
Go: Know if CAP_IPC_LOCK belongs to the process' effective set

package linux_cap

import (
	"bufio"
	"bytes"
	"fmt"
	"io/fs"
	"log"
	"strconv"
	"strings"
)

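// HasEffIpcLock reports whether CAP_IPC_LOCK is present in the process'
// effective capability set.
//
// It is possible that the user will have started the process without
// CAP_IPC_LOCK in the bounding capability (i.e., set on the deployment). The
// process will start fine without it as Memguard doesn't use much
// memlocked memory. The argument `f` is meant for testing purposes, use
// os.DirFS("/").
//
// The check reads proc/self/status from f and parses the CapEff line; CapBnd
// and CapPrm are parsed as well but only logged. Go's standard library
// doesn't have an API for that.
//
// An error is returned when the status file cannot be read, when a Cap* line
// does not hold a hexadecimal mask, or when no CapEff line is present. A
// missing CapEff line is reported as an error rather than as "capability not
// held" so that an unexpected or malformed status file is not mistaken for a
// deliberately dropped capability.
func HasEffIpcLock(f fs.FS) (bool, error) {
	contents, err := fs.ReadFile(f, "proc/self/status")
	if err != nil {
		return false, fmt.Errorf("while checking capabilities in /proc/self/status: %w", err)
	}

	// The kernel prints each capability set as a 64-bit hexadecimal mask
	// (a full bounding set on a recent kernel looks like 000001ffffffffff),
	// so the destinations must be 64 bits wide: a uint32 overflows the parse
	// as soon as any capability numbered 32 or higher is in the set.
	var capEff, capBnd, capPrm uint64
	var sawCapEff bool
	scanner := bufio.NewScanner(bytes.NewReader(contents))
	for scanner.Scan() {
		// Real status lines are never indented; trimming only makes the
		// parser tolerant of hand-written fixtures.
		line := strings.TrimSpace(scanner.Text())

		var key string
		var dst *uint64
		switch {
		case strings.HasPrefix(line, "CapEff:"):
			key, dst = "CapEff", &capEff
			sawCapEff = true
		case strings.HasPrefix(line, "CapBnd:"):
			key, dst = "CapBnd", &capBnd
		case strings.HasPrefix(line, "CapPrm:"):
			key, dst = "CapPrm", &capPrm
		default:
			continue
		}

		// ParseUint rejects trailing garbage, unlike a %x Sscanf which stops
		// at the first non-hex character and reports success.
		value := strings.TrimSpace(strings.TrimPrefix(line, key+":"))
		mask, err := strconv.ParseUint(value, 16, 64)
		if err != nil {
			return false, fmt.Errorf("/proc/self/status: failed to parse %s: %w", key, err)
		}
		*dst = mask
	}
	if err := scanner.Err(); err != nil {
		return false, fmt.Errorf("/proc/self/status: reading: %w", err)
	}
	if !sawCapEff {
		return false, fmt.Errorf("/proc/self/status: no CapEff line found")
	}

	// CAP_IPC_LOCK is capability number 14, i.e. bit 1<<14 of the mask.
	const capIpcLock uint64 = 1 << 14
	log.Printf("capEff: %x, capBnd: %x, capPrm: %x", capEff, capBnd, capPrm)
	return capEff&capIpcLock != 0, nil
}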

Tests:

package linux_cap

import (
	"testing"
	"testing/fstest"

	"github.com/stretchr/testify/assert"
)

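// TestHasEffIpcLock drives HasEffIpcLock with synthetic proc/self/status
// contents served from an in-memory fs.FS, covering the effective-bit
// decision and the error path when the file is absent.
//
// Fixture lines start at column 0 on purpose: the kernel never indents status
// lines, and an indented raw string would not match the "CapEff:" prefix the
// function looks for.
func TestHasEffIpcLock(t *testing.T) {
	tests := []struct {
		name           string
		procStatusFile string // contents of proc/self/status; empty means the file is absent
		want           bool
		err            string // expected error text; empty means no error is expected
	}{
		{
			name: "effective bit is set",
			procStatusFile: `CapInh:	0000000000000000
CapPrm:	0000000000004000
CapEff:	0000000000004000
CapBnd:	00000000a80465fb
CapAmb:	0000000000000000
`,
			want: true,
		},
		{
			name: "permitted cap is set but not effective",
			procStatusFile: `CapInh:	0000000000000000
CapPrm:	0000000000004000
CapEff:	0000000000000000
CapBnd:	00000000a80465fb
CapAmb:	0000000000000000
`,
			want: false,
		},
		{
			name: "status file is missing",
			err:  "while checking capabilities in /proc/self/status: open proc/self/status: file does not exist",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			fsys := fstest.MapFS{}
			if tt.procStatusFile != "" {
				fsys["proc/self/status"] = &fstest.MapFile{Data: []byte(tt.procStatusFile)}
			}

			got, err := HasEffIpcLock(fsys)

			if tt.err != "" {
				assert.EqualError(t, err, tt.err)
				return
			}
			assert.NoError(t, err)
			assert.Equal(t, tt.want, got)
		})
	}
}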