Merge pull request #755 from klihub/fixes/isolate-gojson-deps

giuseppe · web-flow · commit e18fb056fc7f · 2022-10-26T21:36:55.000+02:00
generate, validate: isolate gojson* dependencies.
diff --git a/generate/generate.go b/generate/generate.go
@@ -10,7 +10,7 @@ import (
 
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
-	"github.com/opencontainers/runtime-tools/validate"
+	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/syndtr/gocapability/capability"
 )
 
@@ -1136,7 +1136,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > validate.LastCap() {
+			if g.HostSpecific && cap > capsCheck.LastCap() {
 				continue
 			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
@@ -1170,7 +1170,7 @@ func (g *Generator) ClearProcessCapabilities() {
 // AddProcessCapability adds a process capability into all 5 capability sets.
 func (g *Generator) AddProcessCapability(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1233,7 +1233,7 @@ func (g *Generator) AddProcessCapability(c string) error {
 // AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
 func (g *Generator) AddProcessCapabilityAmbient(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1257,7 +1257,7 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error {
 // AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding.
 func (g *Generator) AddProcessCapabilityBounding(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1280,7 +1280,7 @@ func (g *Generator) AddProcessCapabilityBounding(c string) error {
 // AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective.
 func (g *Generator) AddProcessCapabilityEffective(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1303,7 +1303,7 @@ func (g *Generator) AddProcessCapabilityEffective(c string) error {
 // AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable.
 func (g *Generator) AddProcessCapabilityInheritable(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1326,7 +1326,7 @@ func (g *Generator) AddProcessCapabilityInheritable(c string) error {
 // AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted.
 func (g *Generator) AddProcessCapabilityPermitted(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1379,7 +1379,7 @@ func (g *Generator) DropProcessCapability(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 // DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
@@ -1395,7 +1395,7 @@ func (g *Generator) DropProcessCapabilityAmbient(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 // DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding.
@@ -1411,7 +1411,7 @@ func (g *Generator) DropProcessCapabilityBounding(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 // DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective.
@@ -1427,7 +1427,7 @@ func (g *Generator) DropProcessCapabilityEffective(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 // DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable.
@@ -1443,7 +1443,7 @@ func (g *Generator) DropProcessCapabilityInheritable(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 // DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted.
@@ -1459,7 +1459,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return capsCheck.CapValid(cp, false)
 }
 
 func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {
diff --git a/validate/capabilities/validate.go b/validate/capabilities/validate.go
@@ -0,0 +1,31 @@
+package capabilities
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/syndtr/gocapability/capability"
+)
+
+// CapValid checks whether a capability is valid
+func CapValid(c string, hostSpecific bool) error {
+	isValid := false
+
+	if !strings.HasPrefix(c, "CAP_") {
+		return fmt.Errorf("capability %s must start with CAP_", c)
+	}
+	for _, cap := range capability.List() {
+		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
+			if hostSpecific && cap > LastCap() {
+				return fmt.Errorf("%s is not supported on the current host", c)
+			}
+			isValid = true
+			break
+		}
+	}
+
+	if !isValid {
+		return fmt.Errorf("invalid capability: %s", c)
+	}
+	return nil
+}
diff --git a/validate/capabilities/validate_linux.go b/validate/capabilities/validate_linux.go
@@ -0,0 +1,16 @@
+package capabilities
+
+import (
+	"github.com/syndtr/gocapability/capability"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+
+	return last
+}
diff --git a/validate/capabilities/validate_unsupported.go b/validate/capabilities/validate_unsupported.go
@@ -0,0 +1,13 @@
+//go:build !linux
+// +build !linux
+
+package validate
+
+import (
+	"github.com/syndtr/gocapability/capability"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+	return capability.Cap(-1)
+}
diff --git a/validate/validate.go b/validate/validate.go
@@ -20,8 +20,8 @@ import (
 	"github.com/hashicorp/go-multierror"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
+	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 
 	"github.com/opencontainers/runtime-tools/specerror"
 	"github.com/xeipuuv/gojsonschema"
@@ -687,26 +687,10 @@ func (v *Validator) CheckAnnotations() (errs error) {
 }
 
