v0.5.0
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/moby/sys/capability v0.4.0
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/user v0.3.0
 	github.com/moby/sys/userns v0.1.0
@@ -23,7 +24,6 @@ require (
 	github.com/opencontainers/selinux v1.11.1
 	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/urfave/cli v1.22.16
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/net v0.31.0

go.sum

@@ -39,6 +39,8 @@ github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
 github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
+github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
 github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
 github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
@@ -73,8 +75,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
 github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
 github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=

libcontainer/capabilities/capabilities.go

@@ -3,41 +3,36 @@
 package capabilities
 
 import (
+	"fmt"
 	"sort"
 	"strings"
+	"sync"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 )
 
-const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
+func capToStr(c capability.Cap) string {
+	return "CAP_" + strings.ToUpper(c.String())
+}
 
-var (
-	capabilityMap map[string]capability.Cap
-	capTypes      = []capability.CapType{
-		capability.BOUNDING,
-		capability.PERMITTED,
-		capability.INHERITABLE,
-		capability.EFFECTIVE,
-		capability.AMBIENT,
+var capMap = sync.OnceValues(func() (map[string]capability.Cap, error) {
+	list, err := capability.ListSupported()
+	if err != nil {
+		return nil, err
 	}
-)
-
-func init() {
-	capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
-	for _, c := range capability.List() {
-		if c > capability.CAP_LAST_CAP {
-			continue
-		}
-		capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
+	cm := make(map[string]capability.Cap, len(list))
+	for _, c := range list {
+		cm[capToStr(c)] = c
 	}
-}
+	return cm, nil
+})
 
 // KnownCapabilities returns the list of the known capabilities.
 // Used by `runc features`.
 func KnownCapabilities() []string {
-	list := capability.List()
+	list := capability.ListKnown()
 	res := make([]string, len(list))
 	for i, c := range list {
 		res[i] = "CAP_" + strings.ToUpper(c.String())
@@ -49,11 +44,12 @@ func KnownCapabilities() []string {
 // or Capabilities that are unavailable in the current environment are ignored,
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
-	var (
-		err error
-		c   Caps
-	)
+	var c Caps
 
+	_, err := capMap()
+	if err != nil {
+		return nil, err
+	}
 	unknownCaps := make(map[string]struct{})
 	c.caps = map[capability.CapType][]capability.Cap{
 		capability.BOUNDING:    capSlice(capConfig.Bounding, unknownCaps),
@@ -75,9 +71,10 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
 // equivalent, and returns them as a slice. Unknown or unavailable capabilities
 // are not returned, but appended to unknownCaps.
 func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
-	var out []capability.Cap
+	cm, _ := capMap()
+	out := make([]capability.Cap, 0, len(caps))
 	for _, c := range caps {
-		if v, ok := capabilityMap[c]; !ok {
+		if v, ok := cm[c]; !ok {
 			unknownCaps[c] = struct{}{}
 		} else {
 			out = append(out, v)
@@ -88,7 +85,7 @@ func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
 
 // mapKeys returns the keys of input in sorted order
 func mapKeys(input map[string]struct{}) []string {
-	var keys []string
+	keys := make([]string, 0, len(input))
 	for c := range input {
 		keys = append(keys, c)
 	}
@@ -111,9 +108,36 @@ func (c *Caps) ApplyBoundingSet() error {
 
 // Apply sets all the capabilities for the current process in the config.
 func (c *Caps) ApplyCaps() error {
-	c.pid.Clear(allCapabilityTypes)
-	for _, g := range capTypes {
+	c.pid.Clear(capability.CAPS | capability.BOUNDS)
+	for _, g := range []capability.CapType{
+		capability.EFFECTIVE,
+		capability.PERMITTED,
+		capability.INHERITABLE,
+		capability.BOUNDING,
+	} {
 		c.pid.Set(g, c.caps[g]...)
 	}
-	return c.pid.Apply(allCapabilityTypes)
+	if err := c.pid.Apply(capability.CAPS | capability.BOUNDS); err != nil {
+		return fmt.Errorf("can't apply capabilities: %w", err)
+	}
+
+	// Old version of capability package used to ignore errors from setting
+	// ambient capabilities, which is now fixed (see
+	// https://github.com/kolyshkin/capability/pull/3).
+	//
+	// To maintain backward compatibility, set ambient caps one by one and
+	// don't return any errors, only warn.
+	ambs := c.caps[capability.AMBIENT]
+	err := capability.ResetAmbient()
+	if err != nil {
+		return fmt.Errorf("can't reset ambient capabilities: %w", err)
+	}
+	for _, a := range ambs {
+		err := capability.SetAmbient(true, a)
+		if err != nil {
+			logrus.Warnf("can't raise ambient capability %s: %v", capToStr(a), err)
+		}
+	}
+
+	return nil
 }

libcontainer/capabilities/capabilities_linux_test.go

@@ -5,12 +5,20 @@ import (
 	"os"
 	"testing"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
-	"github.com/syndtr/gocapability/capability"
 )
 
+var capTypes = []capability.CapType{
+	capability.BOUNDING,
+	capability.PERMITTED,
+	capability.INHERITABLE,
+	capability.EFFECTIVE,
+	capability.AMBIENT,
+}
+
 func TestNew(t *testing.T) {
 	cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
 	conf := configs.Capabilities{

tests/integration/capabilities.bats

@@ -116,3 +116,17 @@ function teardown() {
 	[[ "${output}" == *"CapBnd:	0000000400000021"* ]]
 	[[ "${output}" == *"CapAmb:	0000000400000001"* ]]
 }
+
+@test "runc run [ambient caps not set in inheritable result in a warning]" {
+	update_config '   .process.capabilities.inheritable = ["CAP_KILL"]
+                       | .process.capabilities.ambient = ["CAP_KILL", "CAP_CHOWN"]'
+	runc run test_amb
+	[ "$status" -eq 0 ]
+	# This should result in CAP_KILL set in ambient,
+	# and a warning about inability to set CAP_CHOWN.
+	#
+	# CAP_CHOWN is 0, the bit mask is 0x1 (1 << 0)
+	# CAP_KILL is 5, the bit mask is 0x20 (1 << 5).
+	[[ "$output" == *"can't raise ambient capability CAP_CHOWN: "* ]]
+	[[ "${output}" == *"CapAmb:	0000000000000020"* ]]
+}