-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add capability package #149
Commits on Feb 7, 2013
-
Configuration menu - View commit details
-
Copy full SHA for 5191123 - Browse repository at this point
Copy the full SHA 5191123View commit details
Commits on Feb 8, 2013
-
Configuration menu - View commit details
-
Copy full SHA for 34f2e4f - Browse repository at this point
Copy the full SHA 34f2e4fView commit details -
Configuration menu - View commit details
-
Copy full SHA for e3c3ba5 - Browse repository at this point
Copy the full SHA e3c3ba5View commit details
Commits on May 16, 2014
-
Configuration menu - View commit details
-
Copy full SHA for 0fe8712 - Browse repository at this point
Copy the full SHA 0fe8712View commit details
Commits on Jan 15, 2015
-
capability: Allow to use the zero value for pid to operate with the c…
…urrent task In this case we can use /proc/self/, which is correct even if a task live in another pid namespace. Signed-off-by: Andrey Vagin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 52dd710 - Browse repository at this point
Copy the full SHA 52dd710View commit details
Commits on Feb 17, 2015
-
Configuration menu - View commit details
-
Copy full SHA for 17b8e69 - Browse repository at this point
Copy the full SHA 17b8e69View commit details
Commits on Feb 18, 2015
-
Configuration menu - View commit details
-
Copy full SHA for a5b2cd8 - Browse repository at this point
Copy the full SHA a5b2cd8View commit details -
Configuration menu - View commit details
-
Copy full SHA for 349eb2e - Browse repository at this point
Copy the full SHA 349eb2eView commit details -
capability: determine CAP_LAST_CAP dynamically
New capabilities can be added, and we want to be sure that a bounding set will be set correctly in this case. Without this patch new capabilities are not dropped from a bounding set. Signed-off-by: Andrey Vagin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b61cbe6 - Browse repository at this point
Copy the full SHA b61cbe6View commit details -
Configuration menu - View commit details
-
Copy full SHA for 4ba06ac - Browse repository at this point
Copy the full SHA 4ba06acView commit details -
capability: Don't use fmt.Fscanf for /proc/sys/kernel/cap_last_cap
fmt.Fscanf reads byte by byte from this file, but this doesn't work for sysctl-s. 29279 open("/proc/sys/kernel/cap_last_cap", O_RDONLY|O_CLOEXEC 29279 <... open resumed> ) = 3 29279 read(3, "3", 1) = 1 29279 read(3, "", 1) = 0 Reported-by: @syndtr
Configuration menu - View commit details
-
Copy full SHA for 8f72402 - Browse repository at this point
Copy the full SHA 8f72402View commit details
Commits on Mar 23, 2015
-
capability: Not fail on Apply if there is no /proc/sys/kernel/cap_las…
…t_cap file Fix docker/libcontainer#452 Signed-off-by: Alexander Morozov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2bc1d7e - Browse repository at this point
Copy the full SHA 2bc1d7eView commit details
Commits on May 6, 2015
-
capability: Add tool for generating String and List functions
Signed-off-by: Alexander Morozov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3cd3167 - Browse repository at this point
Copy the full SHA 3cd3167View commit details -
capability: Use go generate for String and List functions
Signed-off-by: Alexander Morozov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ed44d7b - Browse repository at this point
Copy the full SHA ed44d7bView commit details
Commits on Jun 14, 2015
-
Configuration menu - View commit details
-
Copy full SHA for 69dca76 - Browse repository at this point
Copy the full SHA 69dca76View commit details
Commits on Jul 14, 2015
-
Configuration menu - View commit details
-
Copy full SHA for bc55f7f - Browse repository at this point
Copy the full SHA bc55f7fView commit details
Commits on Jul 16, 2015
-
capability: Merge pull request moby#9 from h2so5/master
handle ENODATA in getVfsCap
Configuration menu - View commit details
-
Copy full SHA for 4c632f4 - Browse repository at this point
Copy the full SHA 4c632f4View commit details
Commits on Sep 28, 2016
-
capability: Add support for ambient capabilities (moby#11)
Ambient capabilities were added in Linux 4.3 and provide a way to pass on capabilities to unprivileged processes easily. Signed-off-by: Justin Cormack <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f3cb87f - Browse repository at this point
Copy the full SHA f3cb87fView commit details
Commits on Jul 4, 2017
-
capability: Fix issue moby#12: break too early (moby#13)
After getting CapBnd, Loop break too early, can't to get CapAmb value. Signed-off-by: Ma Shimiao <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8294f6f - Browse repository at this point
