try to source namespaces dynamically

containers · Nov 13, 2023 · 44fcf79 · 44fcf79
1 parent 10d267a
commit 44fcf79
Showing 1 changed file with 43 additions and 66 deletions.
diff --git a/crates/youki/src/commands/features.rs b/crates/youki/src/commands/features.rs
@@ -1,15 +1,17 @@
 //! Contains Functionality of `features` container command
+use anyhow::{Context, Result};
+use caps::{CapSet, Capability};
+use liboci_cli::Features;
+use procfs::process::Process;
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+use std::path::Path;
+
 pub const ANNOTATION_RUNC_VERSION: &str = "org.opencontainers.runc.version";
 pub const ANNOTATION_RUNC_COMMIT: &str = "org.opencontainers.runc.commit";
 pub const ANNOTATION_RUNC_CHECKPOINT_ENABLED: &str = "org.opencontainers.runc.checkpoint.enabled";
 pub const ANNOTATION_LIBSECCOMP_VERSION: &str = "io.github.seccomp.libseccomp.version";
 
-use anyhow::Result;
-use caps::{all, CapSet, Capability};
-use liboci_cli::Features;
-use serde::{Deserialize, Serialize};
-use std::collections::HashMap;
-
 #[derive(Debug, Serialize, Deserialize)]
 pub struct HardFeatures {
     // Minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0".
@@ -66,23 +68,49 @@ struct Cgroup {
 }
 
 // Function to query and return capabilities
-fn query_caps() -> Vec<String> {
-    let all_caps = all();
-    let mut local_caps = Vec::new();
+fn query_caps() -> Result<Vec<String>> {
+    let mut capabilities = Vec::new();
+    for cap in Capability::iter_variants() {
+        if caps::has_cap(None, CapSet::Effective, cap).context("Failed to check capability")? {
+            capabilities.push(format!("{:?}", cap));
+        }
+    }
+    Ok(capabilities)
+}
+
+// Function to query and return namespaces
+fn query_supported_namespaces() -> Result<Vec<String>> {
+    let mut supported_namespaces = Vec::new();
+
+    let ns_types = vec!["pid", "net", "uts", "ipc", "mnt", "user", "cgroup", "time"];
 
-    for cap in all_caps {
-        if caps::has_cap(None, CapSet::Permitted, cap).unwrap_or(false) {
-            local_caps.push(format!("{:?}", cap));
+    for ns in ns_types {
+        let ns_path = format!("/proc/self/ns/{}", ns);
+        if Path::new(&ns_path).exists() {
+            supported_namespaces.push(ns.to_string());
         }
     }
 
-    local_caps
+    Ok(supported_namespaces)
 }
 
 /// lists all existing containers
 pub fn features(_: Features) -> Result<()> {
-    let capabilities = query_caps();
+    // Query supported namespaces
+    let namespaces = match query_supported_namespaces() {
+        Ok(ns) => ns,
+        Err(e) => {
+            eprintln!("Error querying supported namespaces: {}", e);
+        }
+    };
 
+    // Query available capabilities
+    let capabilities = match query_caps() {
+        Ok(caps) => caps,
+        Err(e) => {
+            eprintln!("Error querying available capabilities: {}", e);
+        }
+    };
     let features = HardFeatures {
         ociVersionMin: Some(String::from("1.0.0")),
         ociVersionMax: Some(String::from("1.0.2-dev")),
@@ -159,59 +187,8 @@ pub fn features(_: Features) -> Result<()> {
             String::from("unbindable"),
         ]),
         linux: Some(Linux {
-            namespaces: Some(vec![
-                String::from("cgroup"),
-                String::from("ipc"),
-                String::from("mount"),
-                String::from("network"),
-                String::from("pid"),
-                String::from("user"),
-                String::from("uts"),
-            ]),
+            namespaces: Some(namespaces),
             capabilities: Some(capabilities),
-            // capabilities: Some(vec![
-            //     String::from("CAP_CHOWN"),
-            //     String::from("CAP_DAC_OVERRIDE"),
-            //     String::from("CAP_DAC_READ_SEARCH"),
-            //     String::from("CAP_FOWNER"),
-            //     String::from("CAP_FSETID"),
-            //     String::from("CAP_KILL"),
-            //     String::from("CAP_SETGID"),
-            //     String::from("CAP_SETUID"),
-            //     String::from("CAP_SETPCAP"),
-            //     String::from("CAP_LINUX_IMMUTABLE"),
-            //     String::from("CAP_NET_BIND_SERVICE"),
-            //     String::from("CAP_NET_BROADCAST"),
-            //     String::from("CAP_NET_ADMIN"),
-            //     String::from("CAP_NET_RAW"),
-            //     String::from("CAP_IPC_LOCK"),
-            //     String::from("CAP_IPC_OWNER"),
-            //     String::from("CAP_SYS_MODULE"),
-            //     String::from("CAP_SYS_RAWIO"),
-            //     String::from("CAP_SYS_CHROOT"),
-            //     String::from("CAP_SYS_PTRACE"),
-            //     String::from("CAP_SYS_PACCT"),
-            //     String::from("CAP_SYS_ADMIN"),
-            //     String::from("CAP_SYS_BOOT"),
-            //     String::from("CAP_SYS_NICE"),
-            //     String::from("CAP_SYS_RESOURCE"),
-            //     String::from("CAP_SYS_TIME"),
-            //     String::from("CAP_SYS_TTY_CONFIG"),
-            //     String::from("CAP_MKNOD"),
-            //     String::from("CAP_LEASE"),
-            //     String::from("CAP_AUDIT_WRITE"),
-            //     String::from("CAP_AUDIT_CONTROL"),
-            //     String::from("CAP_SETFCAP"),
-            //     String::from("CAP_MAC_OVERRIDE"),
-            //     String::from("CAP_MAC_ADMIN"),
-            //     String::from("CAP_SYSLOG"),
-            //     String::from("CAP_WAKE_ALARM"),
-            //     String::from("CAP_BLOCK_SUSPEND"),
-            //     String::from("CAP_AUDIT_READ"),
-            //     String::from("CAP_PERFMON"),
-            //     String::from("CAP_BPF"),
-            //     String::from("CAP_CHECKPOINT_RESTORE"),
-            // ]),
             cgroup: Some(Cgroup {
                 v1: Some(true),
                 v2: Some(true),