detect required capabilities

aojea · Jul 16, 2021 · 10b7e95 · 10b7e95
1 parent fff3e52
commit 10b7e95
Show file tree

Hide file tree

Showing 28 changed files with 4,753 additions and 13 deletions.
diff --git a/go.mod b/go.mod
@@ -9,4 +9,5 @@ require (
 	golang.org/x/net v0.0.0-20201224014010-6772e930b67b
 	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
 	gvisor.dev/gvisor v0.0.0-20210506004418-fbfeba3024f0
+	kernel.org/pub/linux/libs/security/libcap/cap v1.2.51
 )
diff --git a/go.sum b/go.sum
@@ -602,6 +602,10 @@ k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
 k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/kube-openapi v0.0.0-20200410163147-594e756bea31/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
 k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.51 h1:2CHkVUXuBnW/jLVgbpfJ0PRdewDCS9h45Mmp6sLhurk=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.51/go.mod h1:1H1c41mQKQi1964hjtZ/Sb+KWgRsLos79wIwOOfwTVU=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51 h1:VXVXjnTUsA9zeHIolNb6moSXZavDe1pD8Q0lPXZEOwc=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.51/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

diff --git a/nk.go b/nk.go
@@ -6,11 +6,11 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"os/exec"
 	"os/signal"
-	"strconv"
 
 	"golang.org/x/sys/unix"
+
+	"kernel.org/pub/linux/libs/security/libcap/cap"
 )
 
 //go:generate bpf2go filter bpf/filter.c -- -I/usr/include -I./bpf -nostdinc -O3
@@ -65,19 +65,13 @@ func main() {
 			k, m, 5, 2)
 	}
 
-	cmd := exec.Command("id", "-u")
-	output, err := cmd.Output()
-	if err != nil {
-		log.Fatal(err)
+	c := cap.GetProc()
+	if on, _ := c.GetFlag(cap.Permitted, cap.NET_RAW); !on {
+		log.Fatalf("insufficient privilege to open RAW sockets - want %q, have %q", cap.NET_RAW, c)
 	}
 
-	// 0 = root, 501 = non-root user
-	i, err := strconv.Atoi(string(output[:len(output)-1]))
-	if err != nil {
-		log.Fatal(err)
-	}
-	if i != 0 {
-		log.Fatal("This program must be run as root! (sudo)")
+	if on, _ := c.GetFlag(cap.Permitted, cap.SYS_RESOURCE); !on {
+		log.Fatalf("insufficient privilege to set rlimit - want %q, have %q", cap.SYS_RESOURCE, c)
 	}
 
 	// Parse command line flags and arguments

diff --git a/vendor/kernel.org/pub/linux/libs/security/libcap/cap/License b/vendor/kernel.org/pub/linux/libs/security/libcap/cap/License
diff --git a/vendor/kernel.org/pub/linux/libs/security/libcap/cap/README b/vendor/kernel.org/pub/linux/libs/security/libcap/cap/README