Copy the full SHA 8294f6fView commit details
Commits on Feb 23, 2018
-
capability: Deprecate NewPid and NewFile for NewPid2 and NewFile2 (mo…
…by#14) The old methods had an internal Load(), which is unnecessary for some use cases. For example, if you're going to drop all capabilities, you don't need to load the current set first. This commit deprecates the old New* functions and adds New*2 functions which do not include the internal Load. Callers who do need the Load will need to call it explicitly after initializing their Capabilities object. Callers who do not need the Load can just add the "2" to the function name and get more efficient/robust behavior. The "Deprecated:" paragraph syntax is recommended in [1]: To signal that an identifier should not be used, add a paragraph to its doc comment that begins with "Deprecated:" followed by some information about the deprecation. [1]: https://blog.golang.org/godoc-documenting-go-code
Configuration menu - View commit details
-
Copy full SHA for a2f19b5 - Browse repository at this point
Copy the full SHA a2f19b5View commit details
Commits on Sep 16, 2018
-
capability: Fix capHeader.pid type (moby#16)
* Fix capHeader.pid type In C, int is 4 bytes in 32 and 64-bit systems. In Go, int is a 8 bytes in 64-bit systems. Before this fix, pid was being ignored because the kernel will always read 0 due to padding added between version and pid fields. * Update capability_linux.go
Configuration menu - View commit details
-
Copy full SHA for 7b553f5 - Browse repository at this point
Copy the full SHA 7b553f5View commit details
Commits on Aug 5, 2020
-
capability: add CAP_PERFMON, CAP_BPF, and CAP_CHECKPOINT_RESTORE
CAP_PERFMON and CAP_BPF were introduced in kernel 5.8: https://kernelnewbies.org/Linux_5.8#Introduce_CAP_BPF_and_CAP_PERFMON_security_capabilities CAP_CHECKPOINT_RESTORE was merged on the master recently and will be available in the next version of the kernel. torvalds/linux@124ea65 The capability numbers are taken from https://github.com/torvalds/linux/blob/442489c219235991de86d0277b5d859ede6d8792/include/uapi/linux/capability.h#L373-L416 Signed-off-by: Akihiro Suda <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1f9e05d - Browse repository at this point
Copy the full SHA 1f9e05dView commit details
Commits on Aug 15, 2020
-
Configuration menu - View commit details
-
Copy full SHA for a1bb7d2 - Browse repository at this point
Copy the full SHA a1bb7d2View commit details -
capability: Merge branch 'kernel58' of https://github.com/AkihiroSuda…
…/gocapability into AkihiroSuda-kernel58
Configuration menu - View commit details
-
Copy full SHA for a615c43 - Browse repository at this point
Copy the full SHA a615c43View commit details
Commits on Jul 22, 2024
-
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for e4ea695 - Browse repository at this point
Copy the full SHA e4ea695View commit details -
capability: Use new style build tags
Go 1.17 introduced new style of adding build tags (//go:build), and some tools no longer understand old-style (// +build) tags. Add the new tag, drop the old one. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 49112ce - Browse repository at this point
Copy the full SHA 49112ceView commit details -
Move the code to the top-level directory. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 5ff585d - Browse repository at this point
Copy the full SHA 5ff585dView commit details -
capability: Fix future version compatibility
In case kernel folks will ever release capability v4, the chances are high v3 is still supported. Therefore, we should not error out upon seeing an unknown version from the kernel, but assume we can go with v3. While at it, treat the uninitialized capVers as an error. Before this patch, it was still treated as an error, but "unknown capability version" is not exactly what the error is, so let's be more specific. Reported-by: Andrei Vagin <[email protected]> Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a8e5adc - Browse repository at this point
Copy the full SHA a8e5adcView commit details -
capability: Drop capability v1 and v2 support
Capabilities v3 API was added by the Linux kernel 2.6.26. Since go 1.18 (no longer supported as of go 1.20 release), the minimum Linux kernel requirement is 2.6.32 (see [1]). So, it does not make sense to support capabilities v1 and v2 any more. Drop the support, returning the appropriate error message. [1] https://tip.golang.org/doc/go1.18#linux Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1be70fa - Browse repository at this point
