use GetCapLast() to get CAP_LAST_CAP and avoid to read file /proc/sys…

…/kernel/cap_last_cap everytime when importing

Signed-off-by: ningmingxiao <[email protected]>

capability_linux.go

@@ -27,19 +27,33 @@ var (
 	capLastCap Cap
 )
 
-func init() {
+func getCapMaskCapLast() (uint32, Cap, error) {
+	// capLastCap is already set
+	if capLastCap != 0 {
+		return capUpperMask, capLastCap, nil
+	}
 	var hdr capHeader
 	capget(&hdr, nil)
 	capVers = hdr.version
+	if err := initLastCap(); err != nil {
+		return 0, 0, err
+	}
+	if capLastCap > 31 {
+		capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
+	} else {
+		capUpperMask = 0
+	}
+	return capUpperMask, capLastCap, nil
+}
 
-	if initLastCap() == nil {
-		CAP_LAST_CAP = capLastCap
-		if capLastCap > 31 {
-			capUpperMask = (uint32(1) << (uint(capLastCap) - 31)) - 1
-		} else {
-			capUpperMask = 0
-		}
+// Highest valid capability of the running kernel.
+// Notice: we can't use CAP_LAST_CAP anymore use GetCapLastCap() instead.
+func GetCapLastCap() (Cap, error) {
+	_, capLastCap, err := getCapMaskCapLast()
+	if err != nil {
+		return 0, err
 	}
+	return capLastCap, nil
 }
 
 func initLastCap() error {
@@ -65,7 +79,8 @@ func initLastCap() error {
 }
 
 func mkStringCap(c Capabilities, which CapType) (ret string) {
-	for i, first := Cap(0), true; i <= CAP_LAST_CAP; i++ {
+	_, capLastCap, _ := getCapMaskCapLast()
+	for i, first := Cap(0), true; i <= capLastCap; i++ {
 		if !c.Get(which, i) {
 			continue
 		}
@@ -97,6 +112,11 @@ func mkString(c Capabilities, max CapType) (ret string) {
 }
 
 func newPid(pid int) (c Capabilities, err error) {
+	//make sure func getCapMaskCapLast() run ok and can get right value
+	_, _, err = getCapMaskCapLast()
+	if err != nil {
+		return nil, err
+	}
 	switch capVers {
 	case 0:
 		err = errors.New("unable to get capability version from the kernel")
@@ -327,8 +347,9 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 		if err != nil {
 			return
 		}
+		_, capLastCap, _ := getCapMaskCapLast()
 		if (1<<uint(CAP_SETPCAP))&data[0].effective != 0 {
-			for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+			for i := Cap(0); i <= capLastCap; i++ {
 				if c.Get(BOUNDING, i) {
 					continue
 				}
@@ -353,7 +374,8 @@ func (c *capsV3) Apply(kind CapType) (err error) {
 	}
 
 	if kind&AMBS == AMBS {
-		for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+		_, capLastCap, _ := getCapMaskCapLast()
+		for i := Cap(0); i <= capLastCap; i++ {
 			action := pr_CAP_AMBIENT_LOWER
 			if c.Get(AMBIENT, i) {
 				action = pr_CAP_AMBIENT_RAISE

capability_test.go

@@ -45,15 +45,16 @@ func TestState(t *testing.T) {
 
 	capf := new(capsFile)
 	capf.data.version = 2
+	_, capLastCap, _ := getCapMaskCapLast()
 	for _, tc := range []struct {
 		name string
 		c    Capabilities
 		sets CapType
 		max  Cap
 	}{
-		{"v3", new(capsV3), EFFECTIVE | PERMITTED | BOUNDING, CAP_LAST_CAP},
+		{"v3", new(capsV3), EFFECTIVE | PERMITTED | BOUNDING, capLastCap},
 		{"file_v1", new(capsFile), EFFECTIVE | PERMITTED, CAP_AUDIT_CONTROL},
-		{"file_v2", capf, EFFECTIVE | PERMITTED, CAP_LAST_CAP},
+		{"file_v2", capf, EFFECTIVE | PERMITTED, capLastCap},
 	} {
 		testEmpty(tc.name, tc.c, tc.sets)
 		tc.c.Fill(CAPS | BOUNDS)
@@ -62,14 +63,14 @@ func TestState(t *testing.T) {
 		tc.c.Clear(CAPS | BOUNDS)
 		testEmpty(tc.name, tc.c, tc.sets)
 		for i := CapType(1); i <= BOUNDING; i <<= 1 {
-			for j := Cap(0); j <= CAP_LAST_CAP; j++ {
+			for j := Cap(0); j <= capLastcap; j++ {
 				tc.c.Set(i, j)
 			}
 		}
 		testFull(tc.name, tc.c, tc.sets)
 		testGet(tc.name, tc.c, tc.sets, tc.max)
 		for i := CapType(1); i <= BOUNDING; i <<= 1 {
-			for j := Cap(0); j <= CAP_LAST_CAP; j++ {
+			for j := Cap(0); j <= capLastcap; j++ {
 				tc.c.Unset(i, j)
 			}
 		}

enum.go

@@ -302,8 +302,5 @@ const (
 )
 
 var (
-	// Highest valid capability of the running kernel.
-	CAP_LAST_CAP = Cap(63)
-
 	capUpperMask = ^uint32(0)
 )