Merge pull request #1088 from crosbymichael/rc2
Bump spec and version to rc2
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index 8e4d8ba..152246d 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -68,7 +68,7 @@
},
{
"ImportPath": "github.com/syndtr/gocapability/capability",
- "Rev": "2c00daeb6c3b45114c80ac44119e7b8801fdd852"
+ "Rev": "e7cb7fa329f456b3855136a2642b197bad7366ba"
},
{
"ImportPath": "github.com/vishvananda/netlink",
diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
index c13f4e5..c07c557 100644
--- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
+++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability.go
@@ -10,42 +10,42 @@
type Capabilities interface {
// Get check whether a capability present in the given
// capabilities set. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
Get(which CapType, what Cap) bool
// Empty check whether all capability bits of the given capabilities
// set are zero. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
Empty(which CapType) bool
// Full check whether all capability bits of the given capabilities
// set are one. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
Full(which CapType) bool
// Set sets capabilities of the given capabilities sets. The
// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
Set(which CapType, caps ...Cap)
// Unset unsets capabilities of the given capabilities sets. The
// 'which' value should be one or combination (OR'ed) of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE, BOUNDING or AMBIENT.
Unset(which CapType, caps ...Cap)
// Fill sets all bits of the given capabilities kind to one. The
- // 'kind' value should be one or combination (OR'ed) of CAPS or
- // BOUNDS.
+ // 'kind' value should be one or combination (OR'ed) of CAPS,
+ // BOUNDS or AMBS.
Fill(kind CapType)
// Clear sets all bits of the given capabilities kind to zero. The
- // 'kind' value should be one or combination (OR'ed) of CAPS or
- // BOUNDS.
+ // 'kind' value should be one or combination (OR'ed) of CAPS,
+ // BOUNDS or AMBS.
Clear(kind CapType)
// String return current capabilities state of the given capabilities
// set as string. The 'which' value should be one of EFFECTIVE,
- // PERMITTED, INHERITABLE or BOUNDING.
+ // PERMITTED, INHERITABLE BOUNDING or AMBIENT
StringCap(which CapType) string
// String return current capabilities state as string.
diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go
index 3dfcd39..6d2135a 100644
--- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go
+++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/capability_linux.go
@@ -235,9 +235,10 @@
}
type capsV3 struct {
- hdr capHeader
- data [2]capData
- bounds [2]uint32
+ hdr capHeader
+ data [2]capData
+ bounds [2]uint32
+ ambient [2]uint32
}
func (c *capsV3) Get(which CapType, what Cap) bool {
@@ -256,6 +257,8 @@
return (1<<uint(what))&c.data[i].inheritable != 0
case BOUNDING:
return (1<<uint(what))&c.bounds[i] != 0
+ case AMBIENT:
+ return (1<<uint(what))&c.ambient[i] != 0
}
return false
@@ -275,6 +278,9 @@
case BOUNDING:
dest[0] = c.bounds[0]
dest[1] = c.bounds[1]
+ case AMBIENT:
+ dest[0] = c.ambient[0]
+ dest[1] = c.ambient[1]
}
}
@@ -313,6 +319,9 @@
if which&BOUNDING != 0 {
c.bounds[i] |= 1 << uint(what)
}
+ if which&AMBIENT != 0 {
+ c.ambient[i] |= 1 << uint(what)
+ }
}
}
@@ -336,6 +345,9 @@
if which&BOUNDING != 0 {
c.bounds[i] &= ^(1 << uint(what))
}
+ if which&AMBIENT != 0 {
+ c.ambient[i] &= ^(1 << uint(what))
+ }
}
}
@@ -353,6 +365,10 @@
c.bounds[0] = 0xffffffff
c.bounds[1] = 0xffffffff
}
+ if kind&AMBS == AMBS {
+ c.ambient[0] = 0xffffffff
+ c.ambient[1] = 0xffffffff
+ }
}
func (c *capsV3) Clear(kind CapType) {
@@ -369,6 +385,10 @@
c.bounds[0] = 0
c.bounds[1] = 0
}
+ if kind&AMBS == AMBS {
+ c.ambient[0] = 0
+ c.ambient[1] = 0
+ }
}
func (c *capsV3) StringCap(which CapType) (ret string) {
@@ -410,6 +430,10 @@
fmt.Sscanf(line[4:], "nd: %08x%08x", &c.bounds[1], &c.bounds[0])
break
}
+ if strings.HasPrefix(line, "CapA") {
+ fmt.Sscanf(line[4:], "mb: %08x%08x", &c.ambient[1], &c.ambient[0])
+ break
+ }
}
f.Close()
@@ -442,7 +466,25 @@
}
if kind&CAPS == CAPS {
- return capset(&c.hdr, &c.data[0])
+ err = capset(&c.hdr, &c.data[0])
+ if err != nil {
+ return
+ }
+ }
+
+ if kind&AMBS == AMBS {
+ for i := Cap(0); i <= CAP_LAST_CAP; i++ {
+ action := pr_CAP_AMBIENT_LOWER
+ if c.Get(AMBIENT, i) {
+ action = pr_CAP_AMBIENT_RAISE
+ }
+ err := prctl(pr_CAP_AMBIENT, action, uintptr(i), 0, 0)
+ // Ignore EINVAL as not supported on kernels before 4.3
+ if errno, ok := err.(syscall.Errno); ok && errno == syscall.EINVAL {
+ err = nil
+ continue
+ }
+ }
}
return
diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go
index fd0ce7f..6938173 100644
--- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go
+++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/enum.go
@@ -20,6 +20,8 @@
return "bounding"
case CAPS:
return "caps"
+ case AMBIENT:
+ return "ambient"
}
return "unknown"
}
@@ -29,9 +31,11 @@
PERMITTED
INHERITABLE
BOUNDING
+ AMBIENT
CAPS = EFFECTIVE | PERMITTED | INHERITABLE
BOUNDS = BOUNDING
+ AMBS = AMBIENT
)
//go:generate go run enumgen/gen.go
diff --git a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go
index dd6f454..eb71700 100644
--- a/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go
+++ b/Godeps/_workspace/src/github.com/syndtr/gocapability/capability/syscall_linux.go
@@ -38,6 +38,15 @@
return
}
+// not yet in syscall
+const (
+ pr_CAP_AMBIENT = 47
+ pr_CAP_AMBIENT_IS_SET = uintptr(1)
+ pr_CAP_AMBIENT_RAISE = uintptr(2)
+ pr_CAP_AMBIENT_LOWER = uintptr(3)
+ pr_CAP_AMBIENT_CLEAR_ALL = uintptr(4)
+)
+
func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
if e1 != 0 {
diff --git a/libcontainer/capabilities_linux.go b/libcontainer/capabilities_linux.go
index 4eda56d..48338a1 100644
--- a/libcontainer/capabilities_linux.go
+++ b/libcontainer/capabilities_linux.go
@@ -10,7 +10,7 @@
"github.com/syndtr/gocapability/capability"
)
-const allCapabilityTypes = capability.CAPS | capability.BOUNDS
+const allCapabilityTypes = capability.CAPS | capability.BOUNDS | capability.AMBS
var capabilityMap map[string]capability.Cap
