.github
alerting
client
config
controller
core
docs
example
jsonpath
k8s
k8stest
metric
pattern
security
storage
util
vendor
cloud.google.com
github.com
go.etcd.io
golang.org
x
crypto
net
oauth2
sys
internal
plan9
unix
.gitignore
README.md
affinity_linux.go
aliases.go
asm_aix_ppc64.s
asm_darwin_386.s
asm_darwin_amd64.s
asm_darwin_arm.s
asm_darwin_arm64.s
asm_dragonfly_amd64.s
asm_freebsd_386.s
asm_freebsd_amd64.s
asm_freebsd_arm.s
asm_freebsd_arm64.s
asm_linux_386.s
asm_linux_amd64.s
asm_linux_arm.s
asm_linux_arm64.s
asm_linux_mips64x.s
asm_linux_mipsx.s
asm_linux_ppc64x.s
asm_linux_riscv64.s
asm_linux_s390x.s
asm_netbsd_386.s
asm_netbsd_amd64.s
asm_netbsd_arm.s
asm_netbsd_arm64.s
asm_openbsd_386.s
asm_openbsd_amd64.s
asm_openbsd_arm.s
asm_openbsd_arm64.s
asm_openbsd_mips64.s
asm_solaris_amd64.s
bluetooth_linux.go
cap_freebsd.go
constants.go
dev_aix_ppc.go
dev_aix_ppc64.go
dev_darwin.go
dev_dragonfly.go
dev_freebsd.go
dev_linux.go
dev_netbsd.go
dev_openbsd.go
dirent.go
endian_big.go
endian_little.go
env_unix.go
errors_freebsd_386.go
errors_freebsd_amd64.go
errors_freebsd_arm.go
errors_freebsd_arm64.go
fcntl.go
fcntl_darwin.go
fcntl_linux_32bit.go
fdset.go
gccgo.go
gccgo_c.c
gccgo_linux_amd64.go
ioctl.go
mkall.sh
mkerrors.sh
pagesize_unix.go
pledge_openbsd.go
ptrace_darwin.go
ptrace_ios.go
race.go
race0.go
readdirent_getdents.go
readdirent_getdirentries.go
sockcmsg_dragonfly.go
sockcmsg_linux.go
sockcmsg_unix.go
sockcmsg_unix_other.go
str.go
syscall.go
syscall_aix.go
syscall_aix_ppc.go
syscall_aix_ppc64.go
syscall_bsd.go
syscall_darwin.1_12.go
syscall_darwin.1_13.go
syscall_darwin.go
syscall_darwin_386.go
syscall_darwin_amd64.go
syscall_darwin_arm.go
syscall_darwin_arm64.go
syscall_darwin_libSystem.go
syscall_dragonfly.go
syscall_dragonfly_amd64.go
syscall_freebsd.go
syscall_freebsd_386.go
syscall_freebsd_amd64.go
syscall_freebsd_arm.go
syscall_freebsd_arm64.go
syscall_illumos.go
syscall_linux.go
syscall_linux_386.go
syscall_linux_amd64.go
syscall_linux_amd64_gc.go
syscall_linux_arm.go
syscall_linux_arm64.go
syscall_linux_gc.go
syscall_linux_gc_386.go
syscall_linux_gc_arm.go
syscall_linux_gccgo_386.go
syscall_linux_gccgo_arm.go
syscall_linux_mips64x.go
syscall_linux_mipsx.go
syscall_linux_ppc64x.go
syscall_linux_riscv64.go
syscall_linux_s390x.go
syscall_linux_sparc64.go
syscall_netbsd.go
syscall_netbsd_386.go
syscall_netbsd_amd64.go
syscall_netbsd_arm.go
syscall_netbsd_arm64.go
syscall_openbsd.go
syscall_openbsd_386.go
syscall_openbsd_amd64.go
syscall_openbsd_arm.go
syscall_openbsd_arm64.go
syscall_openbsd_mips64.go
syscall_solaris.go
syscall_solaris_amd64.go
syscall_unix.go
syscall_unix_gc.go
syscall_unix_gc_ppc64x.go
timestruct.go
unveil_openbsd.go
xattr_bsd.go
