Apache Mesos
capabilities.hpp
Go to the documentation of this file.
1 // Licensed to the Apache Software Foundation (ASF) under one
2 // or more contributor license agreements. See the NOTICE file
3 // distributed with this work for additional information
4 // regarding copyright ownership. The ASF licenses this file
5 // to you under the Apache License, Version 2.0 (the
6 // "License"); you may not use this file except in compliance
7 // with the License. You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 
17 #ifndef __LINUX_CAPABILITIES_HPP__
18 #define __LINUX_CAPABILITIES_HPP__
19 
20 #include <set>
21 
22 #include <stout/flags.hpp>
23 #include <stout/nothing.hpp>
24 #include <stout/protobuf.hpp>
25 #include <stout/try.hpp>
26 
27 #include <mesos/mesos.hpp>
28 
29 namespace mesos {
30 namespace internal {
31 namespace capabilities {
32 
33 // Superset of all capabilities. This is the set currently supported
34 // by linux (kernel 4.0).
35 enum Capability : int
36 {
37  CHOWN = 0,
38  DAC_OVERRIDE = 1,
39  DAC_READ_SEARCH = 2,
40  FOWNER = 3,
41  FSETID = 4,
42  KILL = 5,
43  SETGID = 6,
44  SETUID = 7,
45  SETPCAP = 8,
46  LINUX_IMMUTABLE = 9,
47  NET_BIND_SERVICE = 10,
48  NET_BROADCAST = 11,
49  NET_ADMIN = 12,
50  NET_RAW = 13,
51  IPC_LOCK = 14,
52  IPC_OWNER = 15,
53  SYS_MODULE = 16,
54  SYS_RAWIO = 17,
55  SYS_CHROOT = 18,
56  SYS_PTRACE = 19,
57  SYS_PACCT = 20,
58  SYS_ADMIN = 21,
59  SYS_BOOT = 22,
60  SYS_NICE = 23,
61  SYS_RESOURCE = 24,
62  SYS_TIME = 25,
63  SYS_TTY_CONFIG = 26,
64  MKNOD = 27,
65  LEASE = 28,
66  AUDIT_WRITE = 29,
67  AUDIT_CONTROL = 30,
68  SETFCAP = 31,
69  MAC_OVERRIDE = 32,
70  MAC_ADMIN = 33,
71  SYSLOG = 34,
72  WAKE_ALARM = 35,
73  BLOCK_SUSPEND = 36,
74  AUDIT_READ = 37,
75  MAX_CAPABILITY = 38,
76 };
77 
78 
79 enum Type
80 {
81  EFFECTIVE,
82  PERMITTED,
83  INHERITABLE,
84  BOUNDING,
85  AMBIENT,
86 };
87 
88 
92 class ProcessCapabilities
93 {
94 public:
95  const std::set<Capability>& get(const Type& type) const;
96  void set(const Type& type, const std::set<Capability>& capabilities);
97  void add(const Type& type, const Capability& capability);
98  void drop(const Type& type, const Capability& capability);
99 
100  bool operator==(const ProcessCapabilities& right) const
101  {
102  return right.effective == effective &&
103  right.permitted == permitted &&
104  right.inheritable == inheritable &&
105  right.bounding == bounding &&
106  right.ambient == ambient;
107  }
108 
109 private:
110  friend std::ostream& operator<<(
111  std::ostream& stream,
112  const ProcessCapabilities& processCapabilities);
113 
114  std::set<Capability> effective;
115  std::set<Capability> permitted;
116  std::set<Capability> inheritable;
117  std::set<Capability> bounding;
118  std::set<Capability> ambient;
119 };
120 
121 
131 class Capabilities
132 {
133 public:
144  static Try<Capabilities> create();
145 
152  Try<ProcessCapabilities> get() const;
153 
161  Try<Nothing> set(const ProcessCapabilities& processCapabilities);
162 
170  Try<Nothing> setKeepCaps();
171 
177  std::set<Capability> getAllSupportedCapabilities();
178 
185  const bool ambientCapabilitiesSupported;
186 
187 private:
188  Capabilities(int _lastCap, bool _ambientSupported);
189 
190  // Maximum count of capabilities supported by the system.
191  const int lastCap;
192 };
193 
194 
195 Capability convert(const CapabilityInfo::Capability& capability);
196 std::set<Capability> convert(const CapabilityInfo& capabilityInfo);
197 CapabilityInfo convert(const std::set<Capability>& capabilitySet);
198 
199 
200 std::ostream& operator<<(
201  std::ostream& stream,
202  const Capability& capability);
203 
204 
205 std::ostream& operator<<(
206  std::ostream& stream,
207  const Type& type);
208 
209 
210 std::ostream& operator<<(
211  std::ostream& stream,
212  const ProcessCapabilities& capabilities);
213 
214 } // namespace capabilities {
215 } // namespace internal {
216 } // namespace mesos {
217 
218 #endif // __LINUX_CAPABILITIES_HPP__
mesos::internal::capabilities::SYS_PACCT
Definition: capabilities.hpp:57
mesos::internal::capabilities::Capabilities::setKeepCaps
Try< Nothing > setKeepCaps()
Process control interface to enforce keeping the parent process&#39;s capabilities after a change in uid/...
mesos::internal::capabilities::ProcessCapabilities
Encapsulation of capability value sets.
