mirror of
https://github.com/containers/skopeo.git
synced 2025-09-11 03:29:43 +00:00
fix(deps): update module github.com/moby/sys/capability to v0.4.0
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This commit is contained in:
renovate[bot]
GitHub
100
vendor/github.com/moby/sys/capability/capability_linux.go
generated
vendored
100
vendor/github.com/moby/sys/capability/capability_linux.go
generated
vendored
@@ -117,6 +117,13 @@ func newPid(pid int) (c Capabilities, retErr error) {
|
||||
return
|
||||
}
|
||||
|
||||
func ignoreEINVAL(err error) error {
|
||||
if errors.Is(err, syscall.EINVAL) {
|
||||
err = nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
type capsV3 struct {
|
||||
hdr capHeader
|
||||
data [2]capData
|
||||
@@ -307,15 +314,15 @@ func (c *capsV3) Load() (err error) {
|
||||
}
|
||||
break
|
||||
}
|
||||
if strings.HasPrefix(line, "CapB") {
|
||||
_, err = fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0])
|
||||
if val, ok := strings.CutPrefix(line, "CapBnd:\t"); ok {
|
||||
_, err = fmt.Sscanf(val, "%08x%08x", &c.bounds[1], &c.bounds[0])
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
continue
|
||||
}
|
||||
if strings.HasPrefix(line, "CapA") {
|
||||
_, err = fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0])
|
||||
if val, ok := strings.CutPrefix(line, "CapAmb:\t"); ok {
|
||||
_, err = fmt.Sscanf(val, "%08x%08x", &c.ambient[1], &c.ambient[0])
|
||||
if err != nil {
|
||||
break
|
||||
}
|
||||
@@ -327,7 +334,10 @@ func (c *capsV3) Load() (err error) {
|
||||
return
|
||||
}
|
||||
|
||||
func (c *capsV3) Apply(kind CapType) (err error) {
|
||||
func (c *capsV3) Apply(kind CapType) error {
|
||||
if c.hdr.pid != 0 {
|
||||
return errors.New("unable to modify capabilities of another process")
|
||||
}
|
||||
last, err := LastCap()
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -336,21 +346,17 @@ func (c *capsV3) Apply(kind CapType) (err error) {
|
||||
var data [2]capData
|
||||
err = capget(&c.hdr, &data[0])
|
||||
if err != nil {
|
||||
return
|
||||
return err
|
||||
}
|
||||
if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
|
||||
for i := Cap(0); i <= last; i++ {
|
||||
if c.Get(BOUNDING, i) {
|
||||
continue
|
||||
}
|
||||
err = prctl(syscall.PR_CAPBSET_DROP, uintptr(i), 0, 0, 0)
|
||||
// Ignore EINVAL since the capability may not be supported in this system.
|
||||
err = ignoreEINVAL(dropBound(i))
|
||||
if err != nil {
|
||||
// Ignore EINVAL since the capability may not be supported in this system.
|
||||
if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
|
||||
err = nil
|
||||
continue
|
||||
}
|
||||
return
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -359,29 +365,73 @@ func (c *capsV3) Apply(kind CapType) (err error) {
|
||||
if kind&CAPS == CAPS {
|
||||
err = capset(&c.hdr, &c.data[0])
|
||||
if err != nil {
|
||||
return
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if kind&AMBS == AMBS {
|
||||
// Ignore EINVAL as not supported on kernels before 4.3
|
||||
err = ignoreEINVAL(resetAmbient())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for i := Cap(0); i <= last; i++ {
|
||||
action := pr_CAP_AMBIENT_LOWER
|
||||
if c.Get(AMBIENT, i) {
|
||||
action = pr_CAP_AMBIENT_RAISE
|
||||
if !c.Get(AMBIENT, i) {
|
||||
continue
|
||||
}
|
||||
err = prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
|
||||
// Ignore EINVAL as not supported on kernels before 4.3
|
||||
err = ignoreEINVAL(setAmbient(true, i))
|
||||
if err != nil {
|
||||
// Ignore EINVAL as not supported on kernels before 4.3
|
||||
if err == syscall.EINVAL { //nolint:errorlint // Errors from syscall are bare.
|
||||
err = nil
|
||||
continue
|
||||
}
|
||||
return
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
return nil
|
||||
}
|
||||
|
||||
func getAmbient(c Cap) (bool, error) {
|
||||
res, err := prctlRetInt(pr_CAP_AMBIENT, pr_CAP_AMBIENT_IS_SET, uintptr(c))
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return res > 0, nil
|
||||
}
|
||||
|
||||
func setAmbient(raise bool, caps ...Cap) error {
|
||||
op := pr_CAP_AMBIENT_RAISE
|
||||
if !raise {
|
||||
op = pr_CAP_AMBIENT_LOWER
|
||||
}
|
||||
for _, val := range caps {
|
||||
err := prctl(pr_CAP_AMBIENT, op, uintptr(val))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func resetAmbient() error {
|
||||
return prctl(pr_CAP_AMBIENT, pr_CAP_AMBIENT_CLEAR_ALL, 0)
|
||||
}
|
||||
|
||||
func getBound(c Cap) (bool, error) {
|
||||
res, err := prctlRetInt(syscall.PR_CAPBSET_READ, uintptr(c), 0)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
return res > 0, nil
|
||||
}
|
||||
|
||||
func dropBound(caps ...Cap) error {
|
||||
for _, val := range caps {
|
||||
err := prctl(syscall.PR_CAPBSET_DROP, uintptr(val), 0)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func newFile(path string) (c Capabilities, err error) {
|
||||
|
||||
Reference in New Issue
Block a user