container/syscall: export prctl wrapper

This is useful as package "syscall" does not provide such a wrapper. This change also improves error handling to fully conform to the manpage. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-10-22 05:26:54 +09:00
parent fcd9becf9a
commit c5f59c5488
2 changed files with 15 additions and 55 deletions
--- a/container/capability.go
+++ b/container/capability.go
@@ -49,41 +49,10 @@ func capset(hdrp *capHeader, datap *[2]capData) error {
 }

 // capBoundingSetDrop drops a capability from the calling thread's capability bounding set.
-func capBoundingSetDrop(cap uintptr) error {
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		syscall.PR_CAPBSET_DROP,
-		cap, 0,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}
+func capBoundingSetDrop(cap uintptr) error { return Prctl(syscall.PR_CAPBSET_DROP, cap, 0) }

 // capAmbientClearAll clears the ambient capability set of the calling thread.
-func capAmbientClearAll() error {
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		PR_CAP_AMBIENT,
-		PR_CAP_AMBIENT_CLEAR_ALL, 0,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}
+func capAmbientClearAll() error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0) }

 // capAmbientRaise adds to the ambient capability set of the calling thread.
-func capAmbientRaise(cap uintptr) error {
-	r, _, errno := syscall.Syscall(
-		syscall.SYS_PRCTL,
-		PR_CAP_AMBIENT,
-		PR_CAP_AMBIENT_RAISE,
-		cap,
-	)
-	if r != 0 {
-		return errno
-	}
-	return nil
-}
+func capAmbientRaise(cap uintptr) error { return Prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap) }