capabilities

package
Version: v4.2.0-rc.1
Published: Aug 13, 2024 License: BSD-3-Clause Imports: 7 Imported by: 0

Documentation

Constants

const (
	// Permitted capability string constant.
	Permitted string = "permitted"
	// Effective capability string constant.
	Effective = "effective"
	// Inheritable capability string constant.
	Inheritable = "inheritable"
	// Ambient capability string constant.
	Ambient = "ambient"
	// Bounding capability string constant.
	Bounding = "bounding"
)

Variables

var Map = map[string]*capability{
	"CAP_CHOWN":              capChown,
	"CAP_DAC_OVERRIDE":       capDacOverride,
	"CAP_DAC_READ_SEARCH":    capDacReadSearch,
	"CAP_FOWNER":             capFowner,
	"CAP_FSETID":             capFsetid,
	"CAP_KILL":               capKill,
	"CAP_SETGID":             capSetgid,
	"CAP_SETUID":             capSetuid,
	"CAP_SETPCAP":            capSetpcap,
	"CAP_LINUX_IMMUTABLE":    capLinuxImmutable,
	"CAP_NET_BIND_SERVICE":   capNetBindService,
	"CAP_NET_BROADCAST":      capNetBroadcast,
	"CAP_NET_ADMIN":          capNetAdmin,
	"CAP_NET_RAW":            capNetRaw,
	"CAP_IPC_LOCK":           capIpcLock,
	"CAP_IPC_OWNER":          capIpcOwner,
	"CAP_SYS_MODULE":         capSysModule,
	"CAP_SYS_RAWIO":          capSysRawio,
	"CAP_SYS_CHROOT":         capSysChroot,
	"CAP_SYS_PTRACE":         capSysPtrace,
	"CAP_SYS_PACCT":          capSysPacct,
	"CAP_SYS_ADMIN":          capSysAdmin,
	"CAP_SYS_BOOT":           capSysBoot,
	"CAP_SYS_NICE":           capSysNice,
	"CAP_SYS_RESOURCE":       capSysResource,
	"CAP_SYS_TIME":           capSysTime,
	"CAP_SYS_TTY_CONFIG":     capSysTtyConfig,
	"CAP_MKNOD":              capMknod,
	"CAP_LEASE":              capLease,
	"CAP_AUDIT_WRITE":        capAuditWrite,
	"CAP_AUDIT_CONTROL":      capAuditControl,
	"CAP_SETFCAP":            capSetfcap,
	"CAP_MAC_OVERRIDE":       capMacOverride,
	"CAP_MAC_ADMIN":          capMacAdmin,
	"CAP_SYSLOG":             capSyslog,
	"CAP_WAKE_ALARM":         capWakeAlarm,
	"CAP_BLOCK_SUSPEND":      capBlockSuspend,
	"CAP_AUDIT_READ":         capAuditRead,
	"CAP_PERFMON":            capPerfmon,
	"CAP_BPF":                capBPF,
	"CAP_CHECKPOINT_RESTORE": capCheckpointRestore,
}

Map maps each capability name to a struct with details about the capability.

Functions

func GetProcessBounding

func GetProcessBounding() (uint64, error)

GetProcessBounding returns bounding capabilities for the current process.

func GetProcessEffective

func GetProcessEffective() (uint64, error)

GetProcessEffective returns effective capabilities for the current process.

func GetProcessInheritable

func GetProcessInheritable() (uint64, error)

GetProcessInheritable returns inheritable capabilities for the current process.

func GetProcessPermitted

func GetProcessPermitted() (uint64, error)

GetProcessPermitted returns permitted capabilities for the current process.

func Normalize

func Normalize(capabilities []string) ([]string, []string)

Normalize takes a slice of capabilities, normalizes each entry and unwraps CAP_ALL. It returns two slices: the normalized capabilities that are valid, and the capabilities that were not recognized.

func RemoveDuplicated

func RemoveDuplicated(caps []string) []string

RemoveDuplicated removes duplicated capabilities from the provided list. It does not make a copy of the passed list.

func SetProcessEffective

func SetProcessEffective(caps uint64) (uint64, error)

SetProcessEffective sets the effective capabilities for the current process and returns the previous effective set.

func Split

func Split(caps string) ([]string, []string)

Split takes a comma-separated list of capabilities and returns a list of normalized capability names and a second list with the unrecognized capabilities.

func ToStrings

func ToStrings(c uint64) []string

ToStrings returns a list of string CAP_ values from a uint64 capability set. If a capability bit is set that is not in Map, it is ignored.

Types

type Caplist

type Caplist map[string][]string

Caplist defines a map of users or groups to their associated list of capabilities.

type Config

type Config struct {
	Users  Caplist `json:"users,omitempty"`
	Groups Caplist `json:"groups,omitempty"`
}

Config is the in-memory representation of the user/group capability authorizations as set by an admin.

func ReadFrom

func ReadFrom(r io.Reader) (*Config, error)

ReadFrom reads a capability configuration from an io.Reader and returns a capability config holding the set of authorized user/group capabilities.

func (*Config) AddGroupCaps

func (c *Config) AddGroupCaps(group string, caps []string) error

AddGroupCaps adds an authorized capability set to the given group.

func (*Config) AddUserCaps

func (c *Config) AddUserCaps(user string, caps []string) error

AddUserCaps adds an authorized capability set to the given user.

func (*Config) CheckGroupCaps

func (c *Config) CheckGroupCaps(group string, caps []string) (authorized []string, unauthorized []string)

CheckGroupCaps checks which of the provided capabilities are authorized for the group. It returns two lists: the first contains the authorized capabilities and the second contains the unauthorized ones.

func (*Config) CheckUserCaps

func (c *Config) CheckUserCaps(user string, caps []string) (authorized []string, unauthorized []string)

CheckUserCaps checks which of the provided capabilities are authorized for the user. It returns two lists: the first contains the authorized capabilities and the second contains the unauthorized ones.

func (*Config) DropGroupCaps

func (c *Config) DropGroupCaps(group string, caps []string) error

DropGroupCaps drops a set of capabilities for the given group.

func (*Config) DropUserCaps

func (c *Config) DropUserCaps(user string, caps []string) error

DropUserCaps drops a set of capabilities for the given user.

func (*Config) ListAllCaps

func (c *Config) ListAllCaps() (Caplist, Caplist)

ListAllCaps returns the capability lists for all authorized users and groups.

func (*Config) ListGroupCaps

func (c *Config) ListGroupCaps(group string) []string

ListGroupCaps returns the capability list authorized for the given group.

func (*Config) ListUserCaps

func (c *Config) ListUserCaps(user string) []string

ListUserCaps returns the capability list authorized for the given user.

func (*Config) WriteTo

func (c *Config) WriteTo(w io.Writer) (int64, error)

WriteTo writes the capability config to the provided io.Writer. If writing to the same file that was passed to ReadFrom(io.Reader), the file should be truncated and its offset reset to 0 before it is passed as the io.Writer.
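As an added illustration, not code from the capabilities package (whose import path is not shown on this page), the block below re-implements from the doc strings above the three behaviours a caller relies on: normalizing a user-supplied capability list the way Normalize and Split describe (CAP_ALL expansion, unrecognized names returned separately), decoding a uint64 set such as GetProcessEffective returns into names the way ToStrings describes, and checking a request against an admin policy in the JSON shape of Config the way CheckUserCaps describes. The exact normalization rules (trim, upper-case, add a missing CAP_ prefix, drop duplicates) and the treatment of unknown names as unauthorized are assumptions of this example, not documented guarantees of the package; the bit numbering is the kernel's, which the key order of Map mirrors. The policy JSON and the 0x3000 mask are constructed sample inputs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// capNames lists Linux capability names in kernel bit order: CAP_CHOWN is bit 0,
// CAP_CHECKPOINT_RESTORE is bit 40 (same order as the keys of the package's Map).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
	"CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
	"CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
	"CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// capBit maps each canonical name to its bit number.
var capBit = map[string]uint{}

func init() {
	for i, n := range capNames {
		capBit[n] = uint(i)
	}
}

// normalizeCaps is a stand-in for the documented Normalize (assumed rules: trim, upper-case,
// prepend "CAP_" when missing, expand CAP_ALL, drop duplicates). Known names come back first.
func normalizeCaps(caps []string) (valid, unknown []string) {
	seen := map[string]bool{}
	for _, c := range caps {
		name := strings.ToUpper(strings.TrimSpace(c))
		if !strings.HasPrefix(name, "CAP_") {
			name = "CAP_" + name
		}
		expand := []string{name}
		if name == "CAP_ALL" {
			expand = capNames
		}
		for _, n := range expand {
			if _, ok := capBit[n]; !ok {
				unknown = append(unknown, n)
			} else if !seen[n] {
				seen[n] = true
				valid = append(valid, n)
			}
		}
	}
	return valid, unknown
}

// capsToStrings decodes a uint64 capability set into names, lowest bit first; bits with
// no known name are ignored, as the doc string of ToStrings says.
func capsToStrings(set uint64) []string {
	var out []string
	for i, n := range capNames {
		if set&(1<<uint(i)) != 0 {
			out = append(out, n)
		}
	}
	return out
}

// policy mirrors the JSON shape of the package's Config type.
type policy struct {
	Users  map[string][]string `json:"users,omitempty"`
	Groups map[string][]string `json:"groups,omitempty"`
}

// checkUserCaps mirrors the documented CheckUserCaps contract. Both the admin list and the
// request are normalized so spelling differences cannot slip past the policy; unknown users
// get nothing, and unknown names land in the unauthorized list (an assumption of this example).
func (p *policy) checkUserCaps(user string, caps []string) (authorized, unauthorized []string) {
	allowed := map[string]bool{}
	granted, _ := normalizeCaps(p.Users[user])
	for _, c := range granted {
		allowed[c] = true
	}
	valid, unknown := normalizeCaps(caps)
	for _, c := range valid {
		if allowed[c] {
			authorized = append(authorized, c)
		} else {
			unauthorized = append(unauthorized, c)
		}
	}
	return authorized, append(unauthorized, unknown...)
}

func main() {
	// Constructed inputs: an admin policy in the Config JSON shape, and an effective
	// capability mask as GetProcessEffective would return it (bits 12 and 13 set).
	const policyJSON = `{"users":{"alice":["CAP_NET_ADMIN","net_raw"]},"groups":{"ops":["CAP_SYS_PTRACE"]}}`
	var p policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		panic(err)
	}
	fmt.Println("effective:", capsToStrings(0x3000)) // [CAP_NET_ADMIN CAP_NET_RAW]
	ok, denied := p.checkUserCaps("alice", []string{"net_admin", "CAP_SYS_ADMIN", "CAP_BOGUS"})
	fmt.Println("authorized:", ok, "unauthorized:", denied)
}
```

The split into authorized and unauthorized lists is what lets a launcher apply least privilege: only the first list is ever passed on to something like SetProcessEffective, and a non-empty second list is the signal to log and refuse rather than silently continue.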
