[draft] Switch to github.com/moby/sys/capability v0.4.0

This removes the last unversioned package in runc's direct dependencies.

Draft pending moby/sys#176 merge and v0.4.0 release.

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.3.4
 	github.com/docker/go-units v0.5.0
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/moby/sys/capability v0.4.0
 	github.com/moby/sys/mountinfo v0.7.2
 	github.com/moby/sys/user v0.3.0
 	github.com/moby/sys/userns v0.1.0
@@ -23,7 +24,6 @@ require (
 	github.com/opencontainers/selinux v1.11.1
 	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/urfave/cli v1.22.16
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/net v0.24.0
@@ -37,3 +37,5 @@ require (
 	github.com/vishvananda/netns v0.0.4 // indirect
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 )
+
+replace github.com/moby/sys/capability => github.com/kolyshkin/sys/capability v0.0.0-20241101015351-c61ae8843acf

go.sum

@@ -31,6 +31,8 @@ github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtL
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
 github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
+github.com/kolyshkin/sys/capability v0.0.0-20241101015351-c61ae8843acf h1:qB1RsE/PtOILqvmNPCOLtF/HSjERLAIQ0L9nIvtO9Mw=
+github.com/kolyshkin/sys/capability v0.0.0-20241101015351-c61ae8843acf/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -73,8 +75,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
 github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
 github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=

libcontainer/capabilities/capabilities.go

@@ -3,42 +3,38 @@
 package capabilities
 
 import (
+	"fmt"
 	"sort"
 	"strings"
 	"sync"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 )
 
 const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
 
-var (
-	capTypes = []capability.CapType{
-		capability.BOUNDING,
-		capability.PERMITTED,
-		capability.INHERITABLE,
-		capability.EFFECTIVE,
-		capability.AMBIENT,
-	}
+func capToStr(c capability.Cap) string {
+	return "CAP_" + strings.ToUpper(c.String())
+}
 
-	capMap = sync.OnceValue(func() map[string]capability.Cap {
-		cm := make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
-		for _, c := range capability.List() {
-			if c > capability.CAP_LAST_CAP {
-				continue
-			}
-			cm["CAP_"+strings.ToUpper(c.String())] = c
-		}
-		return cm
-	})
-)
+var capMap = sync.OnceValues(func() (map[string]capability.Cap, error) {
+	list, err := capability.ListSupported()
+	if err != nil {
+		return nil, err
+	}
+	cm := make(map[string]capability.Cap, len(list))
+	for _, c := range list {
+		cm[capToStr(c)] = c
+	}
+	return cm, nil
+})
 
 // KnownCapabilities returns the list of the known capabilities.
 // Used by `runc features`.
 func KnownCapabilities() []string {
-	list := capability.List()
+	list := capability.ListKnown()
 	res := make([]string, len(list))
 	for i, c := range list {
 		res[i] = "CAP_" + strings.ToUpper(c.String())
@@ -50,11 +46,12 @@ func KnownCapabilities() []string {
 // or Capabilities that are unavailable in the current environment are ignored,
 // printing a warning instead.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
-	var (
-		err error
-		c   Caps
-	)
+	var c Caps
 
+	_, err := capMap()
+	if err != nil {
+		return nil, err
+	}
 	unknownCaps := make(map[string]struct{})
 	c.caps = map[capability.CapType][]capability.Cap{
 		capability.BOUNDING:    capSlice(capConfig.Bounding, unknownCaps),
@@ -76,7 +73,7 @@ func New(capConfig *configs.Capabilities) (*Caps, error) {
 // equivalent, and returns them as a slice. Unknown or unavailable capabilities
 // are not returned, but appended to unknownCaps.
 func capSlice(caps []string, unknownCaps map[string]struct{}) []capability.Cap {
-	cm := capMap()
+	cm, _ := capMap()
 	out := make([]capability.Cap, 0, len(caps))
 	for _, c := range caps {
 		if v, ok := cm[c]; !ok {
@@ -113,9 +110,36 @@ func (c *Caps) ApplyBoundingSet() error {
 
 // Apply sets all the capabilities for the current process in the config.
 func (c *Caps) ApplyCaps() error {
-	c.pid.Clear(allCapabilityTypes)
-	for _, g := range capTypes {
+	c.pid.Clear(capability.CAPS | capability.BOUNDS)
+	for _, g := range []capability.CapType{
+		capability.EFFECTIVE,
+		capability.PERMITTED,
+		capability.INHERITABLE,
+		capability.BOUNDING,
+	} {
 		c.pid.Set(g, c.caps[g]...)
 	}
-	return c.pid.Apply(allCapabilityTypes)
+	if err := c.pid.Apply(capability.CAPS | capability.BOUNDS); err != nil {
+		return fmt.Errorf("can't apply capabilities: %v", err)
+	}
+
+	// Old version of capability package used to ignore errors from setting
+	// ambient capabilities, which is now fixed (see
+	// https://github.com/kolyshkin/capability/pull/3).
+	//
+	// To maintain backward compatibility, set ambient caps one by one and
+	// don't return any errors, only warn.
+	ambs := c.caps[capability.AMBIENT]
+	err := capability.ResetAmbient()
+	if err != nil {
+		return fmt.Errorf("can't reset ambient capabilities: %v", err)
+	}
+	for _, a := range ambs {
+		err := capability.SetAmbient(true, a)
+		if err != nil {
+			logrus.Warnf("can't raise ambient capability %s: %v", capToStr(a), err)
+		}
+	}
+
+	return nil
 }

libcontainer/capabilities/capabilities_linux_test.go

@@ -5,12 +5,20 @@ import (
 	"os"
 	"testing"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
-	"github.com/syndtr/gocapability/capability"
 )
 
+var capTypes = []capability.CapType{
+	capability.BOUNDING,
+	capability.PERMITTED,
+	capability.INHERITABLE,
+	capability.EFFECTIVE,
+	capability.AMBIENT,
+}
+
 func TestNew(t *testing.T) {
 	cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
 	conf := configs.Capabilities{

tests/integration/capabilities.bats

@@ -116,3 +116,17 @@ function teardown() {
 	[[ "${output}" == *"CapBnd:	0000000400000021"* ]]
 	[[ "${output}" == *"CapAmb:	0000000400000001"* ]]
 }
+
+@test "runc run [ambient caps not set in inheritable result in a warning]" {
+       update_config '   .process.capabilities.inheritable = ["CAP_KILL"]
+                       | .process.capabilities.ambient = ["CAP_KILL", "CAP_CHOWN"]'
+       runc run test_amb
+       [ "$status" -eq 0 ]
+       # This should result in CAP_KILL set in ambient,
+       # and a warning about inability to set CAP_CHOWN.
+       #
+       # CAP_CHOWN is 0, the bit mask is 0x1 (1 << 0)
+       # CAP_KILL is 5, the bit mask is 0x20 (1 << 5).
+       [[ "$output" == *"can't raise ambient capability CAP_CHOWN: "* ]]
+       [[ "${output}" == *"CapAmb:	0000000000000020"* ]]
+}