Define CapabilityExt with a functions to convert caps to oci_spec

Signed-off-by: Takashi IIGUNI <iiguni.tks@gmail.com>
2024-12-04 19:18:29 +01:00 · 2021-09-08 11:24:37 +00:00 · 2021-09-08 11:24:37 +00:00 · 10b9b26782
commit 10b9b26782
parent 5cf890a861
2 changed files with 105 additions and 95 deletions
--- a/src/capabilities.rs
+++ b/src/capabilities.rs
@ -11,104 +11,113 @@ fn to_set(caps: &Capabilities) -> CapsHashSet {
    let mut capabilities = CapsHashSet::new();

    for c in caps {
-        let cap = to_cap(*c);
+        let cap = c.to_cap();
        capabilities.insert(cap);
    }
    capabilities
 }

-/// Convert oci::runtime::Capability to caps::Capability
-pub fn to_cap(cap: SpecCapability) -> caps::Capability {
-    match cap {
-        SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
-        SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
-        SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
-        SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
-        SpecCapability::Bpf => CapsCapability::CAP_BPF,
-        SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
-        SpecCapability::Chown => CapsCapability::CAP_CHOWN,
-        SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
-        SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
-        SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
-        SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
-        SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
-        SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
-        SpecCapability::Kill => CapsCapability::CAP_KILL,
-        SpecCapability::Lease => CapsCapability::CAP_LEASE,
-        SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
-        SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
-        SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
-        SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
-        SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
-        SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
-        SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
-        SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
-        SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
-        SpecCapability::Setgid => CapsCapability::CAP_SETGID,
-        SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
-        SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
-        SpecCapability::Setuid => CapsCapability::CAP_SETUID,
-        SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
-        SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
-        SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
-        SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
-        SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
-        SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
-        SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
-        SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
-        SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
-        SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
-        SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
-        SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
-        SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
-    }
+pub trait CapabilityExt {
+    /// Convert self to caps::Capability
+    fn to_cap(&self) -> caps::Capability;
+    /// Convert caps::Capability to self
+    fn from_cap(c: CapsCapability) -> Self;
 }

-/// Convert oci::runtime::Capability to caps::Capability
-pub fn from_cap(c: CapsCapability) -> SpecCapability {
-    match c {
-        CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
-        CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
-        CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
-        CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
-        CapsCapability::CAP_BPF => SpecCapability::Bpf,
-        CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
-        CapsCapability::CAP_CHOWN => SpecCapability::Chown,
-        CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
-        CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
-        CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
-        CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
-        CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
-        CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
-        CapsCapability::CAP_KILL => SpecCapability::Kill,
-        CapsCapability::CAP_LEASE => SpecCapability::Lease,
-        CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
-        CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
-        CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
-        CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
-        CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
-        CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
-        CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
-        CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
-        CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
-        CapsCapability::CAP_SETGID => SpecCapability::Setgid,
-        CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
-        CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
-        CapsCapability::CAP_SETUID => SpecCapability::Setuid,
-        CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
-        CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
-        CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
-        CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
-        CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
-        CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
-        CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
-        CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
-        CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
-        CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
-        CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
-        CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
-        CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
-        CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
+impl CapabilityExt for SpecCapability {
+    /// Convert oci::runtime::Capability to caps::Capability
+    fn to_cap(&self) -> caps::Capability {
+        match self {
+            SpecCapability::AuditControl => CapsCapability::CAP_AUDIT_CONTROL,
+            SpecCapability::AuditRead => CapsCapability::CAP_AUDIT_READ,
+            SpecCapability::AuditWrite => CapsCapability::CAP_AUDIT_WRITE,
+            SpecCapability::BlockSuspend => CapsCapability::CAP_BLOCK_SUSPEND,
+            SpecCapability::Bpf => CapsCapability::CAP_BPF,
+            SpecCapability::CheckpointRestore => CapsCapability::CAP_CHECKPOINT_RESTORE,
+            SpecCapability::Chown => CapsCapability::CAP_CHOWN,
+            SpecCapability::DacOverride => CapsCapability::CAP_DAC_OVERRIDE,
+            SpecCapability::DacReadSearch => CapsCapability::CAP_DAC_READ_SEARCH,
+            SpecCapability::Fowner => CapsCapability::CAP_FOWNER,
+            SpecCapability::Fsetid => CapsCapability::CAP_FSETID,
+            SpecCapability::IpcLock => CapsCapability::CAP_IPC_LOCK,
+            SpecCapability::IpcOwner => CapsCapability::CAP_IPC_OWNER,
+            SpecCapability::Kill => CapsCapability::CAP_KILL,
+            SpecCapability::Lease => CapsCapability::CAP_LEASE,
+            SpecCapability::LinuxImmutable => CapsCapability::CAP_LINUX_IMMUTABLE,
+            SpecCapability::MacAdmin => CapsCapability::CAP_MAC_ADMIN,
+            SpecCapability::MacOverride => CapsCapability::CAP_MAC_OVERRIDE,
+            SpecCapability::Mknod => CapsCapability::CAP_MKNOD,
+            SpecCapability::NetAdmin => CapsCapability::CAP_NET_ADMIN,
+            SpecCapability::NetBindService => CapsCapability::CAP_NET_BIND_SERVICE,
+            SpecCapability::NetBroadcast => CapsCapability::CAP_NET_BROADCAST,
+            SpecCapability::NetRaw => CapsCapability::CAP_NET_RAW,
+            SpecCapability::Perfmon => CapsCapability::CAP_PERFMON,
+            SpecCapability::Setgid => CapsCapability::CAP_SETGID,
+            SpecCapability::Setfcap => CapsCapability::CAP_SETFCAP,
+            SpecCapability::Setpcap => CapsCapability::CAP_SETPCAP,
+            SpecCapability::Setuid => CapsCapability::CAP_SETUID,
+            SpecCapability::SysAdmin => CapsCapability::CAP_SYS_ADMIN,
+            SpecCapability::SysBoot => CapsCapability::CAP_SYS_BOOT,
+            SpecCapability::SysChroot => CapsCapability::CAP_SYS_CHROOT,
+            SpecCapability::SysModule => CapsCapability::CAP_SYS_MODULE,
+            SpecCapability::SysNice => CapsCapability::CAP_SYS_NICE,
+            SpecCapability::SysPacct => CapsCapability::CAP_SYS_PACCT,
+            SpecCapability::SysPtrace => CapsCapability::CAP_SYS_PTRACE,
+            SpecCapability::SysRawio => CapsCapability::CAP_SYS_RAWIO,
+            SpecCapability::SysResource => CapsCapability::CAP_SYS_RESOURCE,
+            SpecCapability::SysTime => CapsCapability::CAP_SYS_TIME,
+            SpecCapability::SysTtyConfig => CapsCapability::CAP_SYS_TTY_CONFIG,
+            SpecCapability::Syslog => CapsCapability::CAP_SYSLOG,
+            SpecCapability::WakeAlarm => CapsCapability::CAP_WAKE_ALARM,
+        }
+    }
+
+    /// Convert caps::Capability to oci::runtime::Capability
+    fn from_cap(c: CapsCapability) -> SpecCapability {
+        match c {
+            CapsCapability::CAP_AUDIT_CONTROL => SpecCapability::AuditControl,
+            CapsCapability::CAP_AUDIT_READ => SpecCapability::AuditRead,
+            CapsCapability::CAP_AUDIT_WRITE => SpecCapability::AuditWrite,
+            CapsCapability::CAP_BLOCK_SUSPEND => SpecCapability::BlockSuspend,
+            CapsCapability::CAP_BPF => SpecCapability::Bpf,
+            CapsCapability::CAP_CHECKPOINT_RESTORE => SpecCapability::CheckpointRestore,
+            CapsCapability::CAP_CHOWN => SpecCapability::Chown,
+            CapsCapability::CAP_DAC_OVERRIDE => SpecCapability::DacOverride,
+            CapsCapability::CAP_DAC_READ_SEARCH => SpecCapability::DacReadSearch,
+            CapsCapability::CAP_FOWNER => SpecCapability::Fowner,
+            CapsCapability::CAP_FSETID => SpecCapability::Fsetid,
+            CapsCapability::CAP_IPC_LOCK => SpecCapability::IpcLock,
+            CapsCapability::CAP_IPC_OWNER => SpecCapability::IpcOwner,
+            CapsCapability::CAP_KILL => SpecCapability::Kill,
+            CapsCapability::CAP_LEASE => SpecCapability::Lease,
+            CapsCapability::CAP_LINUX_IMMUTABLE => SpecCapability::LinuxImmutable,
+            CapsCapability::CAP_MAC_ADMIN => SpecCapability::MacAdmin,
+            CapsCapability::CAP_MAC_OVERRIDE => SpecCapability::MacOverride,
+            CapsCapability::CAP_MKNOD => SpecCapability::Mknod,
+            CapsCapability::CAP_NET_ADMIN => SpecCapability::NetAdmin,
+            CapsCapability::CAP_NET_BIND_SERVICE => SpecCapability::NetBindService,
+            CapsCapability::CAP_NET_BROADCAST => SpecCapability::NetBroadcast,
+            CapsCapability::CAP_NET_RAW => SpecCapability::NetRaw,
+            CapsCapability::CAP_PERFMON => SpecCapability::Perfmon,
+            CapsCapability::CAP_SETGID => SpecCapability::Setgid,
+            CapsCapability::CAP_SETFCAP => SpecCapability::Setfcap,
+            CapsCapability::CAP_SETPCAP => SpecCapability::Setpcap,
+            CapsCapability::CAP_SETUID => SpecCapability::Setuid,
+            CapsCapability::CAP_SYS_ADMIN => SpecCapability::SysAdmin,
+            CapsCapability::CAP_SYS_BOOT => SpecCapability::SysBoot,
+            CapsCapability::CAP_SYS_CHROOT => SpecCapability::SysChroot,
+            CapsCapability::CAP_SYS_MODULE => SpecCapability::SysModule,
+            CapsCapability::CAP_SYS_NICE => SpecCapability::SysNice,
+            CapsCapability::CAP_SYS_PACCT => SpecCapability::SysPacct,
+            CapsCapability::CAP_SYS_PTRACE => SpecCapability::SysPtrace,
+            CapsCapability::CAP_SYS_RAWIO => SpecCapability::SysRawio,
+            CapsCapability::CAP_SYS_RESOURCE => SpecCapability::SysResource,
+            CapsCapability::CAP_SYS_TIME => SpecCapability::SysTime,
+            CapsCapability::CAP_SYS_TTY_CONFIG => SpecCapability::SysTtyConfig,
+            CapsCapability::CAP_SYSLOG => SpecCapability::Syslog,
+            CapsCapability::CAP_WAKE_ALARM => SpecCapability::WakeAlarm,
+            CapsCapability::__Nonexhaustive => unreachable!("invalid capability"),
+        }
    }
 }

