Dont use custom marshaling for caps and namespaces
This also adds an enabled field to the types so that they can be easily toggled. Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
parent
0424993f6d
commit
f6a8719dd5
2 changed files with 28 additions and 61 deletions
|
@ -1,7 +1,6 @@
|
||||||
package libcontainer
|
package libcontainer
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
|
||||||
"errors"
|
"errors"
|
||||||
"github.com/syndtr/gocapability/capability"
|
"github.com/syndtr/gocapability/capability"
|
||||||
)
|
)
|
||||||
|
@ -19,29 +18,30 @@ var (
|
||||||
namespaceList = Namespaces{}
|
namespaceList = Namespaces{}
|
||||||
|
|
||||||
capabilityList = Capabilities{
|
capabilityList = Capabilities{
|
||||||
{Key: "SETPCAP", Value: capability.CAP_SETPCAP},
|
{Key: "SETPCAP", Value: capability.CAP_SETPCAP, Enabled: true},
|
||||||
{Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE},
|
{Key: "SYS_MODULE", Value: capability.CAP_SYS_MODULE, Enabled: true},
|
||||||
{Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO},
|
{Key: "SYS_RAWIO", Value: capability.CAP_SYS_RAWIO, Enabled: true},
|
||||||
{Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT},
|
{Key: "SYS_PACCT", Value: capability.CAP_SYS_PACCT, Enabled: true},
|
||||||
{Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN},
|
{Key: "SYS_ADMIN", Value: capability.CAP_SYS_ADMIN, Enabled: true},
|
||||||
{Key: "SYS_NICE", Value: capability.CAP_SYS_NICE},
|
{Key: "SYS_NICE", Value: capability.CAP_SYS_NICE, Enabled: true},
|
||||||
{Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE},
|
{Key: "SYS_RESOURCE", Value: capability.CAP_SYS_RESOURCE, Enabled: true},
|
||||||
{Key: "SYS_TIME", Value: capability.CAP_SYS_TIME},
|
{Key: "SYS_TIME", Value: capability.CAP_SYS_TIME, Enabled: true},
|
||||||
{Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG},
|
{Key: "SYS_TTY_CONFIG", Value: capability.CAP_SYS_TTY_CONFIG, Enabled: true},
|
||||||
{Key: "MKNOD", Value: capability.CAP_MKNOD},
|
{Key: "MKNOD", Value: capability.CAP_MKNOD, Enabled: true},
|
||||||
{Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE},
|
{Key: "AUDIT_WRITE", Value: capability.CAP_AUDIT_WRITE, Enabled: true},
|
||||||
{Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL},
|
{Key: "AUDIT_CONTROL", Value: capability.CAP_AUDIT_CONTROL, Enabled: true},
|
||||||
{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE},
|
{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: true},
|
||||||
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN},
|
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: true},
|
||||||
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN},
|
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: true},
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
type (
|
type (
|
||||||
Namespace struct {
|
Namespace struct {
|
||||||
Key string
|
Key string `json:"key,omitempty"`
|
||||||
Value int
|
Enabled bool `json:"enabled,omitempty"`
|
||||||
File string
|
Value int `json:"value,omitempty"`
|
||||||
|
File string `json:"file,omitempty"`
|
||||||
}
|
}
|
||||||
Namespaces []*Namespace
|
Namespaces []*Namespace
|
||||||
)
|
)
|
||||||
|
@ -50,23 +50,6 @@ func (ns *Namespace) String() string {
|
||||||
return ns.Key
|
return ns.Key
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ns *Namespace) MarshalJSON() ([]byte, error) {
|
|
||||||
return json.Marshal(ns.Key)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (ns *Namespace) UnmarshalJSON(src []byte) error {
|
|
||||||
var nsName string
|
|
||||||
if err := json.Unmarshal(src, &nsName); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
ret := GetNamespace(nsName)
|
|
||||||
if ret == nil {
|
|
||||||
return ErrUnkownNamespace
|
|
||||||
}
|
|
||||||
*ns = *ret
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func GetNamespace(key string) *Namespace {
|
func GetNamespace(key string) *Namespace {
|
||||||
for _, ns := range namespaceList {
|
for _, ns := range namespaceList {
|
||||||
if ns.Key == key {
|
if ns.Key == key {
|
||||||
|
@ -89,8 +72,9 @@ func (n Namespaces) Contains(ns string) bool {
|
||||||
|
|
||||||
type (
|
type (
|
||||||
Capability struct {
|
Capability struct {
|
||||||
Key string
|
Key string `json:"key,omitempty"`
|
||||||
Value capability.Cap
|
Enabled bool `json:"enabled"`
|
||||||
|
Value capability.Cap `json:"value,omitempty"`
|
||||||
}
|
}
|
||||||
Capabilities []*Capability
|
Capabilities []*Capability
|
||||||
)
|
)
|
||||||
|
@ -99,23 +83,6 @@ func (c *Capability) String() string {
|
||||||
return c.Key
|
return c.Key
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Capability) MarshalJSON() ([]byte, error) {
|
|
||||||
return json.Marshal(c.Key)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (c *Capability) UnmarshalJSON(src []byte) error {
|
|
||||||
var capName string
|
|
||||||
if err := json.Unmarshal(src, &capName); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
ret := GetCapability(capName)
|
|
||||||
if ret == nil {
|
|
||||||
return ErrUnkownCapability
|
|
||||||
}
|
|
||||||
*c = *ret
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func GetCapability(key string) *Capability {
|
func GetCapability(key string) *Capability {
|
||||||
for _, capp := range capabilityList {
|
for _, capp := range capabilityList {
|
||||||
if capp.Key == key {
|
if capp.Key == key {
|
||||||
|
|
|
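Review bot: Deleting `UnmarshalJSON` in the `@ -99,23 +83,6 @@` hunk (and the matching `@ -50,23 +50,6 @@` hunk for Namespace) removes the only place a decoded entry was looked up in `capabilityList`/`namespaceList`, so a config can now carry any `key`/`value` pair, including a `value` that does not match its `key`, and nothing in this diff re-validates it; the consumer of the decoded structs is outside the diff, but before the values are applied it should do `if known := GetCapability(c.Key); known == nil || known.Value != c.Value { return ErrUnkownCapability }` (and the same for namespaces via `GetNamespace`). The two struct tags also disagree: `Enabled bool \`json:"enabled"\`` on Capability versus `Enabled bool \`json:"enabled,omitempty"\`` on Namespace; pick one form. `Value capability.Cap \`json:"value,omitempty"\`` will omit the field for a capability whose number is 0 (CAP_CHOWN on Linux), which is one more reason to resolve entries by `key` rather than trust the serialized `value`. With both `UnmarshalJSON` bodies gone, `ErrUnkownCapability` and `ErrUnkownNamespace` have no remaining reference in these hunks; if they are declared in the `var (` block at the top of this file, confirm they are still used elsewhere or remove them.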
@ -6,11 +6,11 @@ import (
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
namespaceList = Namespaces{
|
namespaceList = Namespaces{
|
||||||
{Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt"},
|
{Key: "NEWNS", Value: syscall.CLONE_NEWNS, File: "mnt", Enabled: true},
|
||||||
{Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts"},
|
{Key: "NEWUTS", Value: syscall.CLONE_NEWUTS, File: "uts", Enabled: true},
|
||||||
{Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc"},
|
{Key: "NEWIPC", Value: syscall.CLONE_NEWIPC, File: "ipc", Enabled: true},
|
||||||
{Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user"},
|
{Key: "NEWUSER", Value: syscall.CLONE_NEWUSER, File: "user", Enabled: true},
|
||||||
{Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid"},
|
{Key: "NEWPID", Value: syscall.CLONE_NEWPID, File: "pid", Enabled: true},
|
||||||
{Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net"},
|
{Key: "NEWNET", Value: syscall.CLONE_NEWNET, File: "net", Enabled: true},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|