Merge pull request #481 from giuseppe/get-bounding-caps

capabilities: add new method BoundingSet()
containers · Mar 19, 2021 · c1d6a76 · c1d6a76
2 parents c744128 + d6662e8
commit c1d6a76
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/pkg/capabilities/capabilities.go b/pkg/capabilities/capabilities.go
@@ -16,6 +16,9 @@ var (
 	// Used internally and populated during init().
 	capabilityList []string
 
+	// Used internally and populated during init().
+	capsList []capability.Cap
+
 	// ErrUnknownCapability is thrown when an unknown capability is processed.
 	ErrUnknownCapability = errors.New("unknown capability")
 
@@ -28,6 +31,10 @@ var (
 // Useful on the CLI for `--cap-add=all` etc.
 const All = "ALL"
 
+func getCapName(c capability.Cap) string {
+	return "CAP_" + strings.ToUpper(c.String())
+}
+
 func init() {
 	last := capability.CAP_LAST_CAP
 	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
@@ -38,7 +45,8 @@ func init() {
 		if cap > last {
 			continue
 		}
-		capabilityList = append(capabilityList, "CAP_"+strings.ToUpper(cap.String()))
+		capsList = append(capsList, cap)
+		capabilityList = append(capabilityList, getCapName(cap))
 	}
 }
 
@@ -52,6 +60,26 @@ func stringInSlice(s string, sl []string) bool {
 	return false
 }
 
+// BoundingSet returns the capabilities in the current bounding set
+func BoundingSet() ([]string, error) {
+	currentCaps, err := capability.NewPid2(0)
+	if err != nil {
+		return nil, err
+	}
+	err = currentCaps.Load()
+	if err != nil {
+		return nil, err
+	}
+	var r []string
+	for _, c := range capsList {
+		if !currentCaps.Get(capability.BOUNDING, c) {
+			continue
+		}
+		r = append(r, getCapName(c))
+	}
+	return r, nil
+}
+
 // AllCapabilities returns all known capabilities.
 func AllCapabilities() []string {
 	return capabilityList

diff --git a/pkg/capabilities/capabilities_test.go b/pkg/capabilities/capabilities_test.go
@@ -14,6 +14,12 @@ func TestAllCapabilities(t *testing.T) {
 	require.Nil(t, err)
 }
 
+func TestBoundingCapabilities(t *testing.T) {
+	caps, err := BoundingSet()
+	require.Nil(t, err)
+	assert.True(t, len(caps) > 0)
+}
+
 func TestMergeCapabilitiesDropVerify(t *testing.T) {
 	adds := []string{"CAP_SYS_ADMIN", "CAP_SETUID"}
 	drops := []string{"CAP_NET_ADMIN", "cap_chown"}

diff --git a/version/version.go b/version/version.go
@@ -1,4 +1,4 @@
 package version
 
 // Version is the version of the build.
-const Version = "0.35.3-dev"
+const Version = "0.35.4-dev"