Merge pull request #5083 from AkihiroSuda/remove-dep-gocapability

drop dependency on github.com/syndtr/gocapability

go.mod

@@ -48,7 +48,6 @@ require (
 	github.com/prometheus/client_golang v1.7.1
 	github.com/sirupsen/logrus v1.7.0
 	github.com/stretchr/testify v1.6.1
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	github.com/tchap/go-patricia v2.2.6+incompatible
 	github.com/urfave/cli v1.22.2
 	go.etcd.io/bbolt v1.3.5

pkg/cap/cap_linux.go

@@ -25,29 +25,31 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/syndtr/gocapability/capability"
 )
 
-// FromUint64 parses an integer into string slice like
+// FromNumber returns a cap string like "CAP_SYS_ADMIN"
+// that corresponds to the given number like 21.
+//
+// FromNumber returns an empty string for unknown cap number.
+func FromNumber(num int) string {
+	if num < 0 || num > len(capsLatest)-1 {
+		return ""
+	}
+	return capsLatest[num]
+}
+
+// FromBitmap parses an uint64 bitmap into string slice like
 // []{"CAP_SYS_ADMIN", ...}.
 //
 // Unknown cap numbers are returned as []int.
-func FromUint64(v uint64) ([]string, []int) {
+func FromBitmap(v uint64) ([]string, []int) {
 	var (
 		res     []string
 		unknown []int
 	)
-	knownList := capability.List()
-	known := make(map[string]struct{}, len(knownList))
-	for _, f := range knownList {
-		known[f.String()] = struct{}{}
-	}
 	for i := 0; i <= 63; i++ {
 		if b := (v >> i) & 0x1; b == 0x1 {
-			c := capability.Cap(i)
-			sRaw := c.String()
-			if _, ok := known[sRaw]; ok {
-				s := "CAP_" + strings.ToUpper(sRaw)
+			if s := FromNumber(i); s != "" {
 				res = append(res, s)
 			} else {
 				unknown = append(unknown, i)
@@ -57,9 +59,25 @@ func FromUint64(v uint64) ([]string, []int) {
 	return res, unknown
 }
 
-// ParseProcPIDStatus returns uint64 value from /proc/<PID>/status file
-func ParseProcPIDStatus(r io.Reader) (map[capability.CapType]uint64, error) {
-	res := make(map[capability.CapType]uint64)
+// Type is the type of capability
+type Type int
+
+const (
+	// Effective is CapEff
+	Effective Type = 1 << iota
+	// Effective is CapPrm
+	Permitted
+	// Inheritable is CapInh
+	Inheritable
+	// Bounding is CapBnd
+	Bounding
+	// Ambient is CapAmb
+	Ambient
+)
+
+// ParseProcPIDStatus returns uint64 bitmap value from /proc/<PID>/status file
+func ParseProcPIDStatus(r io.Reader) (map[Type]uint64, error) {
+	res := make(map[Type]uint64)
 	scanner := bufio.NewScanner(r)
 	for scanner.Scan() {
 		line := scanner.Text()
@@ -77,15 +95,15 @@ func ParseProcPIDStatus(r io.Reader) (map[capability.CapType]uint64, error) {
 			}
 			switch k {
 			case "CapInh":
-				res[capability.INHERITABLE] = ui64
+				res[Inheritable] = ui64
 			case "CapPrm":
-				res[capability.PERMITTED] = ui64
+				res[Permitted] = ui64
 			case "CapEff":
-				res[capability.EFFECTIVE] = ui64
+				res[Effective] = ui64
 			case "CapBnd":
-				res[capability.BOUNDING] = ui64
+				res[Bounding] = ui64
 			case "CapAmb":
-				res[capability.AMBIENT] = ui64
+				res[Ambient] = ui64
 			}
 		}
 	}
@@ -112,8 +130,8 @@ func Current() ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	capEff := caps[capability.EFFECTIVE]
-	names, _ := FromUint64(capEff)
+	capEff := caps[Effective]
+	names, _ := FromBitmap(capEff)
 	return names, nil
 }
 
@@ -163,10 +181,12 @@ var (
 	// caps58 is the caps of kernel 5.8 (40 entries)
 	caps58 = append(caps316, []string{"CAP_PERFMON", "CAP_BPF"}...)
 	// caps59 is the caps of kernel 5.9 (41 entries)
-	caps59 = append(caps58, "CAP_CHECKPOINT_RESTORE")
+	caps59     = append(caps58, "CAP_CHECKPOINT_RESTORE")
+	capsLatest = caps59
 )
 
-// Known returns the known cap strings as of kernel 5.9
+// Known returns the known cap strings of the latest kernel.
+// The current latest kernel is 5.9.
 func Known() []string {
-	return caps59
+	return capsLatest
 }

pkg/cap/cap_linux_test.go

@@ -21,7 +21,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/syndtr/gocapability/capability"
 )
 
 func TestCapsList(t *testing.T) {
@@ -30,7 +29,16 @@ func TestCapsList(t *testing.T) {
 	assert.Len(t, caps59, 41)
 }
 
-func TestFromUint64(t *testing.T) {
+func TestFromNumber(t *testing.T) {
+	assert.Equal(t, "CAP_CHOWN", FromNumber(0))
+	assert.Equal(t, "CAP_SYS_ADMIN", FromNumber(21))
+	assert.Equal(t, "CAP_CHECKPOINT_RESTORE", FromNumber(40))
+	assert.Equal(t, "", FromNumber(-1))
+	assert.Equal(t, "", FromNumber(63))
+	assert.Equal(t, "", FromNumber(255))
+}
+
+func TestFromBitmap(t *testing.T) {
 	type testCase struct {
 		comment    string
 		v          uint64
@@ -72,7 +80,7 @@ func TestFromUint64(t *testing.T) {
 	}
 
 	for _, tc := range testCases {
-		knownNames, unknown := FromUint64(tc.v)
+		knownNames, unknown := FromBitmap(tc.v)
 		t.Logf("[%s] v=0x%x, got=%+v (%d entries), unknown=%v",
 			tc.comment, tc.v, knownNames, len(knownNames), unknown)
 		assert.Equal(t, tc.knownNames, knownNames)
@@ -139,12 +147,12 @@ nonvoluntary_ctxt_switches:     0
 `
 	res, err := ParseProcPIDStatus(strings.NewReader(procPIDStatus))
 	assert.NoError(t, err)
-	expected := map[capability.CapType]uint64{
-		capability.INHERITABLE: 0,
-		capability.PERMITTED:   0xffffffffff,
-		capability.EFFECTIVE:   0xffffffffff,
-		capability.BOUNDING:    0xffffffffff,
-		capability.AMBIENT:     0,
+	expected := map[Type]uint64{
+		Inheritable: 0,
+		Permitted:   0xffffffffff,
+		Effective:   0xffffffffff,
+		Bounding:    0xffffffffff,
+		Ambient:     0,
 	}
 	assert.EqualValues(t, expected, res)
 }