Move caps and device spec utils to oci pkg

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2022-11-09 12:21:53 -05:00 · 2018-12-10 15:40:40 -05:00 · 2018-12-10 15:40:40 -05:00 · b940cc5cff
commit b940cc5cff
parent 6e3113f700
5 changed files with 20 additions and 18 deletions
--- a/oci/oci.go
+++ b/oci/oci.go
@ -0,0 +1,80 @@
+package oci // import "github.com/docker/docker/oci"
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+
+	"github.com/docker/docker/oci/caps"
+	specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// nolint: gosimple
+var deviceCgroupRuleRegex = regexp.MustCompile("^([acb]) ([0-9]+|\\*):([0-9]+|\\*) ([rwm]{1,3})$")
+
+// SetCapabilities sets the provided capabilities on the spec
+// All capabilities are added if privileged is true
+func SetCapabilities(s *specs.Spec, add, drop []string, privileged bool) error {
+	var (
+		caplist []string
+		err     error
+	)
+	if privileged {
+		caplist = caps.GetAllCapabilities()
+	} else {
+		caplist, err = caps.TweakCapabilities(s.Process.Capabilities.Bounding, add, drop)
+		if err != nil {
+			return err
+		}
+	}
+	s.Process.Capabilities.Effective = caplist
+	s.Process.Capabilities.Bounding = caplist
+	s.Process.Capabilities.Permitted = caplist
+	s.Process.Capabilities.Inheritable = caplist
+	// setUser has already been executed here
+	// if non root drop capabilities in the way execve does
+	if s.Process.User.UID != 0 {
+		s.Process.Capabilities.Effective = []string{}
+		s.Process.Capabilities.Permitted = []string{}
+	}
+	return nil
+}
+
+// AppendDevicePermissionsFromCgroupRules takes rules for the devices cgroup to append to the default set
+func AppendDevicePermissionsFromCgroupRules(devPermissions []specs.LinuxDeviceCgroup, rules []string) ([]specs.LinuxDeviceCgroup, error) {
+	for _, deviceCgroupRule := range rules {
+		ss := deviceCgroupRuleRegex.FindAllStringSubmatch(deviceCgroupRule, -1)
+		if len(ss[0]) != 5 {
+			return nil, fmt.Errorf("invalid device cgroup rule format: '%s'", deviceCgroupRule)
+		}
+		matches := ss[0]
+
+		dPermissions := specs.LinuxDeviceCgroup{
+			Allow:  true,
+			Type:   matches[1],
+			Access: matches[4],
+		}
+		if matches[2] == "*" {
+			major := int64(-1)
+			dPermissions.Major = &major
+		} else {
+			major, err := strconv.ParseInt(matches[2], 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("invalid major value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			dPermissions.Major = &major
+		}
+		if matches[3] == "*" {
+			minor := int64(-1)
+			dPermissions.Minor = &minor
+		} else {
+			minor, err := strconv.ParseInt(matches[3], 10, 64)
+			if err != nil {
+				return nil, fmt.Errorf("invalid minor value in device cgroup rule format: '%s'", deviceCgroupRule)
+			}
+			dPermissions.Minor = &minor
+		}
+		devPermissions = append(devPermissions, dPermissions)
+	}
+	return devPermissions, nil
+}