Copy the full SHA 1be70faView commit details -
capability: Apply: fix ambient caps error handling
Commit f3cb87f added support for ambient capabilities. Unfortunately, the code added to Apply is incorrect because it uses a local variable err which is never used or returned. Found by a linter: > capability_linux.go:480:5: ineffectual assignment to err (ineffassign) > err = nil > ^ Fixes: f3cb87f Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d8cc449 - Browse repository at this point
Copy the full SHA d8cc449View commit details
Commits on Jul 23, 2024
-
capability: Load: simplify code, fix a linter warning
Fix the following warning: > capability_linux.go:407:17: S1039: unnecessary use of fmt.Sprintf (gosimple) > status_path = fmt.Sprintf("/proc/self/status") > ^ Also, - simplify the code for the common case when pid is 0; - rename a variable (to obey Go naming guidelines). Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9ebbf3c - Browse repository at this point
Copy the full SHA 9ebbf3cView commit details -
capability: init: fix a linter warning
Fix the following linter warning: > capability_linux.go:34:8: Error return value is not checked (errcheck) > capget(&hdr, nil) > ^ Here we deliberately ignore the error from capget() since we have no way to report it, and hdr.ver will be 0 in case of an error anyway. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 16bd4cd - Browse repository at this point
Copy the full SHA 16bd4cdView commit details -
capability: enumgen: drop using io/ioutil
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 42c88db - Browse repository at this point
Copy the full SHA 42c88dbView commit details
Commits on Jul 24, 2024
-
capability: Load: don't ignore Sscanf errors
This fixes errcheck linter warnings: > capability_linux.go:311:14: Error return value of `fmt.Sscanf` is not checked (errcheck) > fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0]) > ^ > capability_linux.go:315:14: Error return value of `fmt.Sscanf` is not checked (errcheck) > fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0]) > ^ Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9510382 - Browse repository at this point
Copy the full SHA 9510382View commit details
Commits on Jul 30, 2024
-
capability: Move capVers out of init
Currently, capVers is initialized in func init, but its value is only used from NewPid*. Let's use sync.OnceValues for lazy initialization. While at it, stop ignoring syscall return value. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b48e69d - Browse repository at this point
Copy the full SHA b48e69dView commit details -
capability: Remove init and CAP_LAST_CAP, add LastCap
One (minor) issue with this package is it has func init which reads a file in /proc, making the start of any program which imports the package a bit slower. Let's switch to lazy initialization, i.e. only read the file when needed. Unfortunately, this can not be done in a non-disruptive manner, since we have a public variable CAP_LAST_CAP. So, this is a disruptive change, and anyone who's using CAP_LAST_CAP should change their code to something like this: last, err := capability.LastCap() if err != nil { return err } Also, add a test case for LastCap. Reported-by: ningmingxiao <[email protected]> Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 935800e - Browse repository at this point
Copy the full SHA 935800eView commit details -
capability: Rename a test variable
Rename whats -> what in test to silence codespell warnings. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1c20dc0 - Browse repository at this point
Copy the full SHA 1c20dc0View commit details -
Mostly for ignoring this warning: ./capability_linux.go:311: nd ==> and, 2nd Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1d2e439 - Browse repository at this point
Copy the full SHA 1d2e439View commit details -
capability: ci: add some basic GHA checks
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1b89c56 - Browse repository at this point
Copy the full SHA 1b89c56View commit details -
capability: Use gofumpt to format code
Brought to you by gofumpt v0.6.0 (go1.22.4). Add a CI action to check code is gofumpt'ed. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c3a94dd - Browse repository at this point
Copy the full SHA c3a94ddView commit details
Commits on Jul 31, 2024
-