zerrors_aix_ppc.go
zerrors_aix_ppc64.go
zerrors_darwin_386.go
zerrors_darwin_amd64.go
zerrors_darwin_arm.go
zerrors_darwin_arm64.go
zerrors_dragonfly_amd64.go
zerrors_freebsd_386.go
zerrors_freebsd_amd64.go
zerrors_freebsd_arm.go
zerrors_freebsd_arm64.go
zerrors_linux.go
zerrors_linux_386.go
zerrors_linux_amd64.go
zerrors_linux_arm.go
zerrors_linux_arm64.go
zerrors_linux_mips.go
zerrors_linux_mips64.go
zerrors_linux_mips64le.go
zerrors_linux_mipsle.go
zerrors_linux_ppc64.go
zerrors_linux_ppc64le.go
zerrors_linux_riscv64.go
zerrors_linux_s390x.go
zerrors_linux_sparc64.go
zerrors_netbsd_386.go
zerrors_netbsd_amd64.go
zerrors_netbsd_arm.go
zerrors_netbsd_arm64.go
zerrors_openbsd_386.go
zerrors_openbsd_amd64.go
zerrors_openbsd_arm.go
zerrors_openbsd_arm64.go
zerrors_openbsd_mips64.go
zerrors_solaris_amd64.go
zptrace_armnn_linux.go
zptrace_linux_arm64.go
zptrace_mipsnn_linux.go
zptrace_mipsnnle_linux.go
zptrace_x86_linux.go
zsyscall_aix_ppc.go
zsyscall_aix_ppc64.go
zsyscall_aix_ppc64_gc.go
zsyscall_aix_ppc64_gccgo.go
zsyscall_darwin_386.1_13.go
zsyscall_darwin_386.1_13.s
zsyscall_darwin_386.go
zsyscall_darwin_386.s
zsyscall_darwin_amd64.1_13.go
zsyscall_darwin_amd64.1_13.s
zsyscall_darwin_amd64.go
zsyscall_darwin_amd64.s
zsyscall_darwin_arm.1_13.go
zsyscall_darwin_arm.1_13.s
zsyscall_darwin_arm.go
zsyscall_darwin_arm.s
zsyscall_darwin_arm64.1_13.go
zsyscall_darwin_arm64.1_13.s
zsyscall_darwin_arm64.go
zsyscall_darwin_arm64.s
zsyscall_dragonfly_amd64.go
zsyscall_freebsd_386.go
zsyscall_freebsd_amd64.go
zsyscall_freebsd_arm.go
zsyscall_freebsd_arm64.go
zsyscall_illumos_amd64.go
zsyscall_linux.go
zsyscall_linux_386.go
zsyscall_linux_amd64.go
zsyscall_linux_arm.go
zsyscall_linux_arm64.go
zsyscall_linux_mips.go
zsyscall_linux_mips64.go
zsyscall_linux_mips64le.go
zsyscall_linux_mipsle.go
zsyscall_linux_ppc64.go
zsyscall_linux_ppc64le.go
zsyscall_linux_riscv64.go
zsyscall_linux_s390x.go
zsyscall_linux_sparc64.go
zsyscall_netbsd_386.go
zsyscall_netbsd_amd64.go
zsyscall_netbsd_arm.go
zsyscall_netbsd_arm64.go
zsyscall_openbsd_386.go
zsyscall_openbsd_amd64.go
zsyscall_openbsd_arm.go
zsyscall_openbsd_arm64.go
zsyscall_openbsd_mips64.go
zsyscall_solaris_amd64.go
zsysctl_openbsd_386.go
zsysctl_openbsd_amd64.go
zsysctl_openbsd_arm.go
zsysctl_openbsd_arm64.go
zsysctl_openbsd_mips64.go
zsysnum_darwin_386.go
zsysnum_darwin_amd64.go
zsysnum_darwin_arm.go
zsysnum_darwin_arm64.go
zsysnum_dragonfly_amd64.go
zsysnum_freebsd_386.go
zsysnum_freebsd_amd64.go
zsysnum_freebsd_arm.go
zsysnum_freebsd_arm64.go
zsysnum_linux_386.go
zsysnum_linux_amd64.go
zsysnum_linux_arm.go
zsysnum_linux_arm64.go
zsysnum_linux_mips.go
zsysnum_linux_mips64.go
zsysnum_linux_mips64le.go
zsysnum_linux_mipsle.go