 // CapValid checks whether a capability is valid
+//
+// Deprecated: use github.com/opencontainers/runtime-tools/validate/capabilities.CapValid directly.
 func CapValid(c string, hostSpecific bool) error {
-	isValid := false
-
-	if !strings.HasPrefix(c, "CAP_") {
-		return fmt.Errorf("capability %s must start with CAP_", c)
-	}
-	for _, cap := range capability.List() {
-		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
-				return fmt.Errorf("%s is not supported on the current host", c)
-			}
-			isValid = true
-			break
-		}
-	}
-
-	if !isValid {
-		return fmt.Errorf("invalid capability: %s", c)
-	}
-	return nil
+	return capsCheck.CapValid(c, hostSpecific)
 }
 
 func envValid(env string) bool {
diff --git a/validate/validate_linux.go b/validate/validate_linux.go
@@ -11,26 +11,19 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/syndtr/gocapability/capability"
-
 	multierror "github.com/hashicorp/go-multierror"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
 // LastCap return last cap of system
-func LastCap() capability.Cap {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-
-	return last
-}
+//
+// Deprecated: use github.com/opencontainers/runtime-tools/validate/capabilities.LastCap directly.
+var LastCap = capsCheck.LastCap
 
 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ import (`
`10`	`10`
`11`	`11`	`rspec "github.com/opencontainers/runtime-spec/specs-go"`
`12`	`12`	`"github.com/opencontainers/runtime-tools/generate/seccomp"`
`13`		`- "github.com/opencontainers/runtime-tools/validate"`
	`13`	`+ capsCheck "github.com/opencontainers/runtime-tools/validate/capabilities"`
`14`	`14`	`"github.com/syndtr/gocapability/capability"`
`15`	`15`	`)`
`16`	`16`
`@@ -1136,7 +1136,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {`
`1136`	`1136`	`if privileged { // Add all capabilities in privileged mode.`
`1137`	`1137`	`var finalCapList []string`
`1138`	`1138`	`for _, cap := range capability.List() {`
`1139`		`- if g.HostSpecific && cap > validate.LastCap() {`
	`1139`	`+ if g.HostSpecific && cap > capsCheck.LastCap() {`
`1140`	`1140`	`continue`
`1141`	`1141`	`}`
`1142`	`1142`	`finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))`
`@@ -1170,7 +1170,7 @@ func (g *Generator) ClearProcessCapabilities() {`
`1170`	`1170`	`// AddProcessCapability adds a process capability into all 5 capability sets.`
`1171`	`1171`	`func (g *Generator) AddProcessCapability(c string) error {`
`1172`	`1172`	`cp := strings.ToUpper(c)`
`1173`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1173`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1174`	`1174`	`return err`
`1175`	`1175`	`}`
`1176`	`1176`
`@@ -1233,7 +1233,7 @@ func (g *Generator) AddProcessCapability(c string) error {`
`1233`	`1233`	`// AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.`
`1234`	`1234`	`func (g *Generator) AddProcessCapabilityAmbient(c string) error {`
`1235`	`1235`	`cp := strings.ToUpper(c)`
`1236`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1236`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1237`	`1237`	`return err`
`1238`	`1238`	`}`
`1239`	`1239`
`@@ -1257,7 +1257,7 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error {`
`1257`	`1257`	`// AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding.`
`1258`	`1258`	`func (g *Generator) AddProcessCapabilityBounding(c string) error {`
`1259`	`1259`	`cp := strings.ToUpper(c)`
`1260`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1260`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1261`	`1261`	`return err`
