From 0d2d2ceed405e51b6d5472ddc4faaffd3c8bc9f8 Mon Sep 17 00:00:00 2001
From: zhouhao <zhouhao@cn.fujitsu.com>
Date: Tue, 21 Mar 2017 11:00:05 +0800
Subject: [PATCH] validate: increase OS validation for special cases

Signed-off-by: zhouhao <zhouhao@cn.fujitsu.com>
---
 validate/validate.go | 79 +++++++++++++++++++++++++++++---------------
 1 file changed, 52 insertions(+), 27 deletions(-)

diff --git a/validate/validate.go b/validate/validate.go
index 0c4ebb901..98cdb2c8d 100644
--- a/validate/validate.go
+++ b/validate/validate.go
@@ -273,46 +273,71 @@ func (v *Validator) CheckProcess() (msgs []string) {
 		}
 	}
 
-	var caps []string
+	msgs = append(msgs, v.CheckCapablities()...)
+	msgs = append(msgs, v.CheckRlimits()...)
 
-	for _, cap := range process.Capabilities.Bounding {
-		caps = append(caps, cap)
-	}
-	for _, cap := range process.Capabilities.Effective {
-		caps = append(caps, cap)
-	}
-	for _, cap := range process.Capabilities.Inheritable {
-		caps = append(caps, cap)
-	}
-	for _, cap := range process.Capabilities.Permitted {
-		caps = append(caps, cap)
-	}
-	for _, cap := range process.Capabilities.Ambient {
-		caps = append(caps, cap)
+	if v.spec.Platform.OS == "linux" {
+
+		if len(process.ApparmorProfile) > 0 {
+			profilePath := filepath.Join(v.bundlePath, v.spec.Root.Path, "/etc/apparmor.d", process.ApparmorProfile)
+			_, err := os.Stat(profilePath)
+			if err != nil {
+				msgs = append(msgs, err.Error())
+			}
+		}
 	}
 
-	for _, capability := range caps {
-		if err := CapValid(capability, v.HostSpecific); err != nil {
-			msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
+	return
+}
+
+func (v *Validator) CheckCapablities() (msgs []string) {
+	process := v.spec.Process
+	if v.spec.Platform.OS == "linux" {
+		var caps []string
+
+		for _, cap := range process.Capabilities.Bounding {
+			caps = append(caps, cap)
+		}
+		for _, cap := range process.Capabilities.Effective {
+			caps = append(caps, cap)
+		}
+		for _, cap := range process.Capabilities.Inheritable {
+			caps = append(caps, cap)
+		}
+		for _, cap := range process.Capabilities.Permitted {
+			caps = append(caps, cap)
+		}
+		for _, cap := range process.Capabilities.Ambient {
+			caps = append(caps, cap)
+		}
+
+		for _, capability := range caps {
+			if err := CapValid(capability, v.HostSpecific); err != nil {
+				msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
+			}
 		}
+	} else {
+		logrus.Warnf("process.capabilities validation not yet implemented for OS %q", v.spec.Platform.OS)
 	}
 
+	return
+}
+
+func (v *Validator) CheckRlimits() (msgs []string) {
+	process := v.spec.Process
 	for index, rlimit := range process.Rlimits {
-		if err := rlimitValid(rlimit); err != nil {
-			msgs = append(msgs, err.Error())
-		}
 		for i := index + 1; i < len(process.Rlimits); i++ {
 			if process.Rlimits[index].Type == process.Rlimits[i].Type {
 				msgs = append(msgs, fmt.Sprintf("rlimit can not contain the same type %q.", process.Rlimits[index].Type))
 			}
 		}
-	}
 
-	if len(process.ApparmorProfile) > 0 {
-		profilePath := filepath.Join(v.bundlePath, v.spec.Root.Path, "/etc/apparmor.d", process.ApparmorProfile)
-		_, err := os.Stat(profilePath)
-		if err != nil {
-			msgs = append(msgs, err.Error())
+		if v.spec.Platform.OS == "linux" {
+			if err := rlimitValid(rlimit); err != nil {
+				msgs = append(msgs, err.Error())
+			}
+		} else {
+			logrus.Warnf("process.rlimits validation not yet implemented for OS %q", v.spec.Platform.OS)
 		}
 	}