
Commit 3d20a6a

committed
generate: remove validate dependency
The two modules {validate,generate} should be mutually exclusive and should not depend on each other. In addition, it is not the job of generate to carry out validation of any arguments provided (especially system-specific arguments). lastCap needs two copies because of the RHEL6 hack, which is a shame but does not justify the import dependency (because that dependency pulls in logrus and a few other libraries for no good reason). Fixes: 1a899a6 ("validate: optimize capabilites check") Signed-off-by: Aleksa Sarai <[email protected]>
1 parent 2ed047a commit 3d20a6a


2 files changed

+22
-18
lines changed


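--- a/generate/generate.go
+++ b/generate/generate.go
@@ -10,7 +10,6 @@ import (
 
 rspec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate/seccomp"
-"github.com/opencontainers/runtime-tools/validate"
 "github.com/syndtr/gocapability/capability"
 )
 
@@ -841,12 +840,24 @@ func (g *Generator) AddBindMount(source, dest string, options []string) {
 g.spec.Mounts = append(g.spec.Mounts, mnt)
 }
 
+// lastCap return last cap of system, and is required to hack around RHEL6.
+// This is an exact copy of "validate/validate.go".lastCap.
+func lastCap() capability.Cap {
+last := capability.CAP_LAST_CAP
+// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+if last == capability.Cap(63) {
+last = capability.CAP_BLOCK_SUSPEND
+}
+
+return last
+}
+
 // SetupPrivileged sets up the privilege-related fields inside g.spec.
 func (g *Generator) SetupPrivileged(privileged bool) {
 if privileged { // Add all capabilities in privileged mode.
 var finalCapList []string
 for _, cap := range capability.List() {
-if g.HostSpecific && cap > validate.LastCap() {
+if g.HostSpecific && cap > lastCap() {
 continue
 }
 finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
@@ -878,12 +889,8 @@ func (g *Generator) ClearProcessCapabilities() {
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-cp := strings.ToUpper(c)
-if err := validate.CapValid(cp, g.HostSpecific); err != nil {
-return err
-}
-
 g.initSpecProcessCapabilities()
+cp := strings.ToUpper(c)
 
 for _, cap := range g.spec.Process.Capabilities.Bounding {
 if strings.ToUpper(cap) == cp {
@@ -925,12 +932,8 @@ func (g *Generator) AddProcessCapability(c string) error {
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-cp := strings.ToUpper(c)
-if err := validate.CapValid(cp, g.HostSpecific); err != nil {
-return err
-}
-
 g.initSpecProcessCapabilities()
+cp := strings.ToUpper(c)
 
 for i, cap := range g.spec.Process.Capabilities.Bounding {
 if strings.ToUpper(cap) == cp {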
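Review bot: AddProcessCapability and DropProcessCapability no longer reject any input, yet their doc comments and `error` return are unchanged, so a caller cannot tell that a mistyped or host-unsupported name is now accepted. With the `validate.CapValid` call gone, an unknown string passed to AddProcessCapability is presumably written into the spec's capability sets as given. The same string passed to DropProcessCapability would match nothing and, as far as the hunks show, leave the capability in place without an error; both bodies continue outside the visible lines, so confirm that there. I would state the new contract on both functions, e.g. `// The name is not validated; run the validate package on the resulting spec to catch unknown or host-unsupported capabilities.`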

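--- a/validate/validate.go
+++ b/validate/validate.go
@@ -289,7 +289,7 @@ func (v *Validator) CheckCapabilities() (msgs []string) {
 }
 
 for capability, owns := range caps {
-if err := CapValid(capability, v.HostSpecific); err != nil {
+if err := capValid(capability, v.HostSpecific); err != nil {
 msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
 }
 
@@ -602,16 +602,16 @@ func (v *Validator) CheckSeccomp() (msgs []string) {
 return
 }
 
-// CapValid checks whether a capability is valid
-func CapValid(c string, hostSpecific bool) error {
+// capValid checks whether a capability is valid
+func capValid(c string, hostSpecific bool) error {
 isValid := false
 
 if !strings.HasPrefix(c, "CAP_") {
 return fmt.Errorf("capability %s must start with CAP_", c)
 }
 for _, cap := range capability.List() {
 if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-if hostSpecific && cap > LastCap() {
+if hostSpecific && cap > lastCap() {
 return fmt.Errorf("CAP_%s is not supported on the current host", c)
 }
 isValid = true
@@ -625,8 +625,9 @@ func CapValid(c string, hostSpecific bool) error {
 return nil
 }
 
-// LastCap return last cap of system
-func LastCap() capability.Cap {
+// lastCap return last cap of system, and is required to hack around RHEL6.
+// This is an exact copy of "generate/generate.go".lastCap.
+func lastCap() capability.Cap {
 last := capability.CAP_LAST_CAP
 // hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
 if last == capability.Cap(63) {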
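Review bot: In capValid the host-specific error doubles the prefix: `c` has already passed the `strings.HasPrefix(c, "CAP_")` check, so `fmt.Errorf("CAP_%s is not supported on the current host", c)` reports `CAP_CAP_…`. Since the function is being renamed here anyway, `return fmt.Errorf("%s is not supported on the current host", c)` would fix it. Separately, lastCap now exists as two hand-maintained copies, and the generator's privileged capability list and this check both depend on that same host ceiling. A short comment on why `capability.Cap(63)` is the sentinel (it looks like the library's fallback when the proc file is missing, to be confirmed), plus a small test of the RHEL6 branch in each package, would keep the copies from drifting. capValid and lastCap both continue outside the visible hunks.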
