talm

1
// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
4

5
// Package capability provides utility functions to work with capabilities.
6
package capability
7

8
import (
9
	"strings"
10

11
	"github.com/siderolabs/gen/maps"
12
	"kernel.org/pub/linux/libs/security/libcap/cap"
13

14
	"github.com/siderolabs/talos/pkg/machinery/constants"
15
)
16

17
// AllCapabilitiesSet returns the set of all available capabilities.
18
//
19
// Returned capabilities are in UPPERCASE.
20
func AllCapabilitiesSet() map[string]struct{} {
21
	capabilities := make(map[string]struct{})
22

23
	for v := cap.Value(0); v < cap.MaxBits(); v++ {
24
		if set, _ := cap.GetBound(v); set { //nolint:errcheck
25
			capabilities[strings.ToUpper(v.String())] = struct{}{}
26
		}
27
	}
28

29
	return capabilities
30
}
31

32
// AllCapabilitiesSetLowercase returns the set of all available capabilities.
33
//
34
// Returned capabilities are in lowercase.
35
func AllCapabilitiesSetLowercase() map[string]struct{} {
36
	return maps.Map(AllCapabilitiesSet(),
37
		func(capability string, _ struct{}) (string, struct{}) {
38
			return strings.ToLower(capability), struct{}{}
39
		})
40
}
41

42
// AllGrantableCapabilities returns list of capabilities that can be granted to the container based on
43
// process bounding capabilities.
44
//
45
// Returned capabilities are in UPPERCASE.
46
func AllGrantableCapabilities() []string {
47
	allCapabilities := AllCapabilitiesSet()
48

49
	for dropped := range constants.DefaultDroppedCapabilities {
50
		delete(allCapabilities, strings.ToUpper(dropped))
51
	}
52

53
	return maps.Keys(allCapabilities)
54
}
55