github.com/moby/docker@v26.1.3+incompatible/oci/caps/utils_linux.go

github.com/moby/docker@v26.1.3+incompatible/oci/caps/utils_linux.go (about)

     1  package caps // import "github.com/docker/docker/oci/caps"
     2  import (
     3  	"context"
     4  	"sync"
     5  
     6  	ccaps "github.com/containerd/containerd/pkg/cap"
     7  	"github.com/containerd/log"
     8  )
     9  
    10  var initCapsOnce sync.Once
    11  
    12  func initCaps() {
    13  	initCapsOnce.Do(func() {
    14  		rawCaps := ccaps.Known()
    15  		curCaps, err := ccaps.Current()
    16  		if err != nil {
    17  			log.G(context.TODO()).WithError(err).Error("failed to get capabilities from current environment")
    18  			allCaps = rawCaps
    19  		} else {
    20  			allCaps = curCaps
    21  		}
    22  		knownCaps = make(map[string]*struct{}, len(rawCaps))
    23  		for _, capName := range rawCaps {
    24  			// For now, we assume the capability is available if we failed to
    25  			// get the capabilities from the current environment. This keeps the
    26  			// old (pre-detection) behavior, and prevents creating containers with
    27  			// no capabilities. The OCI runtime or kernel may still refuse capa-
    28  			// bilities that are not available, and produce an error in that case.
    29  			if len(curCaps) > 0 && !inSlice(curCaps, capName) {
    30  				knownCaps[capName] = nil
    31  				continue
    32  			}
    33  			knownCaps[capName] = &struct{}{}
    34  		}
    35  	})
    36  }