generate: remove validate dependency

cyphar · cyphar · commit 5c1e0ab0a39d · 2017-04-11T23:40:59.000+10:00
The two modules {validate,generate} should be mutually exclusive and should not depend on each other. In addition, it is not the job of generate to carry out validation of any arguments provided (especially system-specific arguments). lastCap needs two copies because of the RHEL6 hack, which is a shame but does not justify the import dependency (because that dependency pulls in logrus and a few other libraries for no good reason). Fixes: 1a899a6 ("validate: optimize capabilites check") Signed-off-by: Aleksa Sarai <asarai@suse.de>
diff --git a/generate/generate.go b/generate/generate.go
@@ -11,7 +11,6 @@ import (
 
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate/seccomp"
-	"github.com/opencontainers/runtime-tools/validate"
 	"github.com/syndtr/gocapability/capability"
 )
 
@@ -819,12 +818,24 @@ func (g *Generator) AddBindMount(source, dest string, options []string) {
 	g.spec.Mounts = append(g.spec.Mounts, mnt)
 }
 
+// lastCap return last cap of system, and is required to hack around RHEL6.
+// This is an exact copy of "validate/validate.go".lastCap.
+func lastCap() capability.Cap {
+	last := capability.CAP_LAST_CAP
+	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
+	if last == capability.Cap(63) {
+		last = capability.CAP_BLOCK_SUSPEND
+	}
+
+	return last
+}
+
 // SetupPrivileged sets up the privilege-related fields inside g.spec.
 func (g *Generator) SetupPrivileged(privileged bool) {
 	if privileged { // Add all capabilities in privileged mode.
 		var finalCapList []string
 		for _, cap := range capability.List() {
-			if g.HostSpecific && cap > validate.LastCap() {
+			if g.HostSpecific && cap > lastCap() {
 				continue
 			}
 			finalCapList = append(finalCapList, fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())))
@@ -855,12 +866,8 @@ func (g *Generator) ClearProcessCapabilities() {
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
-		return err
-	}
-
 	g.initSpec()
+	cp := strings.ToUpper(c)
 
 	for _, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
@@ -902,12 +909,8 @@ func (g *Generator) AddProcessCapability(c string) error {
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-	cp := strings.ToUpper(c)
-	if err := validate.CapValid(cp, g.HostSpecific); err != nil {
-		return err
-	}
-
 	g.initSpec()
+	cp := strings.ToUpper(c)
 
 	for i, cap := range g.spec.Process.Capabilities.Bounding {
 		if strings.ToUpper(cap) == cp {
diff --git a/validate/validate.go b/validate/validate.go
@@ -292,7 +292,7 @@ func (v *Validator) CheckProcess() (msgs []string) {
 	}
 
 	for _, capability := range caps {
-		if err := CapValid(capability, v.HostSpecific); err != nil {
+		if err := capValid(capability, v.HostSpecific); err != nil {
 			msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
 		}
 	}
@@ -589,16 +589,16 @@ func (v *Validator) CheckSeccomp() (msgs []string) {
 	return
 }
 
-// CapValid checks whether a capability is valid
-func CapValid(c string, hostSpecific bool) error {
+// capValid checks whether a capability is valid
+func capValid(c string, hostSpecific bool) error {
 	isValid := false
 
 	if !strings.HasPrefix(c, "CAP_") {
 		return fmt.Errorf("capability %s must start with CAP_", c)
 	}
 	for _, cap := range capability.List() {
 		if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
-			if hostSpecific && cap > LastCap() {
+			if hostSpecific && cap > lastCap() {
 				return fmt.Errorf("CAP_%s is not supported on the current host", c)
 			}
 			isValid = true
@@ -612,8 +612,9 @@ func CapValid(c string, hostSpecific bool) error {
 	return nil
 }
 
-// LastCap return last cap of system
-func LastCap() capability.Cap {
+// lastCap return last cap of system, and is required to hack around RHEL6.
+// This is an exact copy of "generate/generate.go".lastCap.
+func lastCap() capability.Cap {
 	last := capability.CAP_LAST_CAP
 	// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap
 	if last == capability.Cap(63) {

Original file line number	Diff line number	Diff line change
`@@ -292,7 +292,7 @@ func (v *Validator) CheckProcess() (msgs []string) {`
`292`	`292`	`}`
`293`	`293`
`294`	`294`	`for _, capability := range caps {`
`295`		`- if err := CapValid(capability, v.HostSpecific); err != nil {`
	`295`	`+ if err := capValid(capability, v.HostSpecific); err != nil {`
`296`	`296`	`msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))`
`297`	`297`	`}`
`298`	`298`	`}`
`@@ -589,16 +589,16 @@ func (v *Validator) CheckSeccomp() (msgs []string) {`
`589`	`589`	`return`
`590`	`590`	`}`
`591`	`591`
`592`		`-// CapValid checks whether a capability is valid`
`593`		`-func CapValid(c string, hostSpecific bool) error {`
	`592`	`+// capValid checks whether a capability is valid`
	`593`	`+func capValid(c string, hostSpecific bool) error {`
`594`	`594`	`isValid := false`
`595`	`595`
`596`	`596`	`if !strings.HasPrefix(c, "CAP_") {`
`597`	`597`	`return fmt.Errorf("capability %s must start with CAP_", c)`
`598`	`598`	`}`
`599`	`599`	`for _, cap := range capability.List() {`
`600`	`600`	`if c == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {`
`601`		`- if hostSpecific && cap > LastCap() {`
	`601`	`+ if hostSpecific && cap > lastCap() {`
`602`	`602`	`return fmt.Errorf("CAP_%s is not supported on the current host", c)`
`603`	`603`	`}`
`604`	`604`	`isValid = true`
`@@ -612,8 +612,9 @@ func CapValid(c string, hostSpecific bool) error {`
`612`	`612`	`return nil`
`613`	`613`	`}`
`614`	`614`
`615`		`-// LastCap return last cap of system`
`616`		`-func LastCap() capability.Cap {`
	`615`	`+// lastCap return last cap of system, and is required to hack around RHEL6.`
	`616`	`+// This is an exact copy of "generate/generate.go".lastCap.`
	`617`	`+func lastCap() capability.Cap {`
`617`	`618`	`last := capability.CAP_LAST_CAP`
`618`	`619`	`// hack for RHEL6 which has no /proc/sys/kernel/cap_last_cap`
`619`	`620`	`if last == capability.Cap(63) {`