Switch to github.com/moby/sys/capability v0.4.0

This is an example to explain how to keep the behavior
or runc after we repalce the package capability.

Signed-off-by: lfbzhm <[email protected]>

Author: lifubang

go.mod

@@ -7,6 +7,8 @@ go 1.22
 // Note that toolchain does not impose a requirement on other modules using runc.
 toolchain go1.22.4
 
+replace github.com/moby/sys/capability v0.3.0 => github.com/lifubang/moby_sys/capability v0.0.0-20241013102214-92ccf7035c8d
+
 require (
 	github.com/checkpoint-restore/go-criu/v6 v6.3.0
 	github.com/cilium/ebpf v0.16.0
@@ -15,6 +17,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.3.4
 	github.com/docker/go-units v0.5.0
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/moby/sys/capability v0.3.0
 	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/sys/user v0.3.0
 	github.com/moby/sys/userns v0.1.0
@@ -23,7 +26,6 @@ require (
 	github.com/opencontainers/selinux v1.11.0
 	github.com/seccomp/libseccomp-golang v0.10.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/urfave/cli v1.22.14
 	github.com/vishvananda/netlink v1.1.0
 	golang.org/x/net v0.24.0

go.sum

@@ -34,6 +34,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lifubang/moby_sys/capability v0.0.0-20241013102214-92ccf7035c8d h1:EhSBja/Vl3FnEgJEvQ7B2dPrv9PjRmq9+DnWSbtlLDI=
+github.com/lifubang/moby_sys/capability v0.0.0-20241013102214-92ccf7035c8d/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
 github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
@@ -71,8 +73,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=

libcontainer/capabilities/capabilities.go

@@ -6,9 +6,9 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 )
 
 const allCapabilityTypes = capability.CAPS | capability.BOUNDING | capability.AMBIENT
@@ -25,19 +25,23 @@ var (
 )
 
 func init() {
-	capabilityMap = make(map[string]capability.Cap, capability.CAP_LAST_CAP+1)
-	for _, c := range capability.List() {
-		if c > capability.CAP_LAST_CAP {
-			continue
-		}
+	list, err := capability.ListSupported()
+	if err != nil {
+		return
+	}
+	capabilityMap = make(map[string]capability.Cap, len(list))
+	for _, c := range list {
 		capabilityMap["CAP_"+strings.ToUpper(c.String())] = c
 	}
 }
 
 // KnownCapabilities returns the list of the known capabilities.
 // Used by `runc features`.
 func KnownCapabilities() []string {
-	list := capability.List()
+	list, err := capability.ListSupported()
+	if err != nil {
+		return nil
+	}
 	res := make([]string, len(list))
 	for i, c := range list {
 		res[i] = "CAP_" + strings.ToUpper(c.String())
@@ -118,5 +122,25 @@ func (c *Caps) ApplyCaps() error {
 	for _, g := range capTypes {
 		c.pid.Set(g, c.caps[g]...)
 	}
-	return c.pid.Apply(allCapabilityTypes)
+	if err := c.pid.Apply(capability.BOUNDING | capability.CAPS); err != nil {
+		return err
+	}
+	// As there was a bug for ambient implementation in package capability,
+	// the error of raise/lower ambient caps has been masked. Please see:
+	// https://github.com/kolyshkin/capability/pull/3
+	// Though the bug has been fixed in v0.4.0, but we should have a
+	// compatibility for ambient cap set.
+	ambientCaps := c.caps[capability.AMBIENT]
+	err := capability.AmbientClearAll()
+	if err != nil {
+		logrus.Warnf("can't lower all ambient caps: %v", err)
+		return nil
+	}
+	for _, ambient := range ambientCaps {
+		err = capability.AmbientRaise(ambient)
+		if err != nil {
+			logrus.Warnf("can't raise ambient cap(%s): %v", ambient.String(), err)
+		}
+	}
+	return nil
 }

libcontainer/capabilities/capabilities_linux_test.go

@@ -5,10 +5,10 @@ import (
 	"os"
 	"testing"
 
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
-	"github.com/syndtr/gocapability/capability"
 )
 
 func TestNew(t *testing.T) {