Merge pull request #25275 from dfr/freebsd-hascapresource

libpod: make hasCapSysResource platform-specific
containers · Feb 10, 2025 · e943a2b · e943a2b
2 parents 8bb1768 + ab04109
commit e943a2b
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 14 deletions.
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -18,7 +18,6 @@ import (
 	"slices"
 	"strconv"
 	"strings"
-	"sync"
 	"syscall"
 	"time"
 
@@ -53,7 +52,6 @@ import (
 	"github.com/containers/storage/pkg/unshare"
 	stypes "github.com/containers/storage/types"
 	securejoin "github.com/cyphar/filepath-securejoin"
-	"github.com/moby/sys/capability"
 	runcuser "github.com/moby/sys/user"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
@@ -179,18 +177,6 @@ func getOverlayUpperAndWorkDir(options []string) (string, string, error) {
 	return upperDir, workDir, nil
 }
 
-// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
-var hasCapSysResource = sync.OnceValues(func() (bool, error) {
-	currentCaps, err := capability.NewPid2(0)
-	if err != nil {
-		return false, err
-	}
-	if err = currentCaps.Load(); err != nil {
-		return false, err
-	}
-	return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
-})
-
 // Generate spec for a container
 // Accepts a map of the container's dependencies
 func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFuncRet func(), err error) {

diff --git a/libpod/container_internal_freebsd.go b/libpod/container_internal_freebsd.go
@@ -410,3 +410,8 @@ func (c *Container) hasPrivateUTS() bool {
 	// specification.
 	return true
 }
+
+// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
+func hasCapSysResource() (bool, error) {
+	return true, nil
+}
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
@@ -21,6 +21,7 @@ import (
 	"github.com/containers/podman/v5/libpod/define"
 	"github.com/containers/podman/v5/libpod/shutdown"
 	"github.com/containers/podman/v5/pkg/rootless"
+	"github.com/moby/sys/capability"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/opencontainers/selinux/go-selinux/label"
@@ -835,3 +836,15 @@ func (c *Container) hasPrivateUTS() bool {
 	}
 	return privateUTS
 }
+
+// hasCapSysResource returns whether the current process has CAP_SYS_RESOURCE.
+var hasCapSysResource = sync.OnceValues(func() (bool, error) {
+	currentCaps, err := capability.NewPid2(0)
+	if err != nil {
+		return false, err
+	}
+	if err = currentCaps.Load(); err != nil {
+		return false, err
+	}
+	return currentCaps.Get(capability.EFFECTIVE, capability.CAP_SYS_RESOURCE), nil
+})