validate: optimize capabilites check

Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>

Author: Ma Shimiao

cmd/oci-runtime-tool/validate.go

@@ -4,9 +4,8 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/urfave/cli"
-
 	"github.com/opencontainers/runtime-tools/validate"
+	"github.com/urfave/cli"
 )
 
 var bundleValidateFlags = []cli.Flag{

generate/generate.go

@@ -679,12 +679,12 @@ func lastCap() capability.Cap {
 	return last
 }
 
-func checkCap(c string, hostSpecific bool) error {
+func ValidCap(c string, hostSpecific bool) error {
 	isValid := false
 	cp := strings.ToUpper(c)
 
 	for _, cap := range capability.List() {
-		if cp == strings.ToUpper(cap.String()) {
+		if cp == fmt.Sprintf("CAP_%s", strings.ToUpper(cap.String())) {
 			if hostSpecific && cap > lastCap() {
 				return fmt.Errorf("CAP_%s is not supported on the current host", cp)
 			}
@@ -694,7 +694,7 @@ func checkCap(c string, hostSpecific bool) error {
 	}
 
 	if !isValid {
-		return fmt.Errorf("Invalid value passed for adding capability")
+		return fmt.Errorf("Invalid capability value: %s", cp)
 	}
 	return nil
 }
@@ -709,12 +709,11 @@ func (g *Generator) ClearProcessCapabilities() {
 
 // AddProcessCapability adds a process capability into g.spec.Process.Capabilities.
 func (g *Generator) AddProcessCapability(c string) error {
-	if err := checkCap(c, g.HostSpecific); err != nil {
+	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
+	if err := ValidCap(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
-	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
-
 	g.initSpec()
 	for _, cap := range g.spec.Process.Capabilities {
 		if strings.ToUpper(cap) == cp {
@@ -728,12 +727,11 @@ func (g *Generator) AddProcessCapability(c string) error {
 
 // DropProcessCapability drops a process capability from g.spec.Process.Capabilities.
 func (g *Generator) DropProcessCapability(c string) error {
-	if err := checkCap(c, g.HostSpecific); err != nil {
+	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
+	if err := ValidCap(cp, g.HostSpecific); err != nil {
 		return err
 	}
 
-	cp := fmt.Sprintf("CAP_%s", strings.ToUpper(c))
-
 	g.initSpec()
 	for i, cap := range g.spec.Process.Capabilities {
 		if strings.ToUpper(cap) == cp {

validate/validate.go

@@ -14,29 +14,30 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/blang/semver"
+	"github.com/opencontainers/runtime-tools/generate"
 	rspec "github.com/opencontainers/runtime-spec/specs-go"
 )
 
 const specConfig = "config.json"
 
 var (
 	defaultRlimits = []string{
+		"RLIMIT_AS",
+		"RLIMIT_CORE",
 		"RLIMIT_CPU",
-		"RLIMIT_FSIZE",
 		"RLIMIT_DATA",
-		"RLIMIT_STACK",
-		"RLIMIT_CORE",
-		"RLIMIT_RSS",
-		"RLIMIT_NPROC",
-		"RLIMIT_NOFILE",
-		"RLIMIT_MEMLOCK",
-		"RLIMIT_AS",
+		"RLIMIT_FSIZE",
 		"RLIMIT_LOCKS",
-		"RLIMIT_SIGPENDING",
+		"RLIMIT_MEMLOCK",
 		"RLIMIT_MSGQUEUE",
 		"RLIMIT_NICE",
+		"RLIMIT_NOFILE",
+		"RLIMIT_NPROC",
+		"RLIMIT_RSS",
 		"RLIMIT_RTPRIO",
 		"RLIMIT_RTTIME",
+		"RLIMIT_SIGPENDING",
+		"RLIMIT_STACK",
 	}
 	defaultCaps = []string{
 		"CAP_CHOWN",
@@ -217,19 +218,18 @@ func (v *Validator) CheckProcess() (msgs []string) {
 		}
 	}
 
-	for index := 0; index < len(process.Capabilities); index++ {
-		capability := process.Capabilities[index]
-		if !capValid(capability) {
-			msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", process.Capabilities[index]))
+	for _, capability := range process.Capabilities {
+		if err := generate.ValidCap(capability, v.HostSpecific); err != nil {
+			msgs = append(msgs, fmt.Sprintf("capability %q is not valid, man capabilities(7)", capability))
 		}
 	}
 
-	for index := 0; index < len(process.Rlimits); index++ {
-		if !rlimitValid(process.Rlimits[index].Type) {
-			msgs = append(msgs, fmt.Sprintf("rlimit type %q is invalid.", process.Rlimits[index].Type))
+	for _, rlimit := range process.Rlimits {
+		if !rlimitValid(rlimit.Type) {
+			msgs = append(msgs, fmt.Sprintf("rlimit type %q is invalid.", rlimit.Type))
 		}
-		if process.Rlimits[index].Hard < process.Rlimits[index].Soft {
-			msgs = append(msgs, fmt.Sprintf("hard limit of rlimit %s should not be less than soft limit.", process.Rlimits[index].Type))
+		if rlimit.Hard < rlimit.Soft {
+			msgs = append(msgs, fmt.Sprintf("hard limit of rlimit %s should not be less than soft limit.", rlimit.Type))
 		}
 	}
 
@@ -457,15 +457,6 @@ func envValid(env string) bool {
 	return true
 }
 
-func capValid(capability string) bool {
-	for _, val := range defaultCaps {
-		if val == capability {
-			return true
-		}
-	}
-	return false
-}
-
 func rlimitValid(rlimit string) bool {
 	for _, val := range defaultRlimits {
 		if val == rlimit {