caps

Documentation

Overview

Package caps implements a subset of Linux capabilities handling relevant in the context of authoring container images.

Index

• func XattrBytes(permitted, inheritable Mask, flags Flags) ([]byte, error)
• type FileCaps
  • func NewFileCaps(terms ...string) (*FileCaps, error)
  • func (fc *FileCaps) ToXattrBytes() ([]byte, error)
• type Flags
• type Mask
  • func Parse(s string) (Mask, error)

Functions

func XattrBytes

func XattrBytes(permitted, inheritable Mask, flags Flags) ([]byte, error)

XattrBytes encodes capabilities in the format of security.capability extended filesystem attribute. This is how Linux tracks file capabilities internally.

Types

type FileCaps

type FileCaps struct {
	// contains filtered or unexported fields
}

FileCaps encodes Linux file capabilities

func NewFileCaps

func NewFileCaps(terms ...string) (*FileCaps, error)

NewFileCaps produces file capabilities object from a list of string terms. A term is either a single capability name (added as permitted) or a cap_from_text(3) clause.

func (*FileCaps) ToXattrBytes

func (fc *FileCaps) ToXattrBytes() ([]byte, error)

ToXattrBytes encodes capabilities in the format of security.capability extended filesystem attribute.

type Flags

type Flags uint32

Flags alter certain aspects of capabilities handling

const (
	// FlagEffective causes all of the new permitted capabilities to be
	// also raised in the effective set diring execve(2)
	FlagEffective Flags = 1
)

type Mask

type Mask uint64

Mask captures a set of Linux capabilities

func Parse

func Parse(s string) (Mask, error)

Parse text representation of a single Linux capability.

It accepts all variations recognized by Docker's --cap-add, such as 'chown', 'cap_chown', and 'CHOWN'. Additionally, we allow numeric values, e.g. '42' to support future capabilities that are not yet known to us.