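// Package inspector holds the capability probes and the capability-set
// printer used by the capcheck integration helper. Each Probe* function
// exercises one privileged operation and reports the outcome on stdout;
// a non-nil return means the operation was refused (or could not be set up).
package inspector

import (
	"fmt"
	"io/ioutil"
	"net"
	"os"
	"path/filepath"
	"syscall"

	"github.com/syndtr/gocapability/capability"
)

// ProbeCAP_SYS_ADMIN checks for CAP_SYS_ADMIN by bind-mounting a private
// temporary directory onto itself and unmounting it again. The mount(2)
// call with MS_BIND is the actual probe; it is refused without
// CAP_SYS_ADMIN in the caller's user namespace. The temporary directory is
// removed before returning. It returns the error from TempDir or from the
// mount; a failed unmount is reported but does not change the verdict,
// since the capability was already demonstrated by the successful mount.
func ProbeCAP_SYS_ADMIN() error {
	dirName, err := ioutil.TempDir("", "capability-utility")
	if err != nil {
		printMsg("CAP_SYS_ADMIN", "Failed to create a directory: %s", err)
		return err
	}
	defer os.RemoveAll(dirName)

	if err := syscall.Mount(dirName, dirName, "", uintptr(syscall.MS_BIND), ""); err != nil {
		printMsg("CAP_SYS_ADMIN", "Failed to create a bind mount: %s", err)
		return err
	}
	printMsg("CAP_SYS_ADMIN", "Create bind mount succeeded")

	// Previously the unmount result was discarded. A leftover bind mount
	// keeps the deferred RemoveAll from cleaning up, so at least say so.
	if err := syscall.Unmount(dirName, 0); err != nil {
		printMsg("CAP_SYS_ADMIN", "Failed to remove the bind mount: %s", err)
	}
	return nil
}

// ProbeCAP_NET_BIND_SERVICE checks for CAP_NET_BIND_SERVICE by briefly
// listening on TCP port 21 (a privileged, below-1024 port) on all
// interfaces and closing the listener straight away. Any listen failure is
// treated as a negative result, so a port that is already in use (for
// example a running FTP daemon) reports the same way as a missing
// capability; the printed error text tells the two cases apart.
func ProbeCAP_NET_BIND_SERVICE() error {
	ln, err := net.Listen("tcp", ":21")
	if err != nil {
		printMsg("CAP_NET_BIND_SERVICE", "Failed to create listener: %s", err)
		return err
	}
	ln.Close()
	printMsg("CAP_NET_BIND_SERVICE", "Create listener succeeded")
	return nil
}

// ProbeCAP_MKNOD checks for CAP_MKNOD by creating a block device node inside
// a private temporary directory. The node is created with mknod(2) directly
// instead of by running the mknod binary: the result then reflects the
// capability alone, not whether a suitable binary is on PATH (a missing
// binary used to read as a missing capability, and a privileged helper
// should not resolve executables through PATH when it does not have to).
// The temporary directory, and the node with it, are removed on return.
func ProbeCAP_MKNOD() error {
	dirName, err := ioutil.TempDir("", "CAP_MKNOD")
	if err != nil {
		printMsg("CAP_MKNOD", "Failed to create a directory: %s", err)
		// Previously this fell through and created the node relative to the
		// working directory; a failed setup must not run the probe.
		return err
	}
	defer os.RemoveAll(dirName)

	// Device numbers kept from the former `mknod <dir>/node b 0777 200`
	// invocation (0777 is octal here as it was there). Any block device
	// would serve; the node only lives until the deferred cleanup.
	const probeMajor, probeMinor = 0777, 200
	nodePath := filepath.Join(dirName, "node")
	if err := syscall.Mknod(nodePath, syscall.S_IFBLK|0777, mkdev(probeMajor, probeMinor)); err != nil {
		printMsg("CAP_MKNOD", "Failed to make a node: %s", err)
		return err
	}
	printMsg("CAP_MKNOD", "Make node succeeded")
	return nil
}

// mkdev packs a major and minor device number into a Linux dev_t value, the
// same way glibc's makedev(3) does, for use with syscall.Mknod.
func mkdev(major, minor uint32) int {
	dev := (uint64(major) & 0x00000fff) << 8
	dev |= (uint64(major) & 0xfffff000) << 32
	dev |= uint64(minor) & 0x000000ff
	dev |= (uint64(minor) & 0xffffff00) << 12
	return int(dev)
}

// PrintCaps prints one row per capability of interest showing its presence
// in each capability set of the calling process. Labels are padded to the
// width of CAP_NET_BIND_SERVICE so the columns line up.
func PrintCaps() {
	PrintCap("CAP_DAC_OVERRIDE    ", capability.CAP_DAC_OVERRIDE)
	PrintCap("CAP_FSETID          ", capability.CAP_FSETID)
	PrintCap("CAP_FOWNER          ", capability.CAP_FOWNER)
	PrintCap("CAP_MKNOD           ", capability.CAP_MKNOD)
	PrintCap("CAP_NET_RAW         ", capability.CAP_NET_RAW)
	PrintCap("CAP_SETGID          ", capability.CAP_SETGID)
	PrintCap("CAP_SETUID          ", capability.CAP_SETUID)
	PrintCap("CAP_CHOWN           ", capability.CAP_CHOWN)
	PrintCap("CAP_SETFCAP         ", capability.CAP_SETFCAP)
	PrintCap("CAP_SETPCAP         ", capability.CAP_SETPCAP)
	PrintCap("CAP_NET_BIND_SERVICE", capability.CAP_NET_BIND_SERVICE)
	PrintCap("CAP_SYS_CHROOT      ", capability.CAP_SYS_CHROOT)
	PrintCap("CAP_KILL            ", capability.CAP_KILL)
	PrintCap("CAP_AUDIT_WRITE     ", capability.CAP_AUDIT_WRITE)
}

// PrintCap prints whether cap is present in the bounding, permitted,
// effective and inheritable sets of the calling process (capability.NewPid
// with pid 0 addresses the current process, as capget(2) does). capName is
// printed verbatim as the row label. It panics if the capability sets cannot
// be read; for a diagnostic helper that is preferable to printing a row that
// silently reports every set as absent.
func PrintCap(capName string, cap capability.Cap) {
	caps, err := capability.NewPid(0)
	if err != nil {
		panic(err)
	}

	fmt.Printf("%s bounding=%t, permitted=%t, effective=%t, inheritable=%t\n",
		capName,
		caps.Get(capability.BOUNDING, cap),
		caps.Get(capability.PERMITTED, cap),
		caps.Get(capability.EFFECTIVE, cap),
		caps.Get(capability.INHERITABLE, cap))
}

// target returns the supplied non-root uid/gid pair when the current process
// runs as root, and root (0, 0) otherwise — presumably the identity a probe
// is expected to switch to; its callers are outside this file.
func target(nonRootUid, nonRootGid int) (int, int) {
	if os.Getuid() == 0 {
		return nonRootUid, nonRootGid
	}
	return 0, 0
}

// printMsg writes one line of the form "<tag>: <message>" to stdout, where
// the message is msg formatted with args as fmt.Sprintf would.
func printMsg(tag, msg string, args ...interface{}) {
	fmt.Printf("%s: %s\n", tag, fmt.Sprintf(msg, args...))
}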