Less interfaces

libcontainer/capabilities/capabilities.go

@@ -7,7 +7,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/syndtr/gocapability/capability"
 )
@@ -49,7 +49,7 @@ func KnownCapabilities() []string {
 // New creates a new Caps from the given Capabilities config. Unknown Capabilities
 // or Capabilities that are unavailable in the current environment are ignored,
 // printing a warning instead.
-func New(capConfig *configs.Capabilities) (*Caps, error) {
+func New(capConfig *specs.LinuxCapabilities) (*Caps, error) {
 	var (
 		err error
 		c   Caps

libcontainer/capabilities/capabilities_linux_test.go

@@ -5,15 +5,15 @@ import (
 	"os"
 	"testing"
 
-	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 	"github.com/sirupsen/logrus/hooks/test"
 	"github.com/syndtr/gocapability/capability"
 )
 
 func TestNew(t *testing.T) {
 	cs := []string{"CAP_CHOWN", "CAP_UNKNOWN", "CAP_UNKNOWN2"}
-	conf := configs.Capabilities{
+	conf := specs.LinuxCapabilities{
 		Bounding:    cs,
 		Effective:   cs,
 		Inheritable: cs,

libcontainer/configs/config.go

@@ -124,7 +124,7 @@ type Config struct {
 
 	// Capabilities specify the capabilities to keep when executing the process inside the container
 	// All capabilities not specified will be dropped from the processes capability mask
-	Capabilities *Capabilities `json:"capabilities"`
+	Capabilities *specs.LinuxCapabilities `json:"capabilities"`
 
 	// Networks specifies the container's network setup to be created
 	Networks []*Network `json:"networks"`
@@ -261,19 +261,6 @@ func KnownHookNames() []string {
 	}
 }
 
-type Capabilities struct {
-	// Bounding is the set of capabilities checked by the kernel.
-	Bounding []string
-	// Effective is the set of capabilities checked by the kernel.
-	Effective []string
-	// Inheritable is the capabilities preserved across execve.
-	Inheritable []string
-	// Permitted is the limiting superset for effective capabilities.
-	Permitted []string
-	// Ambient is the ambient set of capabilities that are kept.
-	Ambient []string
-}
-
 func (hooks HookList) RunHooks(state *specs.State) error {
 	for i, h := range hooks {
 		if err := h.Run(state); err != nil {

libcontainer/init_linux.go

@@ -49,27 +49,27 @@ type network struct {
 
 // initConfig is used for transferring parameters from Exec() to Init()
 type initConfig struct {
-	Args             []string              `json:"args"`
-	Env              []string              `json:"env"`
-	Cwd              string                `json:"cwd"`
-	Capabilities     *configs.Capabilities `json:"capabilities"`
-	ProcessLabel     string                `json:"process_label"`
-	AppArmorProfile  string                `json:"apparmor_profile"`
-	NoNewPrivileges  bool                  `json:"no_new_privileges"`
-	User             string                `json:"user"`
-	AdditionalGroups []string              `json:"additional_groups"`
-	Config           *configs.Config       `json:"config"`
-	Networks         []*network            `json:"network"`
-	PassedFilesCount int                   `json:"passed_files_count"`
-	ContainerID      string                `json:"containerid"`
-	Rlimits          []configs.Rlimit      `json:"rlimits"`
-	CreateConsole    bool                  `json:"create_console"`
-	ConsoleWidth     uint16                `json:"console_width"`
-	ConsoleHeight    uint16                `json:"console_height"`
-	RootlessEUID     bool                  `json:"rootless_euid,omitempty"`
-	RootlessCgroups  bool                  `json:"rootless_cgroups,omitempty"`
-	SpecState        *specs.State          `json:"spec_state,omitempty"`
-	Cgroup2Path      string                `json:"cgroup2_path,omitempty"`
+	Args             []string                 `json:"args"`
+	Env              []string                 `json:"env"`
+	Cwd              string                   `json:"cwd"`
+	Capabilities     *specs.LinuxCapabilities `json:"capabilities"`
+	ProcessLabel     string                   `json:"process_label"`
+	AppArmorProfile  string                   `json:"apparmor_profile"`
+	NoNewPrivileges  bool                     `json:"no_new_privileges"`
+	User             string                   `json:"user"`
+	AdditionalGroups []string                 `json:"additional_groups"`
+	Config           *configs.Config          `json:"config"`
+	Networks         []*network               `json:"network"`
+	PassedFilesCount int                      `json:"passed_files_count"`
+	ContainerID      string                   `json:"containerid"`
+	Rlimits          []configs.Rlimit         `json:"rlimits"`
+	CreateConsole    bool                     `json:"create_console"`
+	ConsoleWidth     uint16                   `json:"console_width"`
+	ConsoleHeight    uint16                   `json:"console_height"`
+	RootlessEUID     bool                     `json:"rootless_euid,omitempty"`
+	RootlessCgroups  bool                     `json:"rootless_cgroups,omitempty"`
+	SpecState        *specs.State             `json:"spec_state,omitempty"`
+	Cgroup2Path      string                   `json:"cgroup2_path,omitempty"`
 }
 
 type initer interface {
@@ -167,7 +167,7 @@ func finalizeNamespace(config *initConfig) error {
 		}
 	}
 
-	caps := &configs.Capabilities{}
+	caps := &specs.LinuxCapabilities{}
 	if config.Capabilities != nil {
 		caps = config.Capabilities
 	} else if config.Config.Capabilities != nil {

libcontainer/integration/exec_test.go

@@ -358,7 +358,7 @@ func TestProcessCaps(t *testing.T) {
 		Env:          standardEnvironment,
 		Stdin:        nil,
 		Stdout:       &stdout,
-		Capabilities: &configs.Capabilities{},
+		Capabilities: &specs.LinuxCapabilities{},
 		Init:         true,
 	}
 	pconfig.Capabilities.Bounding = append(config.Capabilities.Bounding, "CAP_NET_ADMIN")
@@ -1402,7 +1402,7 @@ func TestRootfsPropagationSharedMount(t *testing.T) {
 		Env:          standardEnvironment,
 		Stdin:        stdinR2,
 		Stdout:       &stdout2,
-		Capabilities: &configs.Capabilities{},
+		Capabilities: &specs.LinuxCapabilities{},
 	}
 
 	// Provide CAP_SYS_ADMIN

libcontainer/integration/template_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/devices"
 	"github.com/opencontainers/runc/libcontainer/specconv"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"golang.org/x/sys/unix"
 )
 
@@ -42,7 +43,7 @@ func newTemplateConfig(t *testing.T, p *tParam) *configs.Config {
 	}
 	config := &configs.Config{
 		Rootfs: newRootfs(t),
-		Capabilities: &configs.Capabilities{
+		Capabilities: &specs.LinuxCapabilities{
 			Bounding: []string{
 				"CAP_CHOWN",
 				"CAP_DAC_OVERRIDE",

libcontainer/process.go

@@ -7,6 +7,7 @@ import (
 	"os"
 
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
 var errInvalidProcess = errors.New("invalid process")
@@ -55,7 +56,7 @@ type Process struct {
 
 	// Capabilities specify the capabilities to keep when executing the process inside the container
 	// All capabilities not specified will be dropped from the processes capability mask
-	Capabilities *configs.Capabilities
+	Capabilities *specs.LinuxCapabilities
 
 	// AppArmorProfile specifies the profile to apply to the process and is
 	// changed at the time the process is execed

libcontainer/specconv/spec_linux.go

@@ -481,15 +481,7 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 		config.NoNewPrivileges = spec.Process.NoNewPrivileges
 		config.Umask = spec.Process.User.Umask
 		config.ProcessLabel = spec.Process.SelinuxLabel
-		if spec.Process.Capabilities != nil {
-			config.Capabilities = &configs.Capabilities{
-				Bounding:    spec.Process.Capabilities.Bounding,
-				Effective:   spec.Process.Capabilities.Effective,
-				Permitted:   spec.Process.Capabilities.Permitted,
-				Inheritable: spec.Process.Capabilities.Inheritable,
-				Ambient:     spec.Process.Capabilities.Ambient,
-			}
-		}
+		config.Capabilities = spec.Process.Capabilities
 	}
 	createHooks(spec, config)
 	config.Version = specs.Version

utils_linux.go

@@ -17,7 +17,6 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/opencontainers/runc/libcontainer"
-	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/specconv"
 	"github.com/opencontainers/runc/libcontainer/utils"
 )
@@ -86,21 +85,14 @@ func newProcess(p specs.Process) (*libcontainer.Process, error) {
 		Label:           p.SelinuxLabel,
 		NoNewPrivileges: &p.NoNewPrivileges,
 		AppArmorProfile: p.ApparmorProfile,
+		Capabilities:    p.Capabilities,
 	}
 
 	if p.ConsoleSize != nil {
 		lp.ConsoleWidth = uint16(p.ConsoleSize.Width)
 		lp.ConsoleHeight = uint16(p.ConsoleSize.Height)
 	}
 
-	if p.Capabilities != nil {
-		lp.Capabilities = &configs.Capabilities{}
-		lp.Capabilities.Bounding = p.Capabilities.Bounding
-		lp.Capabilities.Effective = p.Capabilities.Effective
-		lp.Capabilities.Inheritable = p.Capabilities.Inheritable
-		lp.Capabilities.Permitted = p.Capabilities.Permitted
-		lp.Capabilities.Ambient = p.Capabilities.Ambient
-	}
 	for _, gid := range p.User.AdditionalGids {
 		lp.AdditionalGroups = append(lp.AdditionalGroups, strconv.FormatUint(uint64(gid), 10))
 	}