Skip to content

Commit

Permalink
util: add list of capabilities
Browse files Browse the repository at this point in the history
the capsh approach doesn't work on RHEL as the version of libcap is not
updated and doesn't know all the possible capabilities available on the
system.  This is the output I get with getpcaps on RHELAH 7.4.2:

Capabilities for `1': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36+ep

Fallback to the capsh method if there will be more capabilities that we
know of, and hopefully libcap does.

Signed-off-by: Giuseppe Scrivano <[email protected]>

Closes: projectatomic#1130
Approved by: rhatdan
  • Loading branch information
giuseppe authored and eyusupov committed Mar 10, 2018
1 parent 0023634 commit 0d55f94
Showing 1 changed file with 48 additions and 7 deletions.
55 changes: 48 additions & 7 deletions Atomic/util.py
Original file line number Diff line number Diff line change
Expand Up @@ -1136,6 +1136,45 @@ def remove_skopeo_prefixes(image):
image = image.replace(remove, '')
return image

KNOWN_CAPS = ['CAP_CHOWN',
'CAP_DAC_OVERRIDE',
'CAP_DAC_READ_SEARCH',
'CAP_FOWNER',
'CAP_FSETID',
'CAP_KILL',
'CAP_SETGID',
'CAP_SETUID',
'CAP_SETPCAP',
'CAP_LINUX_IMMUTABLE',
'CAP_NET_BIND_SERVICE',
'CAP_NET_BROADCAST',
'CAP_NET_ADMIN',
'CAP_NET_RAW',
'CAP_IPC_LOCK',
'CAP_IPC_OWNER',
'CAP_SYS_MODULE',
'CAP_SYS_RAWIO',
'CAP_SYS_CHROOT',
'CAP_SYS_PTRACE',
'CAP_SYS_PACCT',
'CAP_SYS_ADMIN',
'CAP_SYS_BOOT',
'CAP_SYS_NICE',
'CAP_SYS_RESOURCE',
'CAP_SYS_TIME',
'CAP_SYS_TTY_CONFIG',
'CAP_MKNOD',
'CAP_LEASE',
'CAP_AUDIT_WRITE',
'CAP_AUDIT_CONTROL',
'CAP_SETFCAP',
'CAP_MAC_OVERRIDE',
'CAP_MAC_ADMIN',
'CAP_SYSLOG',
'CAP_WAKE_ALARM',
'CAP_BLOCK_SUSPEND',
'CAP_AUDIT_READ']

def get_all_known_process_capabilities():
"""
Get all the known process capabilities
Expand All @@ -1147,14 +1186,16 @@ def get_all_known_process_capabilities():
with open("/proc/sys/kernel/cap_last_cap", 'r') as f:
last_cap = int(f.read())

mask = hex((1 << (last_cap + 1)) - 1)

out = subprocess.check_output([CAPSH_PATH, '--decode={}'.format(mask)], stderr=DEVNULL)
if last_cap < len(KNOWN_CAPS):
caps = KNOWN_CAPS[:last_cap+1]
else:
mask = hex((1 << (last_cap + 1)) - 1)
out = subprocess.check_output([CAPSH_PATH, '--decode={}'.format(mask)], stderr=DEVNULL)

# The output looks like 0x0000003fffffffff=cap_chown,cap_dac_override,...
# so take only the part after the '='
caps = str(out.decode().split("=")[1].strip())
# The output looks like 0x0000003fffffffff=cap_chown,cap_dac_override,...
# so take only the part after the '='
caps = str(out.decode().split("=")[1].strip()).split(',')

caps_list = [i.upper() for i in caps.split(',')]
caps_list = [i.upper() for i in caps]

return [i for i in caps_list if not i[0].isdigit()]

0 comments on commit 0d55f94

Please sign in to comment.