From 6a91149b53b2f5a3b6a366007dcd80c2dc34e9b0 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Mon, 30 Sep 2024 15:08:31 -0700
Subject: [PATCH 1/2] platformInspectContainerHostConfig: rm dead code

In this code, g.HostSpecific is _always_ false, as it is never set by generate.New and is thus left at the default value (false). Remove dead code.

Signed-off-by: Kir Kolyshkin
---
 libpod/container_inspect_linux.go | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/libpod/container_inspect_linux.go b/libpod/container_inspect_linux.go
index 909be3d310..1f1d3c326c 100644
--- a/libpod/container_inspect_linux.go
+++ b/libpod/container_inspect_linux.go
@@ -11,8 +11,6 @@ import (
 "github.com/containers/podman/v5/libpod/define"
 "github.com/containers/podman/v5/pkg/util"
 spec "github.com/opencontainers/runtime-spec/specs-go"
- "github.com/opencontainers/runtime-tools/generate"
- "github.com/opencontainers/runtime-tools/validate/capabilities"
 "github.com/sirupsen/logrus"
 "github.com/syndtr/gocapability/capability"
 )
@@ -152,15 +150,8 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC
 boundingCaps[cap] = true
 }
 } else {
- g, err := generate.New("linux")
- if err != nil {
- return err
- }
 // If we are privileged, use all caps.
 for _, cap := range capability.List() {
- if g.HostSpecific && cap > capabilities.LastCap() {
- continue
- }
 boundingCaps[fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))] = true
 }
 }

From 28e01cc8cc2f0a890ca555c3f1273e0b4850d683 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Mon, 30 Sep 2024 14:54:43 -0700
Subject: [PATCH 2/2] Switch to moby/sys/capability

Signed-off-by: Kir Kolyshkin
---
 go.mod | 2 +-
 libpod/container_inspect_linux.go | 4 ++--
 test/e2e/run_privileged_test.go | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index c7bcaadf9e..3198e8e681 100644
--- a/go.mod
+++ b/go.mod
@@ -67,7 +67,6 @@ require (
 github.com/spf13/cobra v1.8.1
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.9.0
- github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 github.com/vbauerster/mpb/v8 v8.8.3
 github.com/vishvananda/netlink v1.3.0
 go.etcd.io/bbolt v1.3.11
@@ -198,6 +197,7 @@ require (
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
 github.com/sylabs/sif/v2 v2.19.1 // indirect
+ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 github.com/tklauser/go-sysconf v0.3.12 // indirect
diff --git a/libpod/container_inspect_linux.go b/libpod/container_inspect_linux.go
index 1f1d3c326c..c407a7ebe2 100644
--- a/libpod/container_inspect_linux.go
+++ b/libpod/container_inspect_linux.go
@@ -10,9 +10,9 @@ import (
 "github.com/containers/common/pkg/config"
 "github.com/containers/podman/v5/libpod/define"
 "github.com/containers/podman/v5/pkg/util"
+ "github.com/moby/sys/capability"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/sirupsen/logrus"
- "github.com/syndtr/gocapability/capability"
 )

 func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostConfig *define.InspectContainerHostConfig) error {
@@ -151,7 +151,7 @@ func (c *Container) platformInspectContainerHostConfig(ctrSpec *spec.Spec, hostC
 }
 } else {
 // If we are privileged, use all caps.
- for _, cap := range capability.List() {
+ for _, cap := range capability.ListKnown() {
 boundingCaps[fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String()))] = true
 }
 }
diff --git a/test/e2e/run_privileged_test.go b/test/e2e/run_privileged_test.go
index f3d571ebe6..67370991d4 100644
--- a/test/e2e/run_privileged_test.go
+++ b/test/e2e/run_privileged_test.go
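Review bot: The privileged branch at `for _, cap := range capability.ListKnown()` still reports every capability the library was built with rather than the set the running kernel actually grants, so `podman inspect` can list capabilities a privileged container cannot hold on an older kernel, or omit ones a newer kernel adds after the library release; this is the same behaviour as the `capability.List()` it replaces, but the switch to moby/sys/capability is the natural point to fix it, and tooling that audits inspect output will otherwise act on an inaccurate bounding set. If the vendored moby/sys/capability release provides `ListSupported()` (the kernel-probing counterpart of `ListKnown`, which as far as I recall returns `([]Cap, error)`), use it here and return its error through the `error` result the function already has, falling back to `ListKnown()` only if you deliberately want inspect to work where probing fails. That would also keep the inspect output consistent with `containerCapMatchesHost` in run_privileged_test.go, which asserts that host capabilities are a superset of the container's. platformInspectContainerHostConfig starts and ends outside this hunk.
```go
	} else {
		// If we are privileged, use every cap the running kernel supports,
		// not every cap the library happens to know about.
		caps, err := capability.ListSupported()
		if err != nil {
			return err
		}
		for _, cap := range caps {
			// … unchanged: boundingCaps[...] = true …
		}
	}
```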
@@ -8,9 +8,9 @@ import (
 "strings"

 . "github.com/containers/podman/v5/test/utils"
+ "github.com/moby/sys/capability"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
- "github.com/syndtr/gocapability/capability"
 )

 // helper function for confirming that container capabilities are equal
@@ -32,7 +32,7 @@ func containerCapMatchesHost(ctrCap string, hostCap string) {
 // and host caps must always be a superset (inclusive) of container
 Expect(hostCapN).To(BeNumerically(">", 0), "host cap %q should be nonzero", hostCap)
 Expect(hostCapN).To(BeNumerically(">=", ctrCapN), "host cap %q should never be less than container cap %q", hostCap, ctrCap)
- hostCapMasked := hostCapN & (1<