author | Fabricio Voznika <fvoznika@google.com> | 2018-09-28 09:43:13 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-09-28 09:44:13 -0700 |
commit | cf226d48ce8c49409049e03ed405366db9fc2a04 (patch) | |
tree | 293d892446f0b03179757ab8a45ae032ccb534aa /runsc/specutils | |
parent | 6779bd1187e2b0f8692ab8a16d8d1681f0e674c5 (diff) |
Switch to root in userns when CAP_SYS_CHROOT is also missing
Some tests check current capabilities and re-run the tests as root inside
userns if required capabilities are missing. It was checking for
CAP_SYS_ADMIN only, CAP_SYS_CHROOT is also required now.
PiperOrigin-RevId: 214949226
Change-Id: Ic81363969fa76c04da408fae8ea7520653266312
Diffstat (limited to 'runsc/specutils')
-rw-r--r-- | runsc/specutils/namespace.go | 22 |
1 files changed, 7 insertions, 15 deletions
diff --git a/runsc/specutils/namespace.go b/runsc/specutils/namespace.go
index 48a199a77..00293d45b 100644
--- a/runsc/specutils/namespace.go
+++ b/runsc/specutils/namespace.go
@@ -204,8 +204,8 @@ func SetUIDGIDMappings(cmd *exec.Cmd, s *specs.Spec) {
 }
 }
 
-// CanSetUIDGID returns true if the user has SETUID and SETGID capabilities.
-func CanSetUIDGID() bool {
+// HasCapabilities returns true if the user has all capabilties in 'cs'.
+func HasCapabilities(cs ...capability.Cap) bool {
 caps, err := capability.NewPid2(os.Getpid())
 if err != nil {
 return false
@@ -213,18 +213,10 @@ func CanSetUIDGID() bool {
 if err := caps.Load(); err != nil {
 return false
 }
- return caps.Get(capability.EFFECTIVE, capability.CAP_SETUID) &&
- caps.Get(capability.EFFECTIVE, capability.CAP_SETGID)
-}
-
-// HasCapSysAdmin returns true if the user has CAP_SYS_ADMIN capability.
-func HasCapSysAdmin() bool {
- caps, err := capability.NewPid2(os.Getpid())
- if err != nil {
- return false
- }
- if err := caps.Load(); err != nil {
- return false
+ for _, c := range cs {
+ if !caps.Get(capability.EFFECTIVE, c) {
+ return false
+ }
 }
- return caps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN)
+ return true
 }
|
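Review bot: The new doc comment on `HasCapabilities` says "the user has all capabilties", but the body inspects only the effective set of the current process (`capability.NewPid2(os.Getpid())` in this hunk, `caps.Get(capability.EFFECTIVE, c)` in the next), so a capability that is permitted but not raised is reported as missing. The comment should state that, and also that a failure to read the capability state yields false, which is indistinguishable from a missing capability: `// HasCapabilities reports whether the current process holds every capability in cs in its effective set. It returns false if the capability state cannot be read.` That wording also fixes the "capabilties" spelling. The function body continues into the following hunk.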
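Review bot: With an empty `cs` the added loop never executes and the function falls through to `return true`, so `HasCapabilities()` claims the process holds "all" capabilities whenever the state loads. Per the commit message the result decides whether tests re-run as root inside a user namespace, so a caller that assembles the list dynamically and ends up with none would skip that switch without any signal. If the vacuous result is intended, say so in the doc comment, e.g. `// An empty cs always yields true.`; otherwise guard it before the loop. The start of the function is in the previous hunk.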