zsysnum_linux_ppc64.go
zsysnum_linux_ppc64le.go
zsysnum_linux_riscv64.go
zsysnum_linux_s390x.go
zsysnum_linux_sparc64.go
zsysnum_netbsd_386.go
zsysnum_netbsd_amd64.go
zsysnum_netbsd_arm.go
zsysnum_netbsd_arm64.go
zsysnum_openbsd_386.go
zsysnum_openbsd_amd64.go
zsysnum_openbsd_arm.go
zsysnum_openbsd_arm64.go
zsysnum_openbsd_mips64.go
ztypes_aix_ppc.go
ztypes_aix_ppc64.go
ztypes_darwin_386.go
ztypes_darwin_amd64.go
ztypes_darwin_arm.go
ztypes_darwin_arm64.go
ztypes_dragonfly_amd64.go
ztypes_freebsd_386.go
ztypes_freebsd_amd64.go
ztypes_freebsd_arm.go
ztypes_freebsd_arm64.go
ztypes_linux.go
ztypes_linux_386.go
ztypes_linux_amd64.go
ztypes_linux_arm.go
ztypes_linux_arm64.go
ztypes_linux_mips.go
ztypes_linux_mips64.go
ztypes_linux_mips64le.go
ztypes_linux_mipsle.go
ztypes_linux_ppc64.go
ztypes_linux_ppc64le.go
ztypes_linux_riscv64.go
ztypes_linux_s390x.go
ztypes_linux_sparc64.go
ztypes_netbsd_386.go
ztypes_netbsd_amd64.go
ztypes_netbsd_arm.go
ztypes_netbsd_arm64.go
ztypes_openbsd_386.go
ztypes_openbsd_amd64.go
ztypes_openbsd_arm.go
ztypes_openbsd_arm64.go
ztypes_openbsd_mips64.go
ztypes_solaris_amd64.go
windows
AUTHORS
CONTRIBUTORS
LICENSE
PATENTS
term
text
time
google.golang.org
gopkg.in
k8s.io
sigs.k8s.io
modules.txt
watchdog
web
.dockerignore
.gitattributes
.gitignore
Dockerfile
LICENSE.md
Makefile
README.md
config.yaml
go.mod
go.sum
main.go
196 lines
5.0 KiB
Go
196 lines
5.0 KiB
Go
// Copyright 2017 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build freebsd
|
|
|
|
package unix
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
)
|
|
|
|
// Go implementation of C mostly found in /usr/src/sys/kern/subr_capability.c
|
|
|
|
const (
|
|
// This is the version of CapRights this package understands. See C implementation for parallels.
|
|
capRightsGoVersion = CAP_RIGHTS_VERSION_00
|
|
capArSizeMin = CAP_RIGHTS_VERSION_00 + 2
|
|
capArSizeMax = capRightsGoVersion + 2
|
|
)
|
|
|
|
var (
|
|
bit2idx = []int{
|
|
-1, 0, 1, -1, 2, -1, -1, -1, 3, -1, -1, -1, -1, -1, -1, -1,
|
|
4, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
|
|
}
|
|
)
|
|
|
|
func capidxbit(right uint64) int {
|
|
return int((right >> 57) & 0x1f)
|
|
}
|
|
|
|
func rightToIndex(right uint64) (int, error) {
|
|
idx := capidxbit(right)
|
|
if idx < 0 || idx >= len(bit2idx) {
|
|
return -2, fmt.Errorf("index for right 0x%x out of range", right)
|
|
}
|
|
return bit2idx[idx], nil
|
|
}
|
|
|
|
func caprver(right uint64) int {
|
|
return int(right >> 62)
|
|
}
|
|
|
|
func capver(rights *CapRights) int {
|
|
return caprver(rights.Rights[0])
|
|
}
|
|
|
|
func caparsize(rights *CapRights) int {
|
|
return capver(rights) + 2
|
|
}
|
|
|
|
// CapRightsSet sets the permissions in setrights in rights.