--- a/src/container/tenant_builder.rs
+++ b/src/container/tenant_builder.rs
@ -2,8 +2,8 @@ use anyhow::{bail, Context, Result};
 use caps::Capability;
 use nix::unistd;
 use oci_spec::runtime::{
-    Capabilities as SpecCapabilities, LinuxCapabilities, LinuxNamespace, LinuxNamespaceType,
-    Process, Spec,
+    Capabilities as SpecCapabilities, Capability as SpecCapability, LinuxCapabilities,
+    LinuxNamespace, LinuxNamespaceType, Process, Spec,
 };
 use procfs::process::Namespace;

@ -16,7 +16,7 @@ use std::{
    str::FromStr,
 };

-use crate::capabilities::from_cap;
+use crate::capabilities::CapabilityExt;
 use crate::{notify_socket::NotifySocket, rootless::Rootless, tty, utils};

 use super::{builder::ContainerBuilder, builder_impl::ContainerBuilderImpl, Container};
@ -250,7 +250,8 @@ impl TenantContainerBuilder {
                caps.push(Capability::from_str(cap)?);
            }

-            let caps: SpecCapabilities = caps.iter().map(|c| from_cap(*c)).collect();
+            let caps: SpecCapabilities =
+                caps.iter().map(|c| SpecCapability::from_cap(*c)).collect();

            if let Some(ref mut spec_caps) = spec
                .process