Definition: capabilities.hpp:92
mesos::internal::capabilities::DAC_OVERRIDE
Definition: capabilities.hpp:38
mesos::internal::capabilities::Capabilities::getAllSupportedCapabilities
std::set< Capability > getAllSupportedCapabilities()
Get all capabilities supported by the system.
mesos::internal::capabilities::KILL
Definition: capabilities.hpp:42
mesos::internal::capabilities::SYS_TTY_CONFIG
Definition: capabilities.hpp:63
mesos::internal::capabilities::ProcessCapabilities::operator<<
friend std::ostream & operator<<(std::ostream &stream, const ProcessCapabilities &processCapabilities)
mesos::internal::capabilities::MAC_ADMIN
Definition: capabilities.hpp:70
mesos::internal::capabilities::PERMITTED
Definition: capabilities.hpp:82
mesos::internal::capabilities::NET_BROADCAST
Definition: capabilities.hpp:48
Try
Definition: try.hpp:34
mesos::internal::capabilities::SYS_BOOT
Definition: capabilities.hpp:59
mesos::internal::capabilities::MKNOD
Definition: capabilities.hpp:64
mesos::internal::capabilities::SETFCAP
Definition: capabilities.hpp:68
mesos::internal::capabilities::AMBIENT
Definition: capabilities.hpp:85
mesos::internal::capabilities::ProcessCapabilities::drop
void drop(const Type &type, const Capability &capability)
mesos::internal::capabilities::FOWNER
Definition: capabilities.hpp:40
mesos::internal::capabilities::SYS_ADMIN
Definition: capabilities.hpp:58
mesos::internal::capabilities::Capabilities::create
static Try< Capabilities > create()
Factory method to create Capabilities object.
mesos::internal::capabilities::Capability
Capability
Definition: capabilities.hpp:35
mesos::internal::capabilities::SETUID
Definition: capabilities.hpp:44
mesos::internal::capabilities::ProcessCapabilities::operator==
bool operator==(const ProcessCapabilities &right) const
Definition: capabilities.hpp:100
mesos::internal::capabilities::LINUX_IMMUTABLE
Definition: capabilities.hpp:46
mesos::internal::capabilities::CHOWN
Definition: capabilities.hpp:37
mesos::internal::capabilities::IPC_OWNER
Definition: capabilities.hpp:52
mesos::internal::capabilities::NET_RAW
Definition: capabilities.hpp:50
mesos::internal::capabilities::Capabilities::ambientCapabilitiesSupported
const bool ambientCapabilitiesSupported
Whether ambient capabilities are supported on this host.
Definition: capabilities.hpp:185
mesos::internal::capabilities::ProcessCapabilities::add
void add(const Type &type, const Capability &capability)
mesos::internal::capabilities::SYS_RAWIO
Definition: capabilities.hpp:54
mesos::internal::capabilities::INHERITABLE
Definition: capabilities.hpp:83
mesos::internal::capabilities::BOUNDING
Definition: capabilities.hpp:84
mesos::internal::capabilities::SYS_MODULE
Definition: capabilities.hpp:53
mesos::internal::capabilities::SYS_TIME
Definition: capabilities.hpp:62
mesos::internal::capabilities::SYS_PTRACE
Definition: capabilities.hpp:56
mesos::internal::capabilities::WAKE_ALARM
Definition: capabilities.hpp:72
mesos::internal::capabilities::SYS_CHROOT
Definition: capabilities.hpp:55
mesos::internal::capabilities::SETGID
Definition: capabilities.hpp:43
mesos::internal::capabilities::convert
Capability convert(const CapabilityInfo::Capability &capability)
mesos::internal::capabilities::AUDIT_READ
Definition: capabilities.hpp:74
mesos::internal::capabilities::DAC_READ_SEARCH
Definition: capabilities.hpp:39
mesos::internal::capabilities::FSETID
Definition: capabilities.hpp:41
mesos::internal::capabilities::NET_ADMIN
Definition: capabilities.hpp:49
mesos::internal::capabilities::SYSLOG
Definition: capabilities.hpp:71
mesos::internal::capabilities::SYS_NICE
Definition: capabilities.hpp:60
mesos::internal::capabilities::Type
Type
Definition: capabilities.hpp:79
mesos::internal::capabilities::EFFECTIVE
Definition: capabilities.hpp:81
mesos::internal::capabilities::BLOCK_SUSPEND
Definition: capabilities.hpp:73
mesos::internal::fs::type
Try< uint32_t > type(const std::string &path)
mesos::internal::capabilities::MAC_OVERRIDE
Definition: capabilities.hpp:69
mesos::internal::capabilities::operator<<
std::ostream & operator<<(std::ostream &stream, const Capability &capability)
mesos::internal::capabilities::AUDIT_CONTROL
Definition: capabilities.hpp:67
mesos::internal::capabilities::SETPCAP
Definition: capabilities.hpp:45
mesos::internal::capabilities::SYS_RESOURCE
Definition: capabilities.hpp:61
mesos::internal::capabilities::LEASE
Definition: capabilities.hpp:65
mesos::internal::capabilities::ProcessCapabilities::set
void set(const Type &type, const std::set< Capability > &capabilities)
mesos::internal::capabilities::AUDIT_WRITE
Definition: capabilities.hpp:66
mesos::internal::capabilities::IPC_LOCK
Definition: capabilities.hpp:51
mesos::internal::capabilities::MAX_CAPABILITY
Definition: capabilities.hpp:75
mesos::internal::capabilities::Capabilities
Provides wrapper for the linux process capabilities interface.
Definition: capabilities.hpp:131
mesos::internal::capabilities::Capabilities::set
Try< Nothing > set(const ProcessCapabilities &processCapabilities)
Sets capabilities for the calling process.
Generated by   doxygen 1.8.5