From b55c8fbbb8ecfd407a1d9eeec850b8c4885f4331 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 8 Jan 2025 12:25:42 -0800 Subject: [PATCH] libct/cap: allow New(nil) In runtime-spec, capabilities property is optional, but libcontainer/capabilities panics when New(nil) is called. Because of this, there's a kludge in finalizeNamespace to ensure capabilities.New is not called with nil argument, and there's a TestProcessEmptyCaps to ensure runc won't panic. Let's fix this at the source, allowing libct/cap to work with nil capabilities. (The caller is fixed by the next commit.) Signed-off-by: Kir Kolyshkin --- libcontainer/capabilities/capabilities.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libcontainer/capabilities/capabilities.go b/libcontainer/capabilities/capabilities.go index d38b8a7c..49b842ca 100644 --- a/libcontainer/capabilities/capabilities.go +++ b/libcontainer/capabilities/capabilities.go @@ -54,6 +54,9 @@ func New(capConfig *configs.Capabilities) (*Caps, error) { err error c Caps ) + if capConfig == nil { + return &c, nil + } unknownCaps := make(map[string]struct{}) c.caps = map[capability.CapType][]capability.Cap{ @@ -108,6 +111,9 @@ type Caps struct { // ApplyBoundingSet sets the capability bounding set to those specified in the whitelist. func (c *Caps) ApplyBoundingSet() error { + if c.pid == nil { + return nil + } c.pid.Clear(capability.BOUNDING) c.pid.Set(capability.BOUNDING, c.caps[capability.BOUNDING]...) return c.pid.Apply(capability.BOUNDING) @@ -115,6 +121,9 @@ func (c *Caps) ApplyBoundingSet() error { // Apply sets all the capabilities for the current process in the config. func (c *Caps) ApplyCaps() error { + if c.pid == nil { + return nil + } c.pid.Clear(allCapabilityTypes) for _, g := range capTypes { c.pid.Set(g, c.caps[g]...) -- 2.33.0