`1262`	`1262`	`}`
`1263`	`1263`
`@@ -1280,7 +1280,7 @@ func (g *Generator) AddProcessCapabilityBounding(c string) error {`
`1280`	`1280`	`// AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective.`
`1281`	`1281`	`func (g *Generator) AddProcessCapabilityEffective(c string) error {`
`1282`	`1282`	`cp := strings.ToUpper(c)`
`1283`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1283`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1284`	`1284`	`return err`
`1285`	`1285`	`}`
`1286`	`1286`
`@@ -1303,7 +1303,7 @@ func (g *Generator) AddProcessCapabilityEffective(c string) error {`
`1303`	`1303`	`// AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable.`
`1304`	`1304`	`func (g *Generator) AddProcessCapabilityInheritable(c string) error {`
`1305`	`1305`	`cp := strings.ToUpper(c)`
`1306`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1306`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1307`	`1307`	`return err`
`1308`	`1308`	`}`
`1309`	`1309`
`@@ -1326,7 +1326,7 @@ func (g *Generator) AddProcessCapabilityInheritable(c string) error {`
`1326`	`1326`	`// AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted.`
`1327`	`1327`	`func (g *Generator) AddProcessCapabilityPermitted(c string) error {`
`1328`	`1328`	`cp := strings.ToUpper(c)`
`1329`		`- if err := validate.CapValid(cp, g.HostSpecific); err != nil {`
	`1329`	`+ if err := capsCheck.CapValid(cp, g.HostSpecific); err != nil {`
`1330`	`1330`	`return err`
`1331`	`1331`	`}`
`1332`	`1332`
`@@ -1379,7 +1379,7 @@ func (g *Generator) DropProcessCapability(c string) error {`
`1379`	`1379`	`}`
`1380`	`1380`	`}`
`1381`	`1381`
`1382`		`- return validate.CapValid(cp, false)`
	`1382`	`+ return capsCheck.CapValid(cp, false)`
`1383`	`1383`	`}`
`1384`	`1384`
`1385`	`1385`	`// DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.`
`@@ -1395,7 +1395,7 @@ func (g *Generator) DropProcessCapabilityAmbient(c string) error {`
`1395`	`1395`	`}`
`1396`	`1396`	`}`
`1397`	`1397`
`1398`		`- return validate.CapValid(cp, false)`
	`1398`	`+ return capsCheck.CapValid(cp, false)`
`1399`	`1399`	`}`
`1400`	`1400`
`1401`	`1401`	`// DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding.`
`@@ -1411,7 +1411,7 @@ func (g *Generator) DropProcessCapabilityBounding(c string) error {`
`1411`	`1411`	`}`
`1412`	`1412`	`}`
`1413`	`1413`
`1414`		`- return validate.CapValid(cp, false)`
	`1414`	`+ return capsCheck.CapValid(cp, false)`
`1415`	`1415`	`}`
`1416`	`1416`
`1417`	`1417`	`// DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective.`
`@@ -1427,7 +1427,7 @@ func (g *Generator) DropProcessCapabilityEffective(c string) error {`
`1427`	`1427`	`}`
`1428`	`1428`	`}`
`1429`	`1429`
`1430`		`- return validate.CapValid(cp, false)`
	`1430`	`+ return capsCheck.CapValid(cp, false)`
`1431`	`1431`	`}`
`1432`	`1432`
`1433`	`1433`	`// DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable.`
`@@ -1443,7 +1443,7 @@ func (g *Generator) DropProcessCapabilityInheritable(c string) error {`
`1443`	`1443`	`}`
`1444`	`1444`	`}`
`1445`	`1445`
`1446`		`- return validate.CapValid(cp, false)`
	`1446`	`+ return capsCheck.CapValid(cp, false)`
`1447`	`1447`	`}`
`1448`	`1448`
`1449`	`1449`	`// DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted.`
`@@ -1459,7 +1459,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {`
`1459`	`1459`	`}`
`1460`	`1460`	`}`
`1461`	`1461`
`1462`		`- return validate.CapValid(cp, false)`
	`1462`	`+ return capsCheck.CapValid(cp, false)`
`1463`	`1463`	`}`
`1464`	`1464`
`1465`	`1465`	`func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {`