summaryrefslogtreecommitdiff
path: root/vendor/github.com/projectatomic/buildah/util
diff options
context:
space:
mode:
authorTomSweeneyRedHat <tsweeney@redhat.com>2018-06-19 10:03:34 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-06-22 14:55:32 +0000
commit89af35175d97cf90e7336d3c817612fafc68dbdb (patch)
tree7468b588dfc47b0e9f173c6b273c732514eb6821 /vendor/github.com/projectatomic/buildah/util
parent82a948c04ec068acb9f0d47dc0f9e3bd05b4c90c (diff)
downloadpodman-89af35175d97cf90e7336d3c817612fafc68dbdb.tar.gz
podman-89af35175d97cf90e7336d3c817612fafc68dbdb.tar.bz2
podman-89af35175d97cf90e7336d3c817612fafc68dbdb.zip
Add cap-add and cap-drop to build man page
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> Closes: #968 Approved by: mheon
Diffstat (limited to 'vendor/github.com/projectatomic/buildah/util')
-rw-r--r--vendor/github.com/projectatomic/buildah/util/types.go20
-rw-r--r--vendor/github.com/projectatomic/buildah/util/util.go185
2 files changed, 205 insertions, 0 deletions
diff --git a/vendor/github.com/projectatomic/buildah/util/types.go b/vendor/github.com/projectatomic/buildah/util/types.go
index bce419c02..974b707fb 100644
--- a/vendor/github.com/projectatomic/buildah/util/types.go
+++ b/vendor/github.com/projectatomic/buildah/util/types.go
@@ -8,3 +8,23 @@ const (
// DefaultCNIConfigDir is the default location of CNI configuration files.
DefaultCNIConfigDir = "/etc/cni/net.d"
)
+
+var (
+ // DefaultCapabilities is the list of capabilities which we grant by
+ // default to containers which are running under UID 0.
+ DefaultCapabilities = []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_MKNOD",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SETFCAP",
+ "CAP_SETGID",
+ "CAP_SETPCAP",
+ "CAP_SETUID",
+ "CAP_SYS_CHROOT",
+ }
+)
diff --git a/vendor/github.com/projectatomic/buildah/util/util.go b/vendor/github.com/projectatomic/buildah/util/util.go
index 8ac9f8a6c..61705867d 100644
--- a/vendor/github.com/projectatomic/buildah/util/util.go
+++ b/vendor/github.com/projectatomic/buildah/util/util.go
@@ -1,11 +1,13 @@
package util
import (
+ "bufio"
"fmt"
"io"
"net/url"
"os"
"path"
+ "strconv"
"strings"
"github.com/containers/image/directory"
@@ -17,7 +19,9 @@ import (
"github.com/containers/image/tarball"
"github.com/containers/image/types"
"github.com/containers/storage"
+ "github.com/containers/storage/pkg/idtools"
"github.com/docker/distribution/registry/api/errcode"
+ "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
@@ -243,3 +247,184 @@ func Runtime() string {
}
return DefaultRuntime
}
+
+// StringInSlice returns a boolean indicating if the exact value s is present
+// in the slice slice.
+func StringInSlice(s string, slice []string) bool {
+ for _, v := range slice {
+ if v == s {
+ return true
+ }
+ }
+ return false
+}
+
+// GetHostIDs uses ID mappings to compute the host-level IDs that will
+// correspond to a UID/GID pair in the container.
+func GetHostIDs(uidmap, gidmap []specs.LinuxIDMapping, uid, gid uint32) (uint32, uint32, error) {
+ uidMapped := true
+ for _, m := range uidmap {
+ uidMapped = false
+ if uid >= m.ContainerID && uid < m.ContainerID+m.Size {
+ uid = (uid - m.ContainerID) + m.HostID
+ uidMapped = true
+ break
+ }
+ }
+ if !uidMapped {
+ return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map UID %d", uid)
+ }
+ gidMapped := true
+ for _, m := range gidmap {
+ gidMapped = false
+ if gid >= m.ContainerID && gid < m.ContainerID+m.Size {
+ gid = (gid - m.ContainerID) + m.HostID
+ gidMapped = true
+ break
+ }
+ }
+ if !gidMapped {
+ return 0, 0, errors.Errorf("container uses ID mappings, but doesn't map GID %d", gid)
+ }
+ return uid, gid, nil
+}
+
+// GetHostRootIDs uses ID mappings in spec to compute the host-level IDs that will
+// correspond to UID/GID 0/0 in the container.
+func GetHostRootIDs(spec *specs.Spec) (uint32, uint32, error) {
+ if spec.Linux == nil {
+ return 0, 0, nil
+ }
+ return GetHostIDs(spec.Linux.UIDMappings, spec.Linux.GIDMappings, 0, 0)
+}
+
+// getHostIDMappings reads mappings from the named node under /proc.
+func getHostIDMappings(path string) ([]specs.LinuxIDMapping, error) {
+ var mappings []specs.LinuxIDMapping
+ f, err := os.Open(path)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error reading ID mappings from %q", path)
+ }
+ defer f.Close()
+ scanner := bufio.NewScanner(f)
+ for scanner.Scan() {
+ line := scanner.Text()
+ fields := strings.Fields(line)
+ if len(fields) != 3 {
+ return nil, errors.Errorf("line %q from %q has %d fields, not 3", line, path, len(fields))
+ }
+ cid, err := strconv.ParseUint(fields[0], 10, 32)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing container ID value %q from line %q in %q", fields[0], line, path)
+ }
+ hid, err := strconv.ParseUint(fields[1], 10, 32)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing host ID value %q from line %q in %q", fields[1], line, path)
+ }
+ size, err := strconv.ParseUint(fields[2], 10, 32)
+ if err != nil {
+ return nil, errors.Wrapf(err, "error parsing size value %q from line %q in %q", fields[2], line, path)
+ }
+ mappings = append(mappings, specs.LinuxIDMapping{ContainerID: uint32(cid), HostID: uint32(hid), Size: uint32(size)})
+ }
+ return mappings, nil
+}
+
+// GetHostIDMappings reads mappings for the current process from the kernel.
+func GetHostIDMappings(pid string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
+ if pid == "" {
+ pid = "self"
+ }
+ uidmap, err := getHostIDMappings(fmt.Sprintf("/proc/%s/uid_map", pid))
+ if err != nil {
+ return nil, nil, err
+ }
+ gidmap, err := getHostIDMappings(fmt.Sprintf("/proc/%s/gid_map", pid))
+ if err != nil {
+ return nil, nil, err
+ }
+ return uidmap, gidmap, nil
+}
+
+// GetSubIDMappings reads mappings from /etc/subuid and /etc/subgid.
+func GetSubIDMappings(user, group string) ([]specs.LinuxIDMapping, []specs.LinuxIDMapping, error) {
+ mappings, err := idtools.NewIDMappings(user, group)
+ if err != nil {
+ return nil, nil, errors.Wrapf(err, "error reading subuid mappings for user %q and subgid mappings for group %q", user, group)
+ }
+ var uidmap, gidmap []specs.LinuxIDMapping
+ for _, m := range mappings.UIDs() {
+ uidmap = append(uidmap, specs.LinuxIDMapping{
+ ContainerID: uint32(m.ContainerID),
+ HostID: uint32(m.HostID),
+ Size: uint32(m.Size),
+ })
+ }
+ for _, m := range mappings.GIDs() {
+ gidmap = append(gidmap, specs.LinuxIDMapping{
+ ContainerID: uint32(m.ContainerID),
+ HostID: uint32(m.HostID),
+ Size: uint32(m.Size),
+ })
+ }
+ return uidmap, gidmap, nil
+}
+
+// ParseIDMappings parses mapping triples.
+func ParseIDMappings(uidmap, gidmap []string) ([]idtools.IDMap, []idtools.IDMap, error) {
+ nonDigitsToWhitespace := func(r rune) rune {
+ if strings.IndexRune("0123456789", r) == -1 {
+ return ' '
+ } else {
+ return r
+ }
+ }
+ parseTriple := func(spec []string) (container, host, size uint32, err error) {
+ cid, err := strconv.ParseUint(spec[0], 10, 32)
+ if err != nil {
+ return 0, 0, 0, fmt.Errorf("error parsing id map value %q: %v", spec[0], err)
+ }
+ hid, err := strconv.ParseUint(spec[1], 10, 32)
+ if err != nil {
+ return 0, 0, 0, fmt.Errorf("error parsing id map value %q: %v", spec[1], err)
+ }
+ sz, err := strconv.ParseUint(spec[2], 10, 32)
+ if err != nil {
+ return 0, 0, 0, fmt.Errorf("error parsing id map value %q: %v", spec[2], err)
+ }
+ return uint32(cid), uint32(hid), uint32(sz), nil
+ }
+ parseIDMap := func(mapSpec []string, mapSetting string) (idmap []idtools.IDMap, err error) {
+ for _, idMapSpec := range mapSpec {
+ idSpec := strings.Fields(strings.Map(nonDigitsToWhitespace, idMapSpec))
+ if len(idSpec)%3 != 0 {
+ return nil, errors.Errorf("error initializing ID mappings: %s setting is malformed", mapSetting)
+ }
+ for i := range idSpec {
+ if i%3 != 0 {
+ continue
+ }
+ cid, hid, size, err := parseTriple(idSpec[i : i+3])
+ if err != nil {
+ return nil, errors.Errorf("error initializing ID mappings: %s setting is malformed", mapSetting)
+ }
+ mapping := idtools.IDMap{
+ ContainerID: int(cid),
+ HostID: int(hid),
+ Size: int(size),
+ }
+ idmap = append(idmap, mapping)
+ }
+ }
+ return idmap, nil
+ }
+ uid, err := parseIDMap(uidmap, "userns-uid-map")
+ if err != nil {
+ return nil, nil, err
+ }
+ gid, err := parseIDMap(gidmap, "userns-gid-map")
+ if err != nil {
+ return nil, nil, err
+ }
+ return uid, gid, nil
+}