WiP: validate: prevent generate gojsonschema dependency.

Split out the capabilty validation functions LastCap() and CapValid() from validate to validate/capabilities. This prevents gojsonschema (which is regarded by some as a package with questionable quality) from sneaking in to the dependencies of generate.Generator. Signed-off-by: Krisztian Litkey <[email protected]>
klihub · Sep 7, 2022 · 47e9562 · 47e9562
1 parent 17b3287
commit 47e9562
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 41 deletions.
diff --git a/generate/generate.go b/generate/generate.go
@@ -10,7 +10,7 @@ import (
 
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
-	"github.com/opencontainers/runtime-tools/validate"
+	osCaps "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/syndtr/gocapability/capability"
 )
 
@@ -1140,7 +1140,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > validate.LastCap() {
+			if g.HostSpecific && cap > osCaps.LastCap() {
 				continue
 			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
@@ -1174,7 +1174,7 @@ func (g *Generator) ClearProcessCapabilities() {
 // AddProcessCapability adds a process capability into all 5 capability sets.
 func (g *Generator) AddProcessCapability(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1237,7 +1237,7 @@ func (g *Generator) AddProcessCapability(c string) error {
 // AddProcessCapabilityAmbient adds a process capability into g.Config.Process.Capabilities.Ambient.
 func (g *Generator) AddProcessCapabilityAmbient(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1261,7 +1261,7 @@ func (g *Generator) AddProcessCapabilityAmbient(c string) error {
 // AddProcessCapabilityBounding adds a process capability into g.Config.Process.Capabilities.Bounding.
 func (g *Generator) AddProcessCapabilityBounding(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1284,7 +1284,7 @@ func (g *Generator) AddProcessCapabilityBounding(c string) error {
 // AddProcessCapabilityEffective adds a process capability into g.Config.Process.Capabilities.Effective.
 func (g *Generator) AddProcessCapabilityEffective(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1307,7 +1307,7 @@ func (g *Generator) AddProcessCapabilityEffective(c string) error {
 // AddProcessCapabilityInheritable adds a process capability into g.Config.Process.Capabilities.Inheritable.
 func (g *Generator) AddProcessCapabilityInheritable(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1330,7 +1330,7 @@ func (g *Generator) AddProcessCapabilityInheritable(c string) error {
 // AddProcessCapabilityPermitted adds a process capability into g.Config.Process.Capabilities.Permitted.
 func (g *Generator) AddProcessCapabilityPermitted(c string) error {
 	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
+	if err := osCaps.CapValid(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
@@ -1383,7 +1383,7 @@ func (g *Generator) DropProcessCapability(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 // DropProcessCapabilityAmbient drops a process capability from g.Config.Process.Capabilities.Ambient.
@@ -1399,7 +1399,7 @@ func (g *Generator) DropProcessCapabilityAmbient(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 // DropProcessCapabilityBounding drops a process capability from g.Config.Process.Capabilities.Bounding.
@@ -1415,7 +1415,7 @@ func (g *Generator) DropProcessCapabilityBounding(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 // DropProcessCapabilityEffective drops a process capability from g.Config.Process.Capabilities.Effective.
@@ -1431,7 +1431,7 @@ func (g *Generator) DropProcessCapabilityEffective(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 // DropProcessCapabilityInheritable drops a process capability from g.Config.Process.Capabilities.Inheritable.
@@ -1447,7 +1447,7 @@ func (g *Generator) DropProcessCapabilityInheritable(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 // DropProcessCapabilityPermitted drops a process capability from g.Config.Process.Capabilities.Permitted.
@@ -1463,7 +1463,7 @@ func (g *Generator) DropProcessCapabilityPermitted(c string) error {
 		}
 	}
 
-	return validate.CapValid(cp, false)
+	return osCaps.CapValid(cp, false)
 }
 
 func mapStrToNamespace(ns string, path string) (rspec.LinuxNamespace, error) {

diff --git a/validate/capabilities/validate.go b/validate/capabilities/validate.go
@@ -0,0 +1,31 @@
+package capabilities
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/syndtr/gocapability/capability"
+)
+
+// CapValid checks whether a capability is valid
+func CapValid(c string, hostSpecific bool) error {
+	isValid := false
+
+	if !strings.HasPrefix(c, "CAP_") {
+		return fmt.Errorf("capability %s must start with CAP_", c)
+	}
+	for _, cap := range capability.List() {
+		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
+			if hostSpecific && cap > LastCap() {
+				return fmt.Errorf("%s is not supported on the current host", c)
+			}
+			isValid = true
+			break
+		}
+	}
+
+	if !isValid {
+		return fmt.Errorf("invalid capability: %s", c)
+	}
+	return nil
+}
diff --git a/validate/capabilities/validate_linux.go b/validate/capabilities/validate_linux.go
@@ -0,0 +1,19 @@
+//go:build linux
+// +build linux
+
+package capabilities
+
+import (
+	"github.com/syndtr/gocapability/capability"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+
+	return last
+}
diff --git a/validate/capabilities/validate_unsupported.go b/validate/capabilities/validate_unsupported.go
@@ -0,0 +1,13 @@
+//go:build !linux
+// +build !linux
+
+package validate
+
+import (
+	"github.com/syndtr/gocapability/capability"
+)
+
+// LastCap return last cap of system
+func LastCap() capability.Cap {
+	return capability.Cap(-1)
+}
diff --git a/validate/validate.go b/validate/validate.go
@@ -20,8 +20,8 @@ import (
 	"github.com/hashicorp/go-multierror"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
+	osCaps "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 
 	"github.com/opencontainers/runtime-tools/specerror"
 	"github.com/xeipuuv/gojsonschema"
@@ -688,25 +688,7 @@ func (v *Validator) CheckAnnotations() (errs error) {
 
 // CapValid checks whether a capability is valid
 func CapValid(c string, hostSpecific bool) error {
-	isValid := false
-
-	if !strings.HasPrefix(c, "CAP_") {
-		return fmt.Errorf("capability %s must start with CAP_", c)
-	}
-	for _, cap := range capability.List() {
-		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
-				return fmt.Errorf("%s is not supported on the current host", c)
-			}
-			isValid = true
-			break
-		}
-	}
-
-	if !isValid {
-		return fmt.Errorf("invalid capability: %s", c)
-	}
-	return nil
+	return osCaps.CapValid(c, hostSpecific)
 }
 
 func envValid(env string) bool {

diff --git a/validate/validate_linux.go b/validate/validate_linux.go
@@ -17,19 +17,14 @@ import (
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	osFilepath "github.com/opencontainers/runtime-tools/filepath"
 	"github.com/opencontainers/runtime-tools/specerror"
+	osCaps "github.com/opencontainers/runtime-tools/validate/capabilities"
 	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
 // LastCap return last cap of system
 func LastCap() capability.Cap {
-	last := capability.CAP_LAST_CAP
-	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
-	if last == capability.Cap(63) {
-		last = capability.CAP_BLOCK_SUSPEND
-	}
-
-	return last
+	return osCaps.LastCap()
 }
 
 func deviceValid(d rspec.LinuxDevice) bool {