
     1  package system
     2  
     3  import (
     4  	"fmt"
     5  	"runtime"
     6  
     7  	"github.com/syndtr/gocapability/capability"
     8  )
     9  
// init locks the initialising goroutine to its OS thread. Calling
// runtime.LockOSThread from init keeps the main goroutine on the main thread
// for the whole program run.
// NOTE(review): presumably this is done because the capability changes made
// by ProcessCapabilities.Limit are applied per OS thread, so the goroutine
// that calls Limit must not migrate — confirm against the caller.
func init() {
	runtime.LockOSThread()
}
    13  
// ProcessCapabilities restricts the Linux capability sets of one process.
type ProcessCapabilities struct {
	// Pid identifies the target process; it is passed to capability.NewPid.
	Pid int
}
    17  
// Limit reduces the bounding, effective, permitted and inheritable capability
// sets of the process identified by c.Pid to a fixed whitelist, dropping
// everything else. When extendedWhitelist is true, CAP_SYS_ADMIN is added to
// that whitelist.
//
// It returns an error, prefixed with "system:", if the current capability
// state cannot be read or the new sets cannot be applied.
//
// NOTE(review): bounding-set changes are made through prctl, which only acts
// on the calling thread; if c.Pid is ever not the current process, the
// bounding part of this call would not affect the intended target — confirm
// how callers populate Pid.
func (c ProcessCapabilities) Limit(extendedWhitelist bool) error {
	target, err := capability.NewPid(c.Pid)
	if err != nil {
		return fmt.Errorf("system: getting capabilities: %s", err)
	}

	// The baseline whitelist; everything not listed here is removed from
	// every set in `which` below.
	allowed := []capability.Cap{
		capability.CAP_CHOWN,
		capability.CAP_DAC_OVERRIDE,
		capability.CAP_FSETID,
		capability.CAP_FOWNER,
		capability.CAP_MKNOD,
		capability.CAP_NET_RAW,
		capability.CAP_SETGID,
		capability.CAP_SETUID,
		capability.CAP_SETFCAP,
		capability.CAP_SETPCAP,
		capability.CAP_NET_BIND_SERVICE,
		capability.CAP_SYS_CHROOT,
		capability.CAP_KILL,
		capability.CAP_AUDIT_WRITE,
	}
	if extendedWhitelist {
		// CAP_SYS_ADMIN is the one optional, broad capability.
		allowed = append(allowed, capability.CAP_SYS_ADMIN)
	}

	// BOUNDING plus CAPS (effective, permitted, inheritable) are all reset
	// together so the whitelist is the only thing left in any of them.
	which := capability.BOUNDING | capability.CAPS
	target.Clear(which)
	target.Set(which, allowed...)

	if err := target.Apply(which); err != nil {
		return fmt.Errorf("system: applying capabilities: %s", err)
	}
	return nil
}