From ab0410948a2ae4808f258fdbb546cb94f1c7939d Mon Sep 17 00:00:00 2001 From: Doug Rabson Date: Mon, 10 Feb 2025 14:12:00 +0000 Subject: [PATCH] libpod: make hasCapSysResource platform-specific I'm not sure if there is an equivalent to CAP_SYS_RESOURCE on FreeBSD but for now, I have added a no-op stub which returns false. Signed-off-by: Doug Rabson --- libpod/container_internal_common.go | 14 -------------- libpod/container_internal_freebsd.go | 5 +++++ libpod/container_internal_linux.go | 13 +++++++++++++ 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go index 77eb280f31..5b8d898247 100644 --- a/libpod/container_internal_common.go +++ b/libpod/container_internal_common.go @@ -18,7 +18,6 @@ import ( "slices" "strconv" "strings" - "sync" "syscall" "time" @@ -53,7 +52,6 @@ import ( "github.com/containers/storage/pkg/unshare" stypes "github.com/containers/storage/types" securejoin "github.com/cyphar/filepath-securejoin" - "github.com/moby/sys/capability" runcuser "github.com/moby/sys/user" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" @@ -179,18 +177,6 @@ func getOverlayUpperAndWorkDir(options []string) (string, string, error) { return upperDir, workDir, nil } -// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE. -var hasCapSysResource = sync.OnceValues(func() (bool, error) { - currentCaps, err := capability.NewPid2(0) - if err != nil { - return false, err - } - if err = currentCaps.Load(); err != nil { - return false, err - } - return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil -}) - // Generate spec for a container // Accepts a map of the container's dependencies func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFuncRet func(), err error) { diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go index 55ce66dc2a..a3e0c5d613 100644 --- a/libpod/container_internal_freebsd.go +++ b/libpod/container_internal_freebsd.go @@ -410,3 +410,8 @@ func (c *Container) hasPrivateUTS() bool { // specification. return true } + +// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE. +func hasCapSysResource() (bool, error) { + return true, nil +} diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index c1be78d31d..0f6e5905d3 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -21,6 +21,7 @@ import ( "github.com/containers/podman/v5/libpod/define" "github.com/containers/podman/v5/libpod/shutdown" "github.com/containers/podman/v5/pkg/rootless" + "github.com/moby/sys/capability" spec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/selinux/go-selinux/label" @@ -835,3 +836,15 @@ func (c *Container) hasPrivateUTS() bool { } return privateUTS } + +// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE. +var hasCapSysResource = sync.OnceValues(func() (bool, error) { + currentCaps, err := capability.NewPid2(0) + if err != nil { + return false, err + } + if err = currentCaps.Load(); err != nil { + return false, err + } + return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil +})