in cmd/hotdog-hotpatch/main.go [99:146]
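// constrainHotdogCapabilities reduces this process's capabilities to the
// union of the target container's bounding set and hotdogCaps.
//
// The container's bounding set is read as OCI LinuxCapabilities JSON from the
// hotdog.EnvCapability environment variable (presumably placed there by the
// hook that launched this process; it is trusted as the source of truth). Only
// the container's Bounding list is consulted; its other sets are ignored.
//
// The resulting permitted and effective sets are that bounding set PLUS
// hotdogCaps, so the hotpatch process may still hold capabilities the
// container itself does not; anything executed under this process must be
// treated accordingly. The inheritable and ambient sets are cleared, and every
// capability outside the new permitted set is dropped from the bounding set.
//
// Returns an error if the environment variable is empty or unparsable, if a
// capability name is unknown, or if any of the capability syscalls fail.
func constrainHotdogCapabilities() error {
	capJSON := os.Getenv(hotdog.EnvCapability)
	if len(capJSON) == 0 {
		logger.Println("cannot find container capabilities!")
		return errors.New(hotdog.EnvCapability + " empty")
	}
	var containerCapabilities specs.LinuxCapabilities
	if err := json.Unmarshal([]byte(capJSON), &containerCapabilities); err != nil {
		return fmt.Errorf("cannot unmarshal container capabilities: %w", err)
	}

	// OCI spells names as CAP_SYS_ADMIN; cap.FromName expects cap_sys_admin.
	wanted := make([]cap.Value, 0, len(containerCapabilities.Bounding)+len(hotdogCaps))
	for _, name := range containerCapabilities.Bounding {
		v, err := cap.FromName(strings.ToLower(name))
		if err != nil {
			return fmt.Errorf("cannot parse %q: %w", name, err)
		}
		wanted = append(wanted, v)
	}
	wanted = append(wanted, hotdogCaps...)

	set := cap.NewSet()
	if err := set.SetFlag(cap.Permitted, true, wanted...); err != nil {
		return fmt.Errorf("failed to set permitted caps: %w", err)
	}
	if err := set.Fill(cap.Effective, cap.Permitted); err != nil {
		return fmt.Errorf("failed to set effective caps: %w", err)
	}
	if err := set.ClearFlag(cap.Inheritable); err != nil {
		return fmt.Errorf("failed to set inheritable caps: %w", err)
	}
	logger.Printf("Reducing capabilities to: %q", set.String())

	// Drop from the bounding set everything that will not be permitted.
	// PR_CAPBSET_DROP requires CAP_SETPCAP in the caller's effective set, so
	// this runs BEFORE SetProc lowers our own capabilities; doing it afterwards
	// would only work if CAP_SETPCAP happened to survive in the reduced set.
	// Dropping a bounding-set bit does not change our current permitted set,
	// so the end state is the same either way.
	for i := 0; i < int(cap.MaxBits()); i++ {
		v := cap.Value(i)
		if ok, err := set.GetFlag(cap.Permitted, v); err != nil || !ok {
			if err := cap.DropBound(v); err != nil {
				return fmt.Errorf("failed to drop %s: %w", v.String(), err)
			}
		}
	}
	// Lower our own permitted/effective/inheritable sets to the computed set.
	if err := set.SetProc(); err != nil {
		return fmt.Errorf("failed to setpcap: %w", err)
	}
	// Ambient caps cannot outlive their inheritable counterparts, so this should
	// already be empty after SetProc; reset explicitly regardless.
	if err := cap.ResetAmbient(); err != nil {
		return fmt.Errorf("failed to clear ambient caps: %w", err)
	}
	return nil
}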