|
|
func CapRightsSet(rights *CapRights, setrights []uint64) error {
|
|
// This is essentially a copy of cap_rights_vset()
|
|
if capver(rights) != CAP_RIGHTS_VERSION_00 {
|
|
return fmt.Errorf("bad rights version %d", capver(rights))
|
|
}
|
|
|
|
n := caparsize(rights)
|
|
if n < capArSizeMin || n > capArSizeMax {
|
|
return errors.New("bad rights size")
|
|
}
|
|
|
|
for _, right := range setrights {
|
|
if caprver(right) != CAP_RIGHTS_VERSION_00 {
|
|
return errors.New("bad right version")
|
|
}
|
|
i, err := rightToIndex(right)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if i >= n {
|
|
return errors.New("index overflow")
|
|
}
|
|
if capidxbit(rights.Rights[i]) != capidxbit(right) {
|
|
return errors.New("index mismatch")
|
|
}
|
|
rights.Rights[i] |= right
|
|
if capidxbit(rights.Rights[i]) != capidxbit(right) {
|
|
return errors.New("index mismatch (after assign)")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CapRightsClear clears the permissions in clearrights from rights.
|
|
func CapRightsClear(rights *CapRights, clearrights []uint64) error {
|
|
// This is essentially a copy of cap_rights_vclear()
|
|
if capver(rights) != CAP_RIGHTS_VERSION_00 {
|
|
return fmt.Errorf("bad rights version %d", capver(rights))
|
|
}
|
|
|
|
n := caparsize(rights)
|
|
if n < capArSizeMin || n > capArSizeMax {
|
|
return errors.New("bad rights size")
|
|
}
|
|
|
|
for _, right := range clearrights {
|
|
if caprver(right) != CAP_RIGHTS_VERSION_00 {
|
|
return errors.New("bad right version")
|
|
}
|
|
i, err := rightToIndex(right)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if i >= n {
|
|
return errors.New("index overflow")
|
|
}
|
|
if capidxbit(rights.Rights[i]) != capidxbit(right) {
|
|
return errors.New("index mismatch")
|
|
}
|
|
rights.Rights[i] &= ^(right & 0x01FFFFFFFFFFFFFF)
|
|
if capidxbit(rights.Rights[i]) != capidxbit(right) {
|
|
return errors.New("index mismatch (after assign)")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CapRightsIsSet checks whether all the permissions in setrights are present in rights.
|
|
func CapRightsIsSet(rights *CapRights, setrights []uint64) (bool, error) {
|
|
// This is essentially a copy of cap_rights_is_vset()
|
|
if capver(rights) != CAP_RIGHTS_VERSION_00 {
|
|
return false, fmt.Errorf("bad rights version %d", capver(rights))
|
|
}
|
|
|
|
n := caparsize(rights)
|
|
if n < capArSizeMin || n > capArSizeMax {
|
|
return false, errors.New("bad rights size")
|
|
}
|
|
|
|
for _, right := range setrights {
|
|
if caprver(right) != CAP_RIGHTS_VERSION_00 {
|
|
return false, errors.New("bad right version")
|
|
}
|
|
i, err := rightToIndex(right)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
if i >= n {
|
|
return false, errors.New("index overflow")
|
|
}
|
|
if capidxbit(rights.Rights[i]) != capidxbit(right) {
|
|
return false, errors.New("index mismatch")
|
|
}
|
|
if (rights.Rights[i] & right) != right {
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
func capright(idx uint64, bit uint64) uint64 {
|
|
return ((1 << (57 + idx)) | bit)
|
|
}
|
|
|
|
// CapRightsInit returns a pointer to an initialised CapRights structure filled with rights.
|
|
// See man cap_rights_init(3) and rights(4).
|
|
func CapRightsInit(rights []uint64) (*CapRights, error) {
|
|
var r CapRights
|
|
r.Rights[0] = (capRightsGoVersion << 62) | capright(0, 0)
|
|
r.Rights[1] = capright(1, 0)
|
|
|
|
err := CapRightsSet(&r, rights)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &r, nil
|
|
}
|
|
|
|
// CapRightsLimit reduces the operations permitted on fd to at most those contained in rights.
|
|
// The capability rights on fd can never be increased by CapRightsLimit.
|
|
// See man cap_rights_limit(2) and rights(4).
|
|
func CapRightsLimit(fd uintptr, rights *CapRights) error {
|
|
return capRightsLimit(int(fd), rights)
|
|
}
|
|
|
|
// CapRightsGet returns a CapRights structure containing the operations permitted on fd.
|
|
// See man cap_rights_get(3) and rights(4).
|
|
func CapRightsGet(fd uintptr) (*CapRights, error) {
|
|
r, err := CapRightsInit(nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = capRightsGet(capRightsGoVersion, int(fd), r)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return r, nil
|
|
}
|