libpod: make hasCapSysResource platform-specific

I'm not sure if there is an equivalent to CAP_SYS_RESOURCE on FreeBSD but for now, I have added a no-op stub which returns false. Signed-off-by: Doug Rabson <dfr@rabson.org>
2025-05-21 09:05:56 +08:00 · 2025-02-10 14:12:00 +00:00
parent a5ed4230d8
commit ab0410948a
3 changed files with 18 additions and 14 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -18,7 +18,6 @@ import (
 	"slices"
 	"strconv"
 	"strings"
-	"sync"
 	"syscall"
 	"time"

@ -53,7 +52,6 @@ import (
 	"github.com/containers/storage/pkg/unshare"
 	stypes "github.com/containers/storage/types"
 	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/moby/sys/capability"
 	runcuser "github.com/moby/sys/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@ -179,18 +177,6 @@ func getOverlayUpperAndWorkDir(options []string) (string, string, error) {
 	return upperDir, workDir, nil
 }

-// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
-var hasCapSysResource = sync.OnceValues(func() (bool, error) {
-	currentCaps, err := capability.NewPid2(0)
-	if err != nil {
-		return false, err
-	}
-	if err = currentCaps.Load(); err != nil {
-		return false, err
-	}
-	return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
-})
-
 // Generate spec for a container
 // Accepts a map of the container's dependencies
 func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFuncRet func(), err error) {
--- a/libpod/container_internal_freebsd.go
+++ b/libpod/container_internal_freebsd.go
@ -410,3 +410,8 @@ func (c *Container) hasPrivateUTS() bool {
 	// specification.
 	return true
 }
+
+// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
+func hasCapSysResource() (bool, error) {
+	return true, nil
+}
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@ -21,6 +21,7 @@ import (
 	"github.com/containers/podman/v5/libpod/define"
 	"github.com/containers/podman/v5/libpod/shutdown"
 	"github.com/containers/podman/v5/pkg/rootless"
+	"github.com/moby/sys/capability"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
@ -835,3 +836,15 @@ func (c *Container) hasPrivateUTS() bool {
 	}
 	return privateUTS
 }
+
+// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
+var hasCapSysResource = sync.OnceValues(func() (bool, error) {
+	currentCaps, err := capability.NewPid2(0)
+	if err != nil {
+		return false, err
+	}
+	if err = currentCaps.Load(); err != nil {
+		return false, err
+	}
+	return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
+})