dstack/runner/internal/linux/capabilities/capabilities_linux.go at 4e620fb0ebd4f189cfb52576165a896116ad869b · dstackai/dstack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
//go:build linux

package capabilities

import (
	"strings"

	"kernel.org/pub/linux/libs/security/libcap/cap"
)

type Capability cap.Value

const (
	SETUID       = Capability(cap.SETUID)
	SETGID       = Capability(cap.SETGID)
	CHOWN        = Capability(cap.CHOWN)
	SYS_RESOURCE = Capability(cap.SYS_RESOURCE)
)

// String returns a text representation of the capability in the form used by container folks:
// UPPER_CASE, no CAP_ prefix: cap_sys_admin -> SYS_ADMIN
func (c Capability) String() string {
	return strings.ToUpper(cap.Value(c).String()[4:])
}

// Has returns true if the current process has the specified capability in its effective set
func Has(c Capability) (bool, error) {
	set, err := cap.GetPID(0)
	if err != nil {
		return false, err
	}
	return set.GetFlag(cap.Effective, cap.Value(c))
}

// Check checks and returns those capabilities that are _missing_ from the effective set
// of the current process
func Check(cs ...Capability) (missing []Capability, err error) {
	set, err := cap.GetPID(0)
	if err != nil {
		return nil, err
	}
	for _, c := range cs {
		ok, err := set.GetFlag(cap.Effective, cap.Value(c))
		if err != nil {
			return nil, err
		}
		if !ok {
			missing = append(missing, c)
		}
	}
	return missing, nil
}