With the added linter, it complains like this: > capability_linux.go:349:22: type assertion on error will fail on wrapped errors. Use errors.As to check for specific errors (errorlint) In fact, errors from syscall.Syscall6 used by prctl are bare Errno values. This means there is no need for a type assertion, so let's remove it: > - if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL { > + if err == syscall.EINVAL { With that change, we're still getting error from the linter, a bit different one: > capability_linux.go:349:9: comparing with == will fail on wrapped errors. Use errors.Is to check for a specific error (errorlint) So, we still need to silence it, by adding a nolint annotation. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for e2363f4 - Browse repository at this point
Copy the full SHA e2363f4View commit details -
capability: Add README and CHANGELOG
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 61d4f3b - Browse repository at this point
Copy the full SHA 61d4f3bView commit details
Commits on Aug 1, 2024
-
capability: Wrap LastCap to improve doc
As LastCap is a variable, it is shown in the documentation as a variable (see [1]). This is both ugly and unsafe (a variable can be changed). Wrap it into a proper function. [1]: https://pkg.go.dev/github.com/kolyshkin/[email protected]#pkg-variables Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 4409357 - Browse repository at this point
Copy the full SHA 4409357View commit details -
capability: Really fix future kernel compatibility
Earlier commit made sure we don't error out if the kernel capability version is unknown; this ensures compatibility with future kernels. Looking at the code, I realized p.hdr.version should be initialized to linuxCapVer3 in that case, not the version returned by the kernel, otherwise we supply v3 data structure with (say) v4 version set in header. Practically, this was not a real bug (yet) because v4 is not (yet) available, but if it will ever be introduced later, this fix makes us ready. Fixes: a8e5adc ("Fix future version compatibility") Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9aa254c - Browse repository at this point
Copy the full SHA 9aa254cView commit details -
capability: CHANGELOG: add v0.1.1 changes
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ba56f4a - Browse repository at this point
Copy the full SHA ba56f4aView commit details
Commits on Sep 13, 2024
-
This integrates github.com/kolyshkin/capability (which itself is a fork of github.com/syndtr/gocapability) to github.com/moby/sys/capability. Some of github.com/syndtr/gocapability users are (in an alphabetical order): - https://github.com/canonical/lxd - https://github.com/containers/buildah - https://github.com/containers/podman - https://github.com/containers/skopeo - https://github.com/google/gvisor - https://github.com/hashicorp/nomad - https://github.com/linuxkit/linuxkit - https://github.com/opencontainers/runc - https://github.com/opencontainers/runtime-tools - https://github.com/slimtoolkit/slim Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6f6556a - Browse repository at this point
Copy the full SHA 6f6556aView commit details -
capability: go.mod: fix the module path
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 666f217 - Browse repository at this point
Copy the full SHA 666f217View commit details -
capability: only test on Linux
Rename a test file so the test it implements is only run on Linux. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cf3e95f - Browse repository at this point
Copy the full SHA cf3e95fView commit details -
Makefile,.github: add capability
Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 15913fd - Browse repository at this point
Copy the full SHA 15913fdView commit details -
1. Add "Copyright 2023 The Capability Authors" header to cover my work since 2023 as well as any future work in the forked package. 2. Remove (c) after the word "Copyright" (not required since 1989). 3. Remove the comma after a copyright year. 4. Minor formatting fix (move the line break earlier). Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for e768b96 - Browse repository at this point
Copy the full SHA e768b96View commit details -
capability: fix CHANGELOG.md for the move
1. Clarify the fork source. 2. Fix links to 0.1.x PRs to point to the proper (old) repo. Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cbce049 - Browse repository at this point
Copy the full SHA cbce049View commit details -
capability: fix Go version in changelog
It was mistakenly set to Go >= 1.20, while it fact this package requires Go >= 1.21 (due to the use of sync.OnceValues). Signed-off-by: Kir Kolyshkin <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 27f233e - Browse repository at this point
Copy the full SHA 27f233eView commit details