mirror/ youki
1
0
Fork 0
mirror of https://github.com/containers/youki synced 2024-06-10 08:46:21 +02:00
Code Issues

Define CapabilityExt with a functions to convert caps to oci_spec 

Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
This commit is contained in:
Takashi IIGUNI 2021-09-08 11:24:37 +00:00
parent 5cf890a861
commit 10b9b26782
2 changed files with 105 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

191
src/capabilities.rs
View File

@ -11,104 +11,113 @@ fn to_set(caps: &Capabilities) -> CapsHashSet {
let mut capabilities = CapsHashSet::new();
for c in caps {
let cap = to_cap(*c);
let cap = c.to_cap();
capabilities.insert(cap);
}
capabilities
}
/// Convert oci::runtime::Capability to caps::Capability
pub fn to_cap(cap: SpecCapability) -> caps::Capability {
match cap {
SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
SpecCapability::Bpf => CapsCapability::CAP_BPF,
SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
SpecCapability::Chown => CapsCapability::CAP_CHOWN,
SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
SpecCapability::Kill => CapsCapability::CAP_KILL,
SpecCapability::Lease => CapsCapability::CAP_LEASE,
SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
SpecCapability::Setgid => CapsCapability::CAP_SETGID,
SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
SpecCapability::Setuid => CapsCapability::CAP_SETUID,
SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
}
pub trait CapabilityExt {
/// Convert self to caps::Capability
fn to_cap(&self) -> caps::Capability;
/// Convert caps::Capability to self
fn from_cap(c: CapsCapability) -> Self;
}
/// Convert oci::runtime::Capability to caps::Capability
pub fn from_cap(c: CapsCapability) -> SpecCapability {
match c {
CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
CapsCapability::CAP_BPF => SpecCapability::Bpf,
CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
CapsCapability::CAP_CHOWN => SpecCapability::Chown,
CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
CapsCapability::CAP_KILL => SpecCapability::Kill,
CapsCapability::CAP_LEASE => SpecCapability::Lease,
CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
CapsCapability::CAP_SETGID => SpecCapability::Setgid,
CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
CapsCapability::CAP_SETUID => SpecCapability::Setuid,
CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
impl CapabilityExt for SpecCapability {
/// Convert oci::runtime::Capability to caps::Capability
fn to_cap(&self) -> caps::Capability {
match self {
SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
SpecCapability::Bpf => CapsCapability::CAP_BPF,
SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
SpecCapability::Chown => CapsCapability::CAP_CHOWN,
SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
SpecCapability::Kill => CapsCapability::CAP_KILL,
SpecCapability::Lease => CapsCapability::CAP_LEASE,
SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
SpecCapability::Setgid => CapsCapability::CAP_SETGID,
SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
SpecCapability::Setuid => CapsCapability::CAP_SETUID,
SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
}
}
/// Convert caps::Capability to oci::runtime::Capability
fn from_cap(c: CapsCapability) -> SpecCapability {
match c {
CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
CapsCapability::CAP_BPF => SpecCapability::Bpf,
CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
CapsCapability::CAP_CHOWN => SpecCapability::Chown,
CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
CapsCapability::CAP_KILL => SpecCapability::Kill,
CapsCapability::CAP_LEASE => SpecCapability::Lease,
CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
CapsCapability::CAP_SETGID => SpecCapability::Setgid,
CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
CapsCapability::CAP_SETUID => SpecCapability::Setuid,
CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
}
}
}

9
src/container/tenant_builder.rs
View File

@ -2,8 +2,8 @@ use anyhow::{bail, Context, Result};
use caps::Capability;
use nix::unistd;
use oci_spec::runtime::{
Capabilities as SpecCapabilities, LinuxCapabilities, LinuxNamespace, LinuxNamespaceType,
Process, Spec,
Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxCapabilities,
LinuxNamespace, LinuxNamespaceType, Process, Spec,
};
use procfs::process::Namespace;
@ -16,7 +16,7 @@ use std::{
str::FromStr,
};
use crate::capabilities::from_cap;
use crate::capabilities::CapabilityExt;
use crate::{notify_socket::NotifySocket, rootless::Rootless, tty, utils};
use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
@ -250,7 +250,8 @@ impl TenantContainerBuilder {
caps.push(Capability::from_str(cap)?);
}
let caps: SpecCapabilities = caps.iter().map(|c| from_cap(*c)).collect();
let caps: SpecCapabilities =
caps.iter().map(|c| SpecCapability::from_cap(*c)).collect();
if let Some(ref mut spec_caps) = spec
.process