capabilities.Caps: use a map for capability-types

Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah · Mar 17, 2021 · 2bfbdb8 · 2bfbdb8
1 parent 513d89e
commit 2bfbdb8
Showing 1 changed file with 31 additions and 24 deletions.
diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go
@@ -12,7 +12,16 @@ import (
 
 const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
 
-var capabilityMap map[string]capability.Cap
+var (
+	capabilityMap map[string]capability.Cap
+	capTypes      = []capability.CapType{
+		capability.BOUNDING,
+		capability.PERMITTED,
+		capability.INHERITABLE,
+		capability.EFFECTIVE,
+		capability.AMBIENT,
+	}
+)
 
 func init() {
 	capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
@@ -24,37 +33,41 @@ func init() {
 	}
 }
 
-// New creates a new Caps from the given Capabilities config.
+// New creates a new Caps from the given Capabilities config. Unknown Capabilities
+// or Capabilities that are unavailable in the current environment produce an error.
 func New(capConfig *configs.Capabilities) (*Caps, error) {
 	var (
-		err  error
-		caps Caps
+		err error
+		c   Caps
 	)
 
-	if caps.bounding, err = capSlice(capConfig.Bounding); err != nil {
+	if c.caps[capability.BOUNDING], err = capSlice(capConfig.Bounding); err != nil {
 		return nil, err
 	}
-	if caps.effective, err = capSlice(capConfig.Effective); err != nil {
+	if c.caps[capability.EFFECTIVE], err = capSlice(capConfig.Effective); err != nil {
 		return nil, err
 	}
-	if caps.inheritable, err = capSlice(capConfig.Inheritable); err != nil {
+	if c.caps[capability.INHERITABLE], err = capSlice(capConfig.Inheritable); err != nil {
 		return nil, err
 	}
-	if caps.permitted, err = capSlice(capConfig.Permitted); err != nil {
+	if c.caps[capability.PERMITTED], err = capSlice(capConfig.Permitted); err != nil {
 		return nil, err
 	}
-	if caps.ambient, err = capSlice(capConfig.Ambient); err != nil {
+	if c.caps[capability.AMBIENT], err = capSlice(capConfig.Ambient); err != nil {
 		return nil, err
 	}
-	if caps.pid, err = capability.NewPid2(0); err != nil {
+	if c.pid, err = capability.NewPid2(0); err != nil {
 		return nil, err
 	}
-	if err = caps.pid.Load(); err != nil {
+	if err = c.pid.Load(); err != nil {
 		return nil, err
 	}
-	return &caps, nil
+	return &c, nil
 }
 
+// capSlice converts the slice of capability names in caps, to their numeric
+// equivalent, and returns them as a slice. Unknown or unavailable capabilities
+// produce an error.
 func capSlice(caps []string) ([]capability.Cap, error) {
 	out := make([]capability.Cap, len(caps))
 	for i, c := range caps {
@@ -69,28 +82,22 @@ func capSlice(caps []string) ([]capability.Cap, error) {
 
 // Caps holds the capabilities for a container.
 type Caps struct {
-	pid         capability.Capabilities
-	bounding    []capability.Cap
-	effective   []capability.Cap
-	inheritable []capability.Cap
-	permitted   []capability.Cap
-	ambient     []capability.Cap
+	pid  capability.Capabilities
+	caps map[capability.CapType][]capability.Cap
 }
 
 // ApplyBoundingSet sets the capability bounding set to those specified in the whitelist.
 func (c *Caps) ApplyBoundingSet() error {
 	c.pid.Clear(capability.BOUNDING)
-	c.pid.Set(capability.BOUNDING, c.bounding...)
+	c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...)
 	return c.pid.Apply(capability.BOUNDING)
 }
 
 // Apply sets all the capabilities for the current process in the config.
 func (c *Caps) ApplyCaps() error {
 	c.pid.Clear(allCapabilityTypes)
-	c.pid.Set(capability.BOUNDING, c.bounding...)
-	c.pid.Set(capability.PERMITTED, c.permitted...)
-	c.pid.Set(capability.INHERITABLE, c.inheritable...)
-	c.pid.Set(capability.EFFECTIVE, c.effective...)
-	c.pid.Set(capability.AMBIENT, c.ambient...)
+	for _, g := range capTypes {
+		c.pid.Set(g, c.caps[g]...)
+	}
 	return c.pid.Apply(allCapabilityTypes)
 }