Merge pull request #877 from giuseppe/add-function-to-check-for-CAP_S…

…YS_ADMIN unshare: new function HasCapSysAdmin
containers · Apr 20, 2021 · 8f31414 · 8f31414
2 parents 29560b3 + edf765f
commit 8f31414
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/pkg/unshare/unshare.go b/pkg/unshare/unshare.go
@@ -7,12 +7,17 @@ import (
 	"sync"
 
 	"github.com/pkg/errors"
+	"github.com/syndtr/gocapability/capability"
 )
 
 var (
 	homeDirOnce sync.Once
 	homeDirErr  error
 	homeDir     string
+
+	hasCapSysAdminOnce sync.Once
+	hasCapSysAdminRet  bool
+	hasCapSysAdminErr  error
 )
 
 // HomeDir returns the home directory for the current user.
@@ -32,3 +37,20 @@ func HomeDir() (string, error) {
 	})
 	return homeDir, homeDirErr
 }
+
+// HasCapSysAdmin returns whether the current process has CAP_SYS_ADMIN.
+func HasCapSysAdmin() (bool, error) {
+	hasCapSysAdminOnce.Do(func() {
+		currentCaps, err := capability.NewPid2(0)
+		if err != nil {
+			hasCapSysAdminErr = err
+			return
+		}
+		if err = currentCaps.Load(); err != nil {
+			hasCapSysAdminErr = err
+			return
+		}
+		hasCapSysAdminRet = currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN)
+	})
+	return hasCapSysAdminRet, hasCapSysAdminErr
+}