From 2e22bd4e3c2df6452d6fa0f00488db65f701d64f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Rod=C3=A1k?= Date: Wed, 19 Jun 2024 16:00:40 +0200 Subject: [PATCH] Fix deprecated use of capability.NewPid (SA1019) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan Rodák --- pkg/chrootarchive/chroot_linux.go | 5 ++++- pkg/unshare/unshare_linux.go | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/pkg/chrootarchive/chroot_linux.go b/pkg/chrootarchive/chroot_linux.go index 09ef6d5de4..5b8acdaba5 100644 --- a/pkg/chrootarchive/chroot_linux.go +++ b/pkg/chrootarchive/chroot_linux.go @@ -19,10 +19,13 @@ import ( // Old root is removed after the call to pivot_root so it is no longer available under the new root. // This is similar to how libcontainer sets up a container's rootfs func chroot(path string) (err error) { - caps, err := capability.NewPid(0) + caps, err := capability.NewPid2(0) if err != nil { return err } + if err := caps.Load(); err != nil { + return err + } // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host // environment not in the chroot from untrusted files. diff --git a/pkg/unshare/unshare_linux.go b/pkg/unshare/unshare_linux.go index a8dc1ba038..58adbfb8ab 100644 --- a/pkg/unshare/unshare_linux.go +++ b/pkg/unshare/unshare_linux.go @@ -526,8 +526,11 @@ func MaybeReexecUsingUserNamespace(evenForRoot bool) { } else { // If we have CAP_SYS_ADMIN, then we don't need to create a new namespace in order to be able // to use unshare(), so don't bother creating a new user namespace at this point. - capabilities, err := capability.NewPid(0) + capabilities, err := capability.NewPid2(0) + bailOnError(err, "Initializing a new Capabilities object of pid 0") + err = capabilities.Load() bailOnError(err, "Reading the current capabilities sets") + if capabilities.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) { return }