From 8b69bcd2154fdc7903aceca662e9694588c982f2 Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 26 Mar 2025 06:19:19 +0900
Subject: [PATCH] sandbox: cache kernel.cap_last_cap value

Signed-off-by: Ophestra
---
 sandbox/overflow.go | 37 -----------------------------------
 sandbox/sysctl.go | 47 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 37 deletions(-)
 delete mode 100644 sandbox/overflow.go
 create mode 100644 sandbox/sysctl.go

diff --git a/sandbox/overflow.go b/sandbox/overflow.go
deleted file mode 100644
index ebaad70..0000000
--- a/sandbox/overflow.go
+++ /dev/null
@@ -1,37 +0,0 @@
-package sandbox
-
-import (
- "bytes"
- "log"
- "os"
- "strconv"
- "sync"
-)
-
-var (
- ofUid int
- ofGid int
- ofOnce sync.Once
-)
-
-const (
- ofUidPath = "/proc/sys/kernel/overflowuid"
- ofGidPath = "/proc/sys/kernel/overflowgid"
-)
-
-func mustReadOverflow() {
- if v, err := os.ReadFile(ofUidPath); err != nil {
- log.Fatalf("cannot read %q: %v", ofUidPath, err)
- } else if ofUid, err = strconv.Atoi(string(bytes.TrimSpace(v))); err != nil {
- log.Fatalf("cannot interpret %q: %v", ofUidPath, err)
- }
-
- if v, err := os.ReadFile(ofGidPath); err != nil {
- log.Fatalf("cannot read %q: %v", ofGidPath, err)
- } else if ofGid, err = strconv.Atoi(string(bytes.TrimSpace(v))); err != nil {
- log.Fatalf("cannot interpret %q: %v", ofGidPath, err)
- }
-}
-
-func OverflowUid() int { ofOnce.Do(mustReadOverflow); return ofUid }
-func OverflowGid() int { ofOnce.Do(mustReadOverflow); return ofGid }
diff --git a/sandbox/sysctl.go b/sandbox/sysctl.go
new file mode 100644
index 0000000..22046b6
--- /dev/null
+++ b/sandbox/sysctl.go
@@ -0,0 +1,47 @@
+package sandbox
+
+import (
+ "bytes"
+ "log"
+ "os"
+ "strconv"
+ "sync"
+)
+
+var (
+ kernelOverflowuid int
+ kernelOverflowgid int
+ kernelCapLastCap int
+
+ sysctlOnce sync.Once
+)
+
+const (
+ kernelOverflowuidPath = "/proc/sys/kernel/overflowuid"
+ kernelOverflowgidPath = "/proc/sys/kernel/overflowgid"
+ kernelCapLastCapPath = "/proc/sys/kernel/cap_last_cap"
+)
+
+func mustReadSysctl() {
+ if v, err := os.ReadFile(kernelOverflowuidPath); err != nil {
+ log.Fatalf("cannot read %q: %v", kernelOverflowuidPath, err)
+ } else if kernelOverflowuid, err = strconv.Atoi(string(bytes.TrimSpace(v))); err != nil {
+ log.Fatalf("cannot interpret %q: %v", kernelOverflowuidPath, err)
+ }
+
+ if v, err := os.ReadFile(kernelOverflowgidPath); err != nil {
+ log.Fatalf("cannot read %q: %v", kernelOverflowgidPath, err)
+ } else if kernelOverflowgid, err = strconv.Atoi(string(bytes.TrimSpace(v))); err != nil {
+ log.Fatalf("cannot interpret %q: %v", kernelOverflowgidPath, err)
+ }
+
+ if v, err := os.ReadFile(kernelCapLastCapPath); err != nil {
+ log.Fatalf("cannot read %q: %v", kernelCapLastCapPath, err)
+ } else if kernelCapLastCap, err = strconv.Atoi(string(bytes.TrimSpace(v))); err != nil {
+ log.Fatalf("cannot interpret %q: %v", kernelCapLastCapPath, err)
+ }
+}
+
+func OverflowUid() int { sysctlOnce.Do(mustReadSysctl); return kernelOverflowuid }
+func OverflowGid() int { sysctlOnce.Do(mustReadSysctl); return kernelOverflowgid }
+func LastCap() uintptr { sysctlOnce.Do(mustReadSysctl); return uintptr(kernelCapLastCap) }
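Review bot: `LastCap` converts `kernelCapLastCap` straight to `uintptr` on the last line of the hunk, so a negative or oversized number parsed from cap_last_cap would silently become a huge capability index instead of failing the way the read and parse errors in `mustReadSysctl` do; a Linux capability bitmask only has room for indices 0–63, so I would add a range check after that parse: `} else if kernelCapLastCap < 0 || kernelCapLastCap > 63 {` / `log.Fatalf("unexpected value %d in %q", kernelCapLastCap, kernelCapLastCapPath)` / `}`. Sharing a single `sysctlOnce` across all three sysctls also means `OverflowUid()` and `OverflowGid()` now exit fatally when `/proc/sys/kernel/cap_last_cap` cannot be read, which the deleted overflow.go did not do; one `sync.Once` per value (or per file) would keep the lookups independent. The three exported functions, including the new `LastCap`, carry no doc comments; e.g. `// LastCap returns the kernel.cap_last_cap sysctl, the highest capability number the running kernel supports.`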