Update gocapability

This commit is contained in:
Victor Marmol 2015-05-05 14:31:25 -07:00
parent fa782f19f9
commit 96c025a60a
4 changed files with 95 additions and 45 deletions

2
Godeps/Godeps.json generated
View File

@ -178,7 +178,7 @@
}, },
{ {
"ImportPath": "github.com/syndtr/gocapability/capability", "ImportPath": "github.com/syndtr/gocapability/capability",
"Rev": "3c85049eaeb429febe7788d9c7aac42322a377fe" "Rev": "8e4cdcb3c22b40d5e330ade0b68cb2e2a3cf6f98"
}, },
{ {
"ImportPath": "golang.org/x/exp/inotify", "ImportPath": "golang.org/x/exp/inotify",

View File

@ -60,7 +60,8 @@ type Capabilities interface {
Apply(kind CapType) error Apply(kind CapType) error
} }
// NewPid create new initialized Capabilities object for given pid. // NewPid create new initialized Capabilities object for given pid when it
// is nonzero, or for the current pid if pid is 0
func NewPid(pid int) (Capabilities, error) { func NewPid(pid int) (Capabilities, error) {
return newPid(pid) return newPid(pid)
} }

View File

@ -24,12 +24,46 @@ const (
linuxCapVer3 = 0x20080522 linuxCapVer3 = 0x20080522
) )
var capVers uint32 var (
capVers uint32
capLastCap Cap
)
func init() { func init() {
var hdr capHeader var hdr capHeader
capget(&hdr, nil) capget(&hdr, nil)
capVers = hdr.version capVers = hdr.version
if initLastCap() == nil {
CAP_LAST_CAP = capLastCap
if capLastCap > 31 {
capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
} else {
capUpperMask = 0
}
}
}
func initLastCap() error {
if capLastCap != 0 {
return nil
}
f, err := os.Open("/proc/sys/kernel/cap_last_cap")
if err != nil {
return err
}
defer f.Close()
var b []byte = make([]byte, 11)
_, err = f.Read(b)
if err != nil {
return err
}
fmt.Sscanf(string(b), "%d", &capLastCap)
return nil
} }
func mkStringCap(c Capabilities, which CapType) (ret string) { func mkStringCap(c Capabilities, which CapType) (ret string) {
@ -351,7 +385,15 @@ func (c *capsV3) Load() (err error) {
return return
} }
f, err := os.Open(fmt.Sprintf("/proc/%d/status", c.hdr.pid)) var status_path string
if c.hdr.pid == 0 {
status_path = fmt.Sprintf("/proc/self/status")
} else {
status_path = fmt.Sprintf("/proc/%d/status", c.hdr.pid)
}
f, err := os.Open(status_path)
if err != nil { if err != nil {
return return
} }

