本文整理汇总了Golang中github.com/syndtr/gocapability/capability.NewPid函数的典型用法代码示例。如果您正苦于以下问题:Golang NewPid函数的具体用法?Golang NewPid怎么用?Golang NewPid使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了NewPid函数的18个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Golang代码示例。
示例1: setupCapabilities
// setupCapabilities removes a fixed denylist of capabilities from the
// current process's CAPS (effective/permitted/inheritable) and bounding sets.
//
// It is a no-op for privileged containers. Because this is a denylist, any
// capability not named in droppedCaps is left exactly as the process
// inherited it.
func setupCapabilities(args *DockerInitArgs) error {
	if args.privileged {
		return nil
	}

	droppedCaps := []capability.Cap{
		capability.CAP_SETPCAP,
		capability.CAP_SYS_MODULE,
		capability.CAP_SYS_RAWIO,
		capability.CAP_SYS_PACCT,
		capability.CAP_SYS_ADMIN,
		capability.CAP_SYS_NICE,
		capability.CAP_SYS_RESOURCE,
		capability.CAP_SYS_TIME,
		capability.CAP_SYS_TTY_CONFIG,
		capability.CAP_MKNOD,
		capability.CAP_AUDIT_WRITE,
		capability.CAP_AUDIT_CONTROL,
		capability.CAP_MAC_OVERRIDE,
		capability.CAP_MAC_ADMIN,
	}

	current, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	// Unset edits the in-memory copy; Apply commits it to the process.
	current.Unset(capability.CAPS|capability.BOUNDS, droppedCaps...)
	return current.Apply(capability.CAPS | capability.BOUNDS)
}
开发者ID:kelsieflynn,项目名称:docker,代码行数:35,代码来源:sysinit.go
示例2: haveMacAdmin
// haveMacAdmin reports whether the calling process (pid 0 addresses the
// caller itself) holds CAP_MAC_ADMIN in its effective set. If the capability
// state cannot be read the answer is "no".
func haveMacAdmin() bool {
	self, err := capability.NewPid(0)
	if err != nil {
		return false
	}
	return self.Get(capability.EFFECTIVE, capability.CAP_MAC_ADMIN)
}
开发者ID:mickydelfavero,项目名称:lxd,代码行数:10,代码来源:daemon.go
示例3: HasChrootCapability
// HasChrootCapability checks if the current process has the CAP_SYS_CHROOT
// capability.
//
// When the capability state cannot be retrieved it falls back to an
// effective-uid check. NOTE(review): euid == 0 does not imply CAP_SYS_CHROOT
// (a root process in a capability-restricted container may have dropped it),
// so the fallback is optimistic by design.
func HasChrootCapability() bool {
	self, err := capability.NewPid(0)
	if err != nil {
		// Could not read the capability sets; assume root still has it.
		return os.Geteuid() == 0
	}
	return self.Get(capability.EFFECTIVE, capability.CAP_SYS_CHROOT)
}
开发者ID:sinfomicien,项目名称:rkt,代码行数:13,代码来源:capability.go
示例4: PrintCap
// PrintCap prints one line, labelled capName, showing whether cap is present
// in each of the calling process's four capability sets (bounding, permitted,
// effective, inheritable).
//
// It panics if the capability state cannot be read; this is a diagnostic
// helper, not library code.
func PrintCap(capName string, cap capability.Cap) {
	self, err := capability.NewPid(0)
	if err != nil {
		panic(err)
	}

	inBounding := self.Get(capability.BOUNDING, cap)
	inPermitted := self.Get(capability.PERMITTED, cap)
	inEffective := self.Get(capability.EFFECTIVE, cap)
	inInheritable := self.Get(capability.INHERITABLE, cap)

	fmt.Printf("%s bounding=%t, permitted=%t, effective=%t, inheritable=%t\n",
		capName, inBounding, inPermitted, inEffective, inInheritable)
}
开发者ID:nagyistoce,项目名称:garden-linux,代码行数:13,代码来源:inspector_linux.go
示例5: DropCapabilities
// DropCapabilities drops capabilities for the current process based
// on the container's configuration.
//
// The capabilities to drop come from getCapabilities; when that list is
// empty nothing is changed. This is a denylist: capabilities not returned by
// getCapabilities are kept.
func DropCapabilities(container *libcontainer.Container) error {
	toDrop := getCapabilities(container)
	if len(toDrop) == 0 {
		return nil
	}

	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}
	self.Unset(capability.CAPS|capability.BOUNDS, toDrop...)
	return self.Apply(capability.CAPS | capability.BOUNDS)
}
开发者ID:kippandrew,项目名称:docker,代码行数:16,代码来源:capabilities.go
示例6: DropCapabilities
// DropCapabilities drops all capabilities for the current process except
// those specified in the container configuration.
//
// This is an allowlist: every type in allCapabilityTypes is cleared first and
// only the capabilities returned by getEnabledCapabilities are re-added.
func DropCapabilities(container *libcontainer.Container) error {
	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(container)
	self.Clear(allCapabilityTypes)
	self.Set(allCapabilityTypes, allowed...)
	return self.Apply(allCapabilityTypes)
}
开发者ID:JasonGiedymin,项目名称:docker,代码行数:16,代码来源:capabilities.go
示例7: DropCapabilities
// DropCapabilities drops all capabilities for the current process except
// those named in capList.
//
// This is an allowlist: every type in allCapabilityTypes is cleared first and
// only the capabilities that getEnabledCapabilities resolves from capList are
// re-added.
func DropCapabilities(capList []string) error {
	self, err := capability.NewPid(0)
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(capList)
	self.Clear(allCapabilityTypes)
	self.Set(allCapabilityTypes, allowed...)
	return self.Apply(allCapabilityTypes)
}
开发者ID:bmanas,项目名称:amazon-ecs-agent,代码行数:16,代码来源:capabilities.go
示例8: DropBoundingSet
// DropBoundingSet drops the capability bounding set to those specified in the
// container configuration.
//
// Only the bounding set is touched; the effective, permitted and inheritable
// sets are left as they are.
func DropBoundingSet(container *libcontainer.Container) error {
	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(container)
	self.Clear(capability.BOUNDS)
	self.Set(capability.BOUNDS, allowed...)
	return self.Apply(capability.BOUNDS)
}
开发者ID:JasonGiedymin,项目名称:docker,代码行数:18,代码来源:capabilities.go
示例9: DropBoundingSet
// DropBoundingSet drops the capability bounding set of the calling process to
// the capabilities named in capabilities.
//
// Only the bounding set is touched; the effective, permitted and inheritable
// sets are left as they are.
func DropBoundingSet(capabilities []string) error {
	self, err := capability.NewPid(0)
	if err != nil {
		return err
	}

	allowed := getEnabledCapabilities(capabilities)
	self.Clear(capability.BOUNDS)
	self.Set(capability.BOUNDS, allowed...)
	return self.Apply(capability.BOUNDS)
}
开发者ID:bmanas,项目名称:amazon-ecs-agent,代码行数:18,代码来源:capabilities.go
示例10: newCapWhitelist
// newCapWhitelist resolves the capability names in caps against
// capabilityList and returns a whitelist bound to the current process.
//
// An unknown name is an error rather than being skipped, so a typo in the
// configuration cannot silently change the kept set.
func newCapWhitelist(caps []string) (*whitelist, error) {
	keep := make([]capability.Cap, 0, len(caps))
	for _, name := range caps {
		resolved, ok := capabilityList[name]
		if !ok {
			return nil, fmt.Errorf("unknown capability %q", name)
		}
		keep = append(keep, resolved)
	}

	self, err := capability.NewPid(os.Getpid())
	if err != nil {
		return nil, err
	}
	return &whitelist{keep: keep, pid: self}, nil
}
开发者ID:chenzhen411,项目名称:kubernetes,代码行数:18,代码来源:capabilities_linux.go
示例11: validateCapabilities
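// validateCapabilities checks that the effective capability set of pid 1
// (the container's init process when this validator runs inside the
// container) matches exactly the set listed in spec.Linux.Capabilities:
// every listed capability must be present and no other may be.
//
// Spec names are matched against "CAP_" + the upper-cased gocapability name,
// for every capability up to CAP_LAST_CAP (with a fallback for kernels that
// do not expose /proc/sys/kernel/cap_last_cap).
//
// An unknown capability name in the spec is reported as an error. Previously
// a missing map key yielded the zero Cap (CAP_CHOWN), so a misspelled name
// silently marked CAP_CHOWN as expected instead of failing validation.
//
// rspec is accepted for interface compatibility and is not consulted.
func validateCapabilities(spec *specs.LinuxSpec, rspec *specs.LinuxRuntimeSpec) error {
	fmt.Println("validating capabilities")

	last := capability.CAP_LAST_CAP
	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	if last == capability.Cap(63) {
		last = capability.CAP_BLOCK_SUSPEND
	}

	// Build the name -> Cap lookup and mark every known capability as
	// "not expected" until the spec says otherwise.
	capabilityMap := make(map[string]capability.Cap)
	expectedCaps := make(map[capability.Cap]bool)
	for _, c := range capability.List() {
		if c > last {
			continue
		}
		capKey := fmt.Sprintf("CAP_%s", strings.ToUpper(c.String()))
		capabilityMap[capKey] = c
		expectedCaps[c] = false
	}

	for _, name := range spec.Linux.Capabilities {
		c, ok := capabilityMap[name]
		if !ok {
			return fmt.Errorf("unknown capability %q in spec", name)
		}
		expectedCaps[c] = true
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}
	for _, c := range capability.List() {
		expectedSet := expectedCaps[c]
		actuallySet := processCaps.Get(capability.EFFECTIVE, c)
		if expectedSet == actuallySet {
			continue
		}
		if expectedSet {
			return fmt.Errorf("Expected Capability %v not set for process", c.String())
		}
		return fmt.Errorf("Unexpected Capability %v set for process", c.String())
	}
	return nil
}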
开发者ID:rajasec,项目名称:ocitools,代码行数:42,代码来源:main.go
示例12: validateCapabilities
// validateCapabilities checks that the effective capability set of pid 1
// matches exactly the names in spec.Process.Capabilities: every listed
// capability (up to CAP_LAST_CAP) must be set and no unlisted one may be.
//
// NOTE(review): a spec entry that matches no known capability name is never
// looked up, so a misspelled entry passes this check silently.
func validateCapabilities(spec *rspec.Spec) error {
	logrus.Debugf("validating capabilities")

	last := capability.CAP_LAST_CAP
	// workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
	if last == capability.Cap(63) {
		last = capability.CAP_BLOCK_SUSPEND
	}

	processCaps, err := capability.NewPid(1)
	if err != nil {
		return err
	}

	wanted := make(map[string]bool, len(spec.Process.Capabilities))
	for _, name := range spec.Process.Capabilities {
		wanted[name] = true
	}

	for _, c := range capability.List() {
		if c > last {
			continue
		}
		key := fmt.Sprintf("CAP_%s", strings.ToUpper(c.String()))
		isExpected := wanted[key]
		isSet := processCaps.Get(capability.EFFECTIVE, c)
		switch {
		case isExpected == isSet:
			continue
		case isExpected:
			return fmt.Errorf("Expected Capability %v not set for process", c.String())
		default:
			return fmt.Errorf("Unexpected Capability %v set for process", c.String())
		}
	}
	return nil
}
开发者ID:opencontainers,项目名称:ocitools,代码行数:37,代码来源:main.go
示例13: checkPrerequisite
// checkPrerequisite verifies that the calling process holds the effective
// capabilities required by the inspectors enabled in cfg: CAP_NET_ADMIN and
// CAP_SYS_ADMIN for the ethernet inspector, CAP_SYS_NICE for the proc
// inspector. The first missing capability is reported as an error.
func checkPrerequisite(cfg config.Config) error {
	// pid 0 addresses the calling process itself.
	self, err := cap.NewPid(0)
	if err != nil {
		return err
	}
	has := func(c cap.Cap) bool { return self.Get(cap.EFFECTIVE, c) }

	if cfg.GetBool("containerParam.enableEthernetInspector") {
		switch {
		case !has(cap.CAP_NET_ADMIN):
			return fmt.Errorf("CAP_NET_ADMIN is needed.")
		case !has(cap.CAP_SYS_ADMIN):
			return fmt.Errorf("CAP_SYS_ADMIN is needed.")
		}
	}
	if cfg.GetBool("containerParam.enableProcInspector") && !has(cap.CAP_SYS_NICE) {
		return fmt.Errorf("CAP_SYS_NICE is needed.")
	}
	return nil
}
开发者ID:terminiter,项目名称:earthquake,代码行数:24,代码来源:runprereq.go
示例14: Limit
// Limit replaces the bounding and CAPS (effective/permitted/inheritable) sets
// of process c.Pid with a fixed allowlist of capabilities; everything not in
// the list is cleared. With extendedWhitelist, CAP_SYS_ADMIN is added as
// well. CAP_SYS_ADMIN is very broad, so the extended list materially widens
// what the process can do.
func (c ProcessCapabilities) Limit(extendedWhitelist bool) error {
	target, err := capability.NewPid(c.Pid)
	if err != nil {
		return fmt.Errorf("system: getting capabilities: %s", err)
	}

	allowed := []capability.Cap{
		capability.CAP_CHOWN,
		capability.CAP_DAC_OVERRIDE,
		capability.CAP_FSETID,
		capability.CAP_FOWNER,
		capability.CAP_MKNOD,
		capability.CAP_NET_RAW,
		capability.CAP_SETGID,
		capability.CAP_SETUID,
		capability.CAP_SETFCAP,
		capability.CAP_SETPCAP,
		capability.CAP_NET_BIND_SERVICE,
		capability.CAP_SYS_CHROOT,
		capability.CAP_KILL,
		capability.CAP_AUDIT_WRITE,
	}
	if extendedWhitelist {
		allowed = append(allowed, capability.CAP_SYS_ADMIN)
	}

	sets := capability.BOUNDING | capability.CAPS
	// Clear first so the result is exactly the allowlist, nothing inherited.
	target.Clear(sets)
	target.Set(sets, allowed...)
	if err := target.Apply(sets); err != nil {
		return fmt.Errorf("system: applying capabilities: %s", err)
	}
	return nil
}
开发者ID:nagyistoce,项目名称:garden-linux,代码行数:36,代码来源:capabilities_linux.go
示例15: run
func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
if s.ExitOnLockContention && s.LockFilePath == "" {
return errors.New("cannot exit on lock file contention: no lock file specified")
}
done := make(chan struct{})
if s.LockFilePath != "" {
glog.Infof("acquiring lock on %q", s.LockFilePath)
if err := flock.Acquire(s.LockFilePath); err != nil {
return fmt.Errorf("unable to acquire file lock on %q: %v", s.LockFilePath, err)
}
if s.ExitOnLockContention {
glog.Infof("watching for inotify events for: %v", s.LockFilePath)
if err := watchForLockfileContention(s.LockFilePath, done); err != nil {
return err
}
}
}
if c, err := configz.New("componentconfig"); err == nil {
c.Set(s.KubeletConfiguration)
} else {
glog.Errorf("unable to register configz: %s", err)
}
// check if we have CAP_SYS_ADMIN to setgroup properly
pid, err := capability.NewPid(os.Getpid())
if err != nil {
return err
}
if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
}
if kcfg == nil {
cfg, err := UnsecuredKubeletConfig(s)
if err != nil {
return err
}
kcfg = cfg
clientConfig, err := CreateAPIServerClientConfig(s)
if err == nil {
kcfg.KubeClient, err = clientset.NewForConfig(clientConfig)
// make a separate client for events
eventClientConfig := *clientConfig
eventClientConfig.QPS = float32(s.EventRecordQPS)
eventClientConfig.Burst = int(s.EventBurst)
kcfg.EventClient, err = clientset.NewForConfig(&eventClientConfig)
}
if err != nil && len(s.APIServerList) > 0 {
glog.Warningf("No API client: %v", err)
}
if s.CloudProvider == kubeExternal.AutoDetectCloudProvider {
kcfg.AutoDetectCloudProvider = true
} else {
cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
if err != nil {
return err
}
if cloud == nil {
glog.V(2).Infof("No cloud provider specified: %q from the config file: %q\n", s.CloudProvider, s.CloudConfigFile)
} else {
glog.V(2).Infof("Successfully initialized cloud provider: %q from the config file: %q\n", s.CloudProvider, s.CloudConfigFile)
kcfg.Cloud = cloud
}
}
}
if kcfg.CAdvisorInterface == nil {
kcfg.CAdvisorInterface, err = cadvisor.New(uint(s.CAdvisorPort), kcfg.ContainerRuntime)
if err != nil {
return err
}
}
if kcfg.ContainerManager == nil {
if kcfg.SystemCgroups != "" && kcfg.CgroupRoot == "" {
return fmt.Errorf("invalid configuration: system container was specified and cgroup root was not specified")
}
kcfg.ContainerManager, err = cm.NewContainerManager(kcfg.Mounter, kcfg.CAdvisorInterface, cm.NodeConfig{
RuntimeCgroupsName: kcfg.RuntimeCgroups,
SystemCgroupsName: kcfg.SystemCgroups,
KubeletCgroupsName: kcfg.KubeletCgroups,
ContainerRuntime: kcfg.ContainerRuntime,
CgroupsPerQOS: kcfg.CgroupsPerQOS,
CgroupRoot: kcfg.CgroupRoot,
})
if err != nil {
return err
}
}
runtime.ReallyCrash = s.ReallyCrashForTesting
rand.Seed(time.Now().UTC().UnixNano())
// TODO(vmarmol): Do this through container config.
oomAdjuster := kcfg.OOMAdjuster
if err := oomAdjuster.ApplyOOMScoreAdj(0, int(s.OOMScoreAdj)); err != nil {
//.........这里部分代码省略.........
开发者ID:maxfrei,项目名称:kubernetes,代码行数:101,代码来源:server.go
示例16: bootstrapData
// bootstrapData encodes the necessary data in netlink binary format
// as a io.Reader.
// Consumer can write the data to a bootstrap program
// such as one that uses nsenter package to bootstrap the container's
// init process correctly, i.e. with correct namespaces, uid/gid
// mapping etc.
//
// Attributes are appended in a fixed order: clone flags, console path (if
// any), custom namespace paths (if any) and — unless an existing user
// namespace is being joined — uid mappings, gid mappings and, when this
// process lacks CAP_SETGID, a SetgroupAttr flag.
func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string, consolePath string) (io.Reader, error) {
	req := nl.NewNetlinkRequest(int(InitMsg), 0)

	req.AddData(&Int32msg{Type: CloneFlagsAttr, Value: uint32(cloneFlags)})

	if consolePath != "" {
		req.AddData(&Bytemsg{Type: ConsolePathAttr, Value: []byte(consolePath)})
	}

	if len(nsMaps) > 0 {
		nsPaths, err := c.orderNamespacePaths(nsMaps)
		if err != nil {
			return nil, err
		}
		req.AddData(&Bytemsg{Type: NsPathsAttr, Value: []byte(strings.Join(nsPaths, ","))})
	}

	// id mappings are only written when we are not joining an existing user ns
	if _, joiningUserNS := nsMaps[configs.NEWUSER]; !joiningUserNS {
		if uidMaps := c.config.UidMappings; len(uidMaps) > 0 {
			encoded, err := encodeIDMapping(uidMaps)
			if err != nil {
				return nil, err
			}
			req.AddData(&Bytemsg{Type: UidmapAttr, Value: encoded})
		}

		if gidMaps := c.config.GidMappings; len(gidMaps) > 0 {
			encoded, err := encodeIDMapping(gidMaps)
			if err != nil {
				return nil, err
			}
			req.AddData(&Bytemsg{Type: GidmapAttr, Value: encoded})

			// Without CAP_SETGID in our effective set, signal SetgroupAttr so
			// the bootstrap side can handle setgroups.
			self, err := capability.NewPid(os.Getpid())
			if err != nil {
				return nil, err
			}
			if !self.Get(capability.EFFECTIVE, capability.CAP_SETGID) {
				req.AddData(&Boolmsg{Type: SetgroupAttr, Value: true})
			}
		}
	}

	return bytes.NewReader(req.Serialize()), nil
}
开发者ID:imikushin,项目名称:runc,代码行数:77,代码来源:container_linux.go
示例17: main
//.........这里部分代码省略.........
} else {
fmt.Printf("PATH is good\n")
os.Exit(0)
}
} else {
continue
}
}
fmt.Fprintf(os.Stderr, "PATH not found")
os.Exit(1)
}
if globalFlags.PrintExec {
fmt.Fprintf(os.Stdout, "inspect execed as: %s\n", os.Args[0])
}
if globalFlags.PrintMsg != "" {
fmt.Fprintf(os.Stdout, "%s\n", globalFlags.PrintMsg)
messageLoopStr := os.Getenv("MESSAGE_LOOP")
messageLoop, err := strconv.Atoi(messageLoopStr)
if err == nil {
for i := 0; i < messageLoop; i++ {
time.Sleep(time.Second)
fmt.Fprintf(os.Stdout, "%s\n", globalFlags.PrintMsg)
}
}
}
if globalFlags.PrintEnv != "" {
fmt.Fprintf(os.Stdout, "%s=%s\n", globalFlags.PrintEnv, os.Getenv(globalFlags.PrintEnv))
}
if globalFlags.PrintCapsPid >= 0 {
caps, err := capability.NewPid(globalFlags.PrintCapsPid)
if err != nil {
fmt.Fprintf(os.Stderr, "Cannot get caps: %v\n", err)
os.Exit(1)
}
fmt.Printf("Capability set: effective: %s (%s)\n", caps.StringCap(capability.EFFECTIVE), globalFlags.SuffixMsg)
fmt.Printf("Capability set: permitted: %s (%s)\n", caps.StringCap(capability.PERMITTED), globalFlags.SuffixMsg)
fmt.Printf("Capability set: inheritable: %s (%s)\n", caps.StringCap(capability.INHERITABLE), globalFlags.SuffixMsg)
fmt.Printf("Capability set: bounding: %s (%s)\n", caps.StringCap(capability.BOUNDING), globalFlags.SuffixMsg)
if capStr := os.Getenv("CAPABILITY"); capStr != "" {
capInt, err := strconv.Atoi(capStr)
if err != nil {
fmt.Fprintf(os.Stderr, "Environment variable $CAPABILITY is not a valid capability number: %v\n", err)
os.Exit(1)
}
c := capability.Cap(capInt)
if caps.Get(capability.BOUNDING, c) {
fmt.Printf("%v=enabled (%s)\n", c.String(), globalFlags.SuffixMsg)
} else {
fmt.Printf("%v=disabled (%s)\n", c.String(), globalFlags.SuffixMsg)
}
}
}
if globalFlags.PrintUser {
fmt.Printf("User: uid=%d euid=%d gid=%d egid=%d\n", os.Getuid(), os.Geteuid(), os.Getgid(), os.Getegid())
}
if globalFlags.PrintGroups {
gids, err := os.Getgroups()
if err != nil {
fmt.Fprintf(os.Stderr, "Error getting groups: %v\n", err)
开发者ID:nak3,项目名称:rkt,代码行数:67,代码来源:inspect.go
示例18: main
func main() {
globalFlagset.Parse(os.Args[1:])
args := globalFlagset.Args()
if len(args) > 0 {
fmt.Fprintln(os.Stderr, "Wrong parameters")
os.Exit(1)
}
if globalFlags.PreSleep >= 0 {
time.Sleep(time.Duration(globalFlags.PreSleep) * time.Second)
}
if globalFlags.ReadStdin {
reader := bufio.NewReader(os.Stdin)
fmt.Printf("Enter text:\n")
text, _ := reader.ReadString('\n')
fmt.Printf("Received text: %s\n", text)
}
if globalFlags.CheckTty {
fd := int(os.Stdin.Fd())
var termios syscall.Termios
_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), syscall.TCGETS, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)
if err == 0 {
fmt.Printf("stdin is a terminal\n")
} else {
fmt.Printf("stdin is not a terminal\n")
}
}
if globalFlags.PrintExec {
fmt.Fprintf(os.Stdout, "inspect execed as: %s\n", os.Args[0])
}
if globalFlags.PrintMsg != "" {
fmt.Fprintf(os.Stdout, "%s\n", globalFlags.PrintMsg)
messageLoopStr := os.Getenv("MESSAGE_LOOP")
messageLoop, err := strconv.Atoi(messageLoopStr)
if err == nil {
for i := 0; i < messageLoop; i++ {
time.Sleep(time.Second)
fmt.Fprintf(os.Stdout, "%s\n", globalFlags.PrintMsg)
}
}
}
if globalFlags.PrintEnv != "" {
fmt.Fprintf(os.Stdout, "%s=%s\n", globalFlags.PrintEnv, os.Getenv(globalFlags.PrintEnv))
}
if globalFlags.PrintCapsPid >= 0 {
caps, err := capability.NewPid(globalFlags.PrintCapsPid)
if err != nil {
fmt.Fprintf(os.Stderr, "Cannot get caps: %v\n", err)
os.Exit(1)
}
fmt.Printf("Capability set: effective: %s\n", caps.StringCap(capability.EFFECTIVE))
fmt.Printf("Capability set: permitted: %s\n", caps.StringCap(capability.PERMITTED))
fmt.Printf("Capability set: inheritable: %s\n", caps.StringCap(capability.INHERITABLE))
fmt.Printf("Capability set: bounding: %s\n", caps.StringCap(capability.BOUNDING))
if capStr := os.Getenv("CAPABILITY"); capStr != "" {
capInt, err := strconv.Atoi(capStr)
if err != nil {
fmt.Fprintf(os.Stderr, "Environment variable $CAPABILITY is not a valid capability number: %v\n", err)
os.Exit(1)
}
c := capability.Cap(capInt)
if caps.Get(capability.BOUNDING, c) {
fmt.Printf("%v=enabled\n", c.String())
} else {
fmt.Printf("%v=disabled\n", c.String())
}
}
}
if globalFlags.PrintUser {
fmt.Printf("User: uid=%d euid=%d gid=%d egid=%d\n", os.Getuid(), os.Geteuid(), os.Getgid(), os.Getegid())
}
if globalFlags.PrintGroups {
gids, err := os.Getgroups()
if err != nil {
fmt.Fprintf(os.Stderr, "Error getting groups: %v\n", err)
os.Exit(1)
}
// getgroups(2): It is unspecified whether the effective group ID of
// the calling process is included in the returned list. (Thus, an
// application should also call getegid(2) and add or remove the
// resulting value.)
egid := os.Getegid()
if !in(gids, egid) {
gids = append(gids, egid)
sort.Ints(gids)
}
var b bytes.Buffer
for _, gid := range gids {
b.WriteString(fmt.Sprintf("%d ", gid))
}
fmt.Printf("Groups: %s\n", b.String())
//.........这里部分代码省略.........
开发者ID:coderhaoxin,项目名称:rkt,代码行数:101,代码来源:inspect.go
注:本文中的github.com/syndtr/gocapability/capability.NewPid函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |