opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-21 09:05:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

libpod: make hasCapSysResource platform-specific

Browse Source 
I'm not sure if there is an equivalent to CAP_SYS_RESOURCE on FreeBSD
but for now, I have added a no-op stub which returns false.

Signed-off-by: Doug Rabson <dfr@rabson.org>
This commit is contained in:
Doug Rabson
2025-02-10 14:12:00 +00:00
parent a5ed4230d8
commit ab0410948a
3 changed files with 18 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
libpod/container_internal_common.go
View File

@ -18,7 +18,6 @@ import (
"slices" "slices"
"strconv" "strconv"
"strings" "strings"
"sync"
"syscall" "syscall"
"time" "time"
@ -53,7 +52,6 @@ import (
"github.com/containers/storage/pkg/unshare" "github.com/containers/storage/pkg/unshare"
stypes "github.com/containers/storage/types" stypes "github.com/containers/storage/types"
securejoin "github.com/cyphar/filepath-securejoin" securejoin "github.com/cyphar/filepath-securejoin"
"github.com/moby/sys/capability"
runcuser "github.com/moby/sys/user" runcuser "github.com/moby/sys/user"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
@ -179,18 +177,6 @@ func getOverlayUpperAndWorkDir(options []string) (string, string, error) {
return upperDir, workDir, nil return upperDir, workDir, nil
} }
// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
var hasCapSysResource = sync.OnceValues(func() (bool, error) {
currentCaps, err := capability.NewPid2(0)
if err != nil {
return false, err
}
if err = currentCaps.Load(); err != nil {
return false, err
}
return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
})
// Generate spec for a container // Generate spec for a container
// Accepts a map of the container's dependencies // Accepts a map of the container's dependencies
func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFuncRet func(), err error) { func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFuncRet func(), err error) {

5
libpod/container_internal_freebsd.go
View File

@ -410,3 +410,8 @@ func (c *Container) hasPrivateUTS() bool {
// specification. // specification.
return true return true
} }
// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
func hasCapSysResource() (bool, error) {
return true, nil
}

13
libpod/container_internal_linux.go
View File

@ -21,6 +21,7 @@ import (
"github.com/containers/podman/v5/libpod/define" "github.com/containers/podman/v5/libpod/define"
"github.com/containers/podman/v5/libpod/shutdown" "github.com/containers/podman/v5/libpod/shutdown"
"github.com/containers/podman/v5/pkg/rootless" "github.com/containers/podman/v5/pkg/rootless"
"github.com/moby/sys/capability"
spec "github.com/opencontainers/runtime-spec/specs-go" spec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate"
"github.com/opencontainers/selinux/go-selinux/label" "github.com/opencontainers/selinux/go-selinux/label"
@ -835,3 +836,15 @@ func (c *Container) hasPrivateUTS() bool {
} }
return privateUTS return privateUTS
} }
// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
var hasCapSysResource = sync.OnceValues(func() (bool, error) {
currentCaps, err := capability.NewPid2(0)
if err != nil {
return false, err
}
if err = currentCaps.Load(); err != nil {
return false, err
}
return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
})