From c5f59c5488cc529a5a7c7a89e1da56c2b44db16c Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Wed, 22 Oct 2025 05:26:54 +0900
Subject: [PATCH] container/syscall: export prctl wrapper

This is useful as package "syscall" does not provide such a wrapper. This change also improves error handling to fully conform to the manpage.

Signed-off-by: Ophestra
---
 container/capability.go | 37 +++----------------------------------
 container/syscall.go | 33 ++++++++++++---------------------
 2 files changed, 15 insertions(+), 55 deletions(-)

diff --git a/container/capability.go b/container/capability.go
index f41bffa..11d95b3 100644
--- a/container/capability.go
+++ b/container/capability.go
@@ -49,41 +49,10 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }
 
 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error {
- r, _, errno := syscall.Syscall(
- syscall.SYS_PRCTL,
- syscall.PR_CAPBSET_DROP,
- cap, 0,
- )
- if r != 0 {
- return errno
- }
- return nil
-}
+func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }
 
 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error {
- r, _, errno := syscall.Syscall(
- syscall.SYS_PRCTL,
- PR_CAP_AMBIENT,
- PR_CAP_AMBIENT_CLEAR_ALL, 0,
- )
- if r != 0 {
- return errno
- }
- return nil
-}
+func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }
 
 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error {
- r, _, errno := syscall.Syscall(
- syscall.SYS_PRCTL,
- PR_CAP_AMBIENT,
- PR_CAP_AMBIENT_RAISE,
- cap,
- )
- if r != 0 {
- return errno
- }
- return nil
-}
+func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }
diff --git a/container/syscall.go b/container/syscall.go
index 48819d4..ef9fb15 100644
--- a/container/syscall.go
+++ b/container/syscall.go
@@ -5,38 +5,29 @@ import (
 "unsafe"
 )
 
-// SetPtracer allows processes to ptrace(2) the calling process.
-func SetPtracer(pid uintptr) error {
- _, _, errno := Syscall(SYS_PRCTL, PR_SET_PTRACER, pid, 0)
- if errno == 0 {
- return nil
+// Prctl manipulates various aspects of the behavior of the calling thread or process.
+func Prctl(op, arg2, arg3 uintptr) error {
+ r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3)
+ if r < 0 {
+ return errno
 }
- return errno
+ return nil
 }
 
+// SetPtracer allows processes to ptrace(2) the calling process.
+func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) }
+
+// linux/sched/coredump.h
 const (
 SUID_DUMP_DISABLE = iota
 SUID_DUMP_USER
 )
 
 // SetDumpable sets the "dumpable" attribute of the calling process.
-func SetDumpable(dumpable uintptr) error {
- // linux/sched/coredump.h
- if _, _, errno := Syscall(SYS_PRCTL, PR_SET_DUMPABLE, dumpable, 0); errno != 0 {
- return errno
- }
-
- return nil
-}
+func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) }
 
 // SetNoNewPrivs sets the calling thread's no_new_privs attribute.
-func SetNoNewPrivs() error {
- _, _, errno := Syscall(SYS_PRCTL, PR_SET_NO_NEW_PRIVS, 1, 0)
- if errno == 0 {
- return nil
- }
- return errno
-}
+func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) }
 
 // Isatty tests whether a file descriptor refers to a terminal.
 func Isatty(fd int) bool {
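Review bot: The check `if r < 0` in the new Prctl can never be true because `r` is a `uintptr`, which is unsigned, so Prctl returns nil unconditionally and every kernel error is discarded (staticcheck SA4003 reports exactly this comparison). That silently regresses all the callers this commit rewrites onto it — SetPtracer, SetDumpable and SetNoNewPrivs here, and capBoundingSetDrop, capAmbientClearAll and capAmbientRaise in container/capability.go — which previously did return errno; for a sandbox, a failed no_new_privs, dumpable or bounding-set change that reports success is the worst possible failure mode. prctl(2) signals failure with -1 and errno, and assuming the package's Syscall mirrors syscall.Syscall the errno result is non-zero exactly in that case, so the guard should be `if errno != 0 {` (or `if int(r) == -1 {`), which is also independent of the op-specific non-negative success values the manpage describes. If the exported wrapper is meant to cover PR_GET_* ops later, consider returning `(uintptr, error)` rather than dropping `r`.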