View File

@ -112,32 +112,33 @@ func (c Cap) String() string {
return "wake_alarm" return "wake_alarm"
case CAP_BLOCK_SUSPEND: case CAP_BLOCK_SUSPEND:
return "block_suspend" return "block_suspend"
case CAP_AUDIT_READ:
return "audit_read"
} }
return "unknown" return "unknown"
} }
// POSIX-draft defined capabilities.
const ( const (
// POSIX-draft defined capabilities.
// In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this // In a system with the [_POSIX_CHOWN_RESTRICTED] option defined, this
// overrides the restriction of changing file ownership and group // overrides the restriction of changing file ownership and group
// ownership. // ownership.
CAP_CHOWN Cap = 0 CAP_CHOWN = Cap(0)
// Override all DAC access, including ACL execute access if // Override all DAC access, including ACL execute access if
// [_POSIX_ACL] is defined. Excluding DAC access covered by // [_POSIX_ACL] is defined. Excluding DAC access covered by
// CAP_LINUX_IMMUTABLE. // CAP_LINUX_IMMUTABLE.
CAP_DAC_OVERRIDE Cap = 1 CAP_DAC_OVERRIDE = Cap(1)
// Overrides all DAC restrictions regarding read and search on files // Overrides all DAC restrictions regarding read and search on files
// and directories, including ACL restrictions if [_POSIX_ACL] is // and directories, including ACL restrictions if [_POSIX_ACL] is
// defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE. // defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
CAP_DAC_READ_SEARCH Cap = 2 CAP_DAC_READ_SEARCH = Cap(2)
// Overrides all restrictions about allowed operations on files, where // Overrides all restrictions about allowed operations on files, where
// file owner ID must be equal to the user ID, except where CAP_FSETID // file owner ID must be equal to the user ID, except where CAP_FSETID
// is applicable. It doesn't override MAC and DAC restrictions. // is applicable. It doesn't override MAC and DAC restrictions.
CAP_FOWNER Cap = 3 CAP_FOWNER = Cap(3)
// Overrides the following restrictions that the effective user ID // Overrides the following restrictions that the effective user ID
// shall match the file owner ID when setting the S_ISUID and S_ISGID // shall match the file owner ID when setting the S_ISUID and S_ISGID
@ -145,21 +146,21 @@ const (
// supplementary group IDs) shall match the file owner ID when setting // supplementary group IDs) shall match the file owner ID when setting
// the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are // the S_ISGID bit on that file; that the S_ISUID and S_ISGID bits are
// cleared on successful return from chown(2) (not implemented). // cleared on successful return from chown(2) (not implemented).
CAP_FSETID Cap = 4 CAP_FSETID = Cap(4)
// Overrides the restriction that the real or effective user ID of a // Overrides the restriction that the real or effective user ID of a
// process sending a signal must match the real or effective user ID // process sending a signal must match the real or effective user ID
// of the process receiving the signal. // of the process receiving the signal.
CAP_KILL Cap = 5 CAP_KILL = Cap(5)
// Allows setgid(2) manipulation // Allows setgid(2) manipulation
// Allows setgroups(2) // Allows setgroups(2)
// Allows forged gids on socket credentials passing. // Allows forged gids on socket credentials passing.
CAP_SETGID Cap = 6 CAP_SETGID = Cap(6)
// Allows set*uid(2) manipulation (including fsuid). // Allows set*uid(2) manipulation (including fsuid).
// Allows forged pids on socket credentials passing. // Allows forged pids on socket credentials passing.
CAP_SETUID Cap = 7 CAP_SETUID = Cap(7)
// Linux-specific capabilities // Linux-specific capabilities
@ -171,17 +172,17 @@ const (
// to the current process' inheritable set // to the current process' inheritable set
// Allow taking bits out of capability bounding set // Allow taking bits out of capability bounding set
// Allow modification of the securebits for a process // Allow modification of the securebits for a process
CAP_SETPCAP Cap = 8 CAP_SETPCAP = Cap(8)
// Allow modification of S_IMMUTABLE and S_APPEND file attributes // Allow modification of S_IMMUTABLE and S_APPEND file attributes
CAP_LINUX_IMMUTABLE Cap = 9 CAP_LINUX_IMMUTABLE = Cap(9)
// Allows binding to TCP/UDP sockets below 1024 // Allows binding to TCP/UDP sockets below 1024
// Allows binding to ATM VCIs below 32 // Allows binding to ATM VCIs below 32
CAP_NET_BIND_SERVICE Cap = 10 CAP_NET_BIND_SERVICE = Cap(10)
// Allow broadcasting, listen to multicast // Allow broadcasting, listen to multicast
CAP_NET_BROADCAST Cap = 11 CAP_NET_BROADCAST = Cap(11)
// Allow interface configuration // Allow interface configuration
// Allow administration of IP firewall, masquerading and accounting // Allow administration of IP firewall, masquerading and accounting
@ -196,36 +197,36 @@ const (
// Allow multicasting // Allow multicasting
// Allow read/write of device-specific registers // Allow read/write of device-specific registers
// Allow activation of ATM control sockets // Allow activation of ATM control sockets
CAP_NET_ADMIN Cap = 12 CAP_NET_ADMIN = Cap(12)
// Allow use of RAW sockets // Allow use of RAW sockets
// Allow use of PACKET sockets // Allow use of PACKET sockets
// Allow binding to any address for transparent proxying (also via NET_ADMIN) // Allow binding to any address for transparent proxying (also via NET_ADMIN)
CAP_NET_RAW Cap = 13 CAP_NET_RAW = Cap(13)
// Allow locking of shared memory segments // Allow locking of shared memory segments
// Allow mlock and mlockall (which doesn't really have anything to do // Allow mlock and mlockall (which doesn't really have anything to do
// with IPC) // with IPC)
CAP_IPC_LOCK Cap = 14 CAP_IPC_LOCK = Cap(14)
// Override IPC ownership checks // Override IPC ownership checks
CAP_IPC_OWNER Cap = 15 CAP_IPC_OWNER = Cap(15)
// Insert and remove kernel modules - modify kernel without limit // Insert and remove kernel modules - modify kernel without limit
CAP_SYS_MODULE Cap = 16 CAP_SYS_MODULE = Cap(16)
// Allow ioperm/iopl access // Allow ioperm/iopl access
// Allow sending USB messages to any device via /proc/bus/usb // Allow sending USB messages to any device via /proc/bus/usb
CAP_SYS_RAWIO Cap = 17 CAP_SYS_RAWIO = Cap(17)
// Allow use of chroot() // Allow use of chroot()
CAP_SYS_CHROOT Cap = 18 CAP_SYS_CHROOT = Cap(18)
// Allow ptrace() of any process // Allow ptrace() of any process
CAP_SYS_PTRACE Cap = 19 CAP_SYS_PTRACE = Cap(19)
// Allow configuration of process accounting // Allow configuration of process accounting
CAP_SYS_PACCT Cap = 20 CAP_SYS_PACCT = Cap(20)
// Allow configuration of the secure attention key // Allow configuration of the secure attention key
// Allow administration of the random device // Allow administration of the random device
@ -263,10 +264,10 @@ const (
// arbitrary SCSI commands // arbitrary SCSI commands
// Allow setting encryption key on loopback filesystem // Allow setting encryption key on loopback filesystem
// Allow setting zone reclaim policy // Allow setting zone reclaim policy
CAP_SYS_ADMIN Cap = 21 CAP_SYS_ADMIN = Cap(21)
// Allow use of reboot() // Allow use of reboot()
CAP_SYS_BOOT Cap = 22 CAP_SYS_BOOT = Cap(22)
// Allow raising priority and setting priority on other (different // Allow raising priority and setting priority on other (different
// UID) processes // UID) processes
@ -274,7 +275,7 @@ const (
// processes and setting the scheduling algorithm used by another // processes and setting the scheduling algorithm used by another
// process. // process.
// Allow setting cpu affinity on other processes // Allow setting cpu affinity on other processes
CAP_SYS_NICE Cap = 23 CAP_SYS_NICE = Cap(23)
// Override resource limits. Set resource limits. // Override resource limits. Set resource limits.
// Override quota limits. // Override quota limits.
@ -287,33 +288,33 @@ const (
// Allow more than 64hz interrupts from the real-time clock // Allow more than 64hz interrupts from the real-time clock
// Override max number of consoles on console allocation // Override max number of consoles on console allocation
// Override max number of keymaps // Override max number of keymaps
CAP_SYS_RESOURCE Cap = 24 CAP_SYS_RESOURCE = Cap(24)
// Allow manipulation of system clock // Allow manipulation of system clock
// Allow irix_stime on mips // Allow irix_stime on mips
// Allow setting the real-time clock // Allow setting the real-time clock
CAP_SYS_TIME Cap = 25 CAP_SYS_TIME = Cap(25)
// Allow configuration of tty devices // Allow configuration of tty devices
// Allow vhangup() of tty // Allow vhangup() of tty
CAP_SYS_TTY_CONFIG Cap = 26 CAP_SYS_TTY_CONFIG = Cap(26)
// Allow the privileged aspects of mknod() // Allow the privileged aspects of mknod()
CAP_MKNOD Cap = 27 CAP_MKNOD = Cap(27)
// Allow taking of leases on files // Allow taking of leases on files
CAP_LEASE Cap = 28 CAP_LEASE = Cap(28)
CAP_AUDIT_WRITE Cap = 29 CAP_AUDIT_WRITE = Cap(29)
CAP_AUDIT_CONTROL Cap = 30 CAP_AUDIT_CONTROL = Cap(30)
CAP_SETFCAP Cap = 31 CAP_SETFCAP = Cap(31)
// Override MAC access. // Override MAC access.
// The base kernel enforces no MAC policy. // The base kernel enforces no MAC policy.
// An LSM may enforce a MAC policy, and if it does and it chooses // An LSM may enforce a MAC policy, and if it does and it chooses
// to implement capability based overrides of that policy, this is // to implement capability based overrides of that policy, this is
// the capability it should use to do so. // the capability it should use to do so.
CAP_MAC_OVERRIDE Cap = 32 CAP_MAC_OVERRIDE = Cap(32)
// Allow MAC configuration or state changes. // Allow MAC configuration or state changes.
// The base kernel requires no MAC configuration. // The base kernel requires no MAC configuration.
@ -321,18 +322,24 @@ const (
// to implement capability based checks on modifications to that // to implement capability based checks on modifications to that
// policy or the data required to maintain it, this is the // policy or the data required to maintain it, this is the
// capability it should use to do so. // capability it should use to do so.
CAP_MAC_ADMIN Cap = 33 CAP_MAC_ADMIN = Cap(33)
// Allow configuring the kernel's syslog (printk behaviour) // Allow configuring the kernel's syslog (printk behaviour)
CAP_SYSLOG Cap = 34 CAP_SYSLOG = Cap(34)
// Allow triggering something that will wake the system // Allow triggering something that will wake the system
CAP_WAKE_ALARM Cap = 35 CAP_WAKE_ALARM = Cap(35)
// Allow preventing system suspends // Allow preventing system suspends
CAP_BLOCK_SUSPEND Cap = 36 CAP_BLOCK_SUSPEND = Cap(36)
CAP_LAST_CAP = CAP_BLOCK_SUSPEND // Allow reading audit messages from the kernel
CAP_AUDIT_READ = Cap(37)
) )
const capUpperMask = (uint32(1) << (uint(CAP_LAST_CAP) - 31)) - 1 var (
// Highest valid capability of the running kernel.
CAP_LAST_CAP = Cap(63)
capUpperMask = ^uint32(0)
)