github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #3137 from Random-Liu/fix-race-and-panic

Browse Source 
Fix capability option race and panic.
This commit is contained in:
Michael Crosby 2019-03-28 11:43:28 -04:00 committed by GitHub
commit f2a20ead83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
oci/spec_opts.go
View File

@ -741,7 +741,9 @@ func WithCapabilities(caps []string) SpecOpts {
} }
// WithAllCapabilities sets all linux capabilities for the process // WithAllCapabilities sets all linux capabilities for the process
var WithAllCapabilities = WithCapabilities(GetAllCapabilities()) var WithAllCapabilities = func(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
return WithCapabilities(GetAllCapabilities())(ctx, client, c, s)
}
// GetAllCapabilities returns all caps up to CAP_LAST_CAP // GetAllCapabilities returns all caps up to CAP_LAST_CAP
// or CAP_BLOCK_SUSPEND on RHEL6 // or CAP_BLOCK_SUSPEND on RHEL6
@ -771,12 +773,14 @@ func capsContain(caps []string, s string) bool {
} }
func removeCap(caps *[]string, s string) { func removeCap(caps *[]string, s string) {
for i, c := range *caps { var newcaps []string
for _, c := range *caps {
if c == s { if c == s {
*caps = append((*caps)[:i], (*caps)[i+1:]...) continue
return
} }
newcaps = append(newcaps, c)
} }
*caps = newcaps
} }
// WithAddedCapabilities adds the provided capabilities // WithAddedCapabilities adds the provided capabilities

54
oci/spec_opts_test.go
View File

@ -166,25 +166,25 @@ func TestWithEnv(t *testing.T) {
Env: []string{"DEFAULT=test"}, Env: []string{"DEFAULT=test"},
} }
WithEnv([]string{"env=1"})(nil, nil, nil, &s) WithEnv([]string{"env=1"})(context.Background(), nil, nil, &s)
if len(s.Process.Env) != 2 { if len(s.Process.Env) != 2 {
t.Fatal("didn't append") t.Fatal("didn't append")
} }
WithEnv([]string{"env2=1"})(nil, nil, nil, &s) WithEnv([]string{"env2=1"})(context.Background(), nil, nil, &s)
if len(s.Process.Env) != 3 { if len(s.Process.Env) != 3 {
t.Fatal("didn't append") t.Fatal("didn't append")
} }
WithEnv([]string{"env2=2"})(nil, nil, nil, &s) WithEnv([]string{"env2=2"})(context.Background(), nil, nil, &s)
if s.Process.Env[2] != "env2=2" { if s.Process.Env[2] != "env2=2" {
t.Fatal("couldn't update") t.Fatal("couldn't update")
} }
WithEnv([]string{"env2"})(nil, nil, nil, &s) WithEnv([]string{"env2"})(context.Background(), nil, nil, &s)
if len(s.Process.Env) != 2 { if len(s.Process.Env) != 2 {
t.Fatal("couldn't unset") t.Fatal("couldn't unset")
@ -428,7 +428,7 @@ func TestAddCaps(t *testing.T) {
var s specs.Spec var s specs.Spec
if err := WithAddedCapabilities([]string{"CAP_CHOWN"})(nil, nil, nil, &s); err != nil { if err := WithAddedCapabilities([]string{"CAP_CHOWN"})(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err) t.Fatal(err)
} }
for i, cl := range [][]string{ for i, cl := range [][]string{
@ -448,10 +448,10 @@ func TestDropCaps(t *testing.T) {
var s specs.Spec var s specs.Spec
if err := WithAllCapabilities(nil, nil, nil, &s); err != nil { if err := WithAllCapabilities(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err) t.Fatal(err)
} }
if err := WithDroppedCapabilities([]string{"CAP_CHOWN"})(nil, nil, nil, &s); err != nil { if err := WithDroppedCapabilities([]string{"CAP_CHOWN"})(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -465,4 +465,44 @@ func TestDropCaps(t *testing.T) {
t.Errorf("cap list %d contains dropped cap", i) t.Errorf("cap list %d contains dropped cap", i)
} }
} }
// Add all capabilities back and drop a different cap.
if err := WithAllCapabilities(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err)
}
if err := WithDroppedCapabilities([]string{"CAP_FOWNER"})(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err)
}
for i, cl := range [][]string{
s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} {
if capsContain(cl, "CAP_FOWNER") {
t.Errorf("cap list %d contains dropped cap", i)
}
if !capsContain(cl, "CAP_CHOWN") {
t.Errorf("cap list %d doesn't contain non-dropped cap", i)
}
}
// Drop all duplicated caps.
if err := WithCapabilities([]string{"CAP_CHOWN", "CAP_CHOWN"})(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err)
}
if err := WithDroppedCapabilities([]string{"CAP_CHOWN"})(context.Background(), nil, nil, &s); err != nil {
t.Fatal(err)
}
for i, cl := range [][]string{
s.Process.Capabilities.Bounding,
s.Process.Capabilities.Effective,
s.Process.Capabilities.Permitted,
s.Process.Capabilities.Inheritable,
} {
if len(cl) != 0 {
t.Errorf("cap list %d is not empty", i)
}
}
} }