Diffstat (limited to 'runsc/specutils')
-rw-r--r--runsc/specutils/BUILD1
-rw-r--r--runsc/specutils/namespace.go14
2 files changed, 15 insertions, 0 deletions
diff --git a/runsc/specutils/BUILD b/runsc/specutils/BUILD
index 97a504b20..e73b2293f 100644
--- a/runsc/specutils/BUILD
+++ b/runsc/specutils/BUILD
@@ -18,6 +18,7 @@ go_library(
"//pkg/sentry/kernel/auth",
"@com_github_cenkalti_backoff//:go_default_library",
"@com_github_opencontainers_runtime-spec//specs-go:go_default_library",
+ "@com_github_syndtr_gocapability//capability:go_default_library",
"@org_golang_x_sys//unix:go_default_library",
],
)
diff --git a/runsc/specutils/namespace.go b/runsc/specutils/namespace.go
index 80eaad965..356943a65 100644
--- a/runsc/specutils/namespace.go
+++ b/runsc/specutils/namespace.go
@@ -23,6 +23,7 @@ import (
"syscall"
specs "github.com/opencontainers/runtime-spec/specs-go"
+ "github.com/syndtr/gocapability/capability"
"golang.org/x/sys/unix"
"gvisor.googlesource.com/gvisor/pkg/log"
)
@@ -202,3 +203,16 @@ func SetUIDGIDMappings(cmd *exec.Cmd, s *specs.Spec) {
})
}
}
+
+// CanSetUIDGID returns true if the user has SETUID and SETGID capabilities.
+func CanSetUIDGID() bool {
+ caps, err := capability.NewPid2(os.Getpid())
+ if err != nil {
+ return false
+ }
+ if err := caps.Load(); err != nil {
+ return false
+ }
+ return caps.Get(capability.EFFECTIVE, capability.CAP_SETUID) &&
+ caps.Get(capability.EFFECTIVE, capability.CAP_SETGID)
+}
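Review bot: The doc comment on CanSetUIDGID says "the user has" the capabilities, but the body inspects the effective capability set of the current process (`capability.NewPid2(os.Getpid())` followed by `caps.Get(capability.EFFECTIVE, …)`), which is the set that governs a later setuid/setgid call and can differ from what the invoking user nominally holds; I would make it `// CanSetUIDGID reports whether the current process has CAP_SETUID and CAP_SETGID in its effective set. It returns false if the capability sets cannot be read.` The two `return false` paths on the `NewPid2` and `Load` errors also make a failed read indistinguishable from a genuinely missing capability, so a caller that treats false as "unprivileged" will silently take the fallback path on an unrelated error; since the file already imports the package logger, logging the error before returning (with whatever warning-level function that logger exposes) would keep the signature and make the failure visible. The result is a point-in-time snapshot and can be stale if the caller changes credentials before acting on it, which the comment could also say.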