moby--moby/oci/oci.go

package oci // import "github.com/docker/docker/oci"

import (
	"fmt"
	"regexp"
	"strconv"

	specs "github.com/opencontainers/runtime-spec/specs-go"
)

// nolint: gosimple
var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")

// SetCapabilities sets the provided capabilities on the spec
// All capabilities are added if privileged is true
func SetCapabilities(s *specs.Spec, caplist []string) error {
	s.Process.Capabilities.Effective = caplist
	s.Process.Capabilities.Bounding = caplist
	s.Process.Capabilities.Permitted = caplist
	s.Process.Capabilities.Inheritable = caplist
	// setUser has already been executed here
	// if non root drop capabilities in the way execve does
	if s.Process.User.UID != 0 {
		s.Process.Capabilities.Effective = []string{}
		s.Process.Capabilities.Permitted = []string{}
	}
	return nil
}

// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
	for _, deviceCgroupRule := range rules {
		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
		if len(ss[0]) != 5 {
			return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
		}
		matches := ss[0]

		dPermissions := specs.LinuxDeviceCgroup{
			Allow:  true,
			Type:   matches[1],
			Access: matches[4],
		}
		if matches[2] == "*" {
			major := int64(-1)
			dPermissions.Major = &major
		} else {
			major, err := strconv.ParseInt(matches[2], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
			}
			dPermissions.Major = &major
		}
		if matches[3] == "*" {
			minor := int64(-1)
			dPermissions.Minor = &minor
		} else {
			minor, err := strconv.ParseInt(matches[3], 10, 64)
			if err != nil {
				return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
			}
			dPermissions.Minor = &minor
		}
		devPermissions = append(devPermissions, dPermissions)
	}
	return devPermissions, nil
}
Move caps and device spec utils to `oci` pkg Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2018-12-10 15:40:40 -05:00			`package oci // import "github.com/docker/docker/oci"`
lcow: Allow the client to add or remove capabilities Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 18:36:10 -04:00
			`import (`
lcow: Allow the client to add device cgroup rules Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 19:14:17 -04:00			`"fmt"`
			`"regexp"`
			`"strconv"`

lcow: Allow the client to add or remove capabilities Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 18:36:10 -04:00			`specs "github.com/opencontainers/runtime-spec/specs-go"`
			`)`

lcow: Allow the client to add device cgroup rules Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 19:14:17 -04:00			`// nolint: gosimple`
Move caps and device spec utils to `oci` pkg Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2018-12-10 15:40:40 -05:00			`var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+\|\\):([0-9]+\|\\) ([rwm]{1,3})$")`
lcow: Allow the client to add device cgroup rules Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 19:14:17 -04:00
Move caps and device spec utils to `oci` pkg Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2018-12-10 15:40:40 -05:00			`// SetCapabilities sets the provided capabilities on the spec`
			`// All capabilities are added if privileged is true`
Capabilities refactor - Add support for exact list of capabilities, support only OCI model - Support OCI model on CapAdd and CapDrop but remain backward compatibility - Create variable locally instead of declaring it at the top - Use const for magic "ALL" value - Rename `cap` variable as it overlaps with `cap()` built-in - Normalize and validate capabilities before use - Move validation for conflicting options to validateHostConfig() - TweakCapabilities: simplify logic to calculate capabilities Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2018-12-16 10:11:37 -05:00			`func SetCapabilities(s *specs.Spec, caplist []string) error {`
lcow: Allow the client to add or remove capabilities Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 18:36:10 -04:00			`s.Process.Capabilities.Effective = caplist`
			`s.Process.Capabilities.Bounding = caplist`
			`s.Process.Capabilities.Permitted = caplist`
			`s.Process.Capabilities.Inheritable = caplist`
			`// setUser has already been executed here`
			`// if non root drop capabilities in the way execve does`
			`if s.Process.User.UID != 0 {`
			`s.Process.Capabilities.Effective = []string{}`
			`s.Process.Capabilities.Permitted = []string{}`
			`}`
			`return nil`
			`}`
lcow: Allow the client to add device cgroup rules Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 19:14:17 -04:00
Move caps and device spec utils to `oci` pkg Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2018-12-10 15:40:40 -05:00			`// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set`
			`func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {`
lcow: Allow the client to add device cgroup rules Signed-off-by: John Starks <jostarks@microsoft.com> 2018-06-15 19:14:17 -04:00			`for _, deviceCgroupRule := range rules {`
			`ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)`
			`if len(ss[0]) != 5 {`
			`return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)`
			`}`
			`matches := ss[0]`

			`dPermissions := specs.LinuxDeviceCgroup{`
			`Allow: true,`
			`Type: matches[1],`
			`Access: matches[4],`
			`}`
			`if matches[2] == "*" {`
			`major := int64(-1)`
			`dPermissions.Major = &major`
			`} else {`
			`major, err := strconv.ParseInt(matches[2], 10, 64)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)`
			`}`
			`dPermissions.Major = &major`
			`}`
			`if matches[3] == "*" {`
			`minor := int64(-1)`
			`dPermissions.Minor = &minor`
			`} else {`
			`minor, err := strconv.ParseInt(matches[3], 10, 64)`
			`if err != nil {`
			`return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)`
			`}`
			`dPermissions.Minor = &minor`
			`}`
			`devPermissions = append(devPermissions, dPermissions)`
			`}`
			`return devPermissions, nil`
			`}`