> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 32-33
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line32>
> >
> >     This should all probably live in the mesos::internal::capabilities 
> > namespace.

The reasons why I chose to have it in mesos::internal is that we have 
Capabilities class (explained in the class's documentation why we need a class).


> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 94-99
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line94>
> >
> >     From my reading of: 
> > http://man7.org/linux/man-pages/man7/capabilities.7.html
> >     
> >     this enum should probably be called `Set`.
> >     
> >     Note, the name `Capability` at the front is unnecessary if we embed 
> > this in the `capabilities` namespace.
> >     
> >     Also, it's pretty standard practice in C++ to define an `enum` as a 
> > `enum class` for better type checking.  As such, you can define the final 
> > element with a common name of `COUNT` to get at the size of the enum.
> >     
> >     For example, you can get at the size of the enum as: 
> > `capabilities::Set::COUNT` instead of relying on the `const` for 
> > `NUMBER_OF_CAP_SETS` defined above.

Although i agree that C++11 supports enum classes, couple of reasons for using 
plain enum here:
1. Other places in the code mostly use plain old enums.
2. Its hard(not impossible) to get the value of the enum class's element (say 
for printing).


> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, line 178
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line178>
> >
> >     Didn't we discuss not making this a class, and only having get()/set() 
> > calls as part of the namespace?

Explained in the class's documentation.


> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, line 209
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line209>
> >
> >     What did we decide about the `add()` pairing to this `drop()` call?

As mentioned in the documentation of `drop`, the `drop` API is for dropping 
`bounding` capabilities.


> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.cpp, lines 36-38
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350685#file1350685line36>
> >
> >     Is there not a header file you can just include here?

No the standard header files dont provide the syscall declaration.


> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 50-90
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line50>
> >
> >     Since we should probably be embedding this in a `capabilities` 
> > namespace, it is redundant to call this enum `Capability`. I'd sugggest 
> > `Privilege`.  That way one of these can be accessed as e.g. 
> > `capabiliites::Privilege::SETGID`.
> >     
> >     Also, as mentioned in a comment below, this should probably be declared 
> > as an `enum class` for better type checking.
> >     
> >     The `COUNT` trick mentioned below should probably be applied here as 
> > well.

I like Capability because that is what its referenced as in every documentation 
and literature.


- Jojy


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46370/#review129674
-----------------------------------------------------------


On April 19, 2016, 5:02 p.m., Jojy Varghese wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46370/
> -----------------------------------------------------------
> 
> (Updated April 19, 2016, 5:02 p.m.)
> 
> 
> Review request for mesos, Jie Yu and Kevin Klues.
> 
> 
> Bugs: MESOS-5051
>     https://issues.apache.org/jira/browse/MESOS-5051
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This change introduces basic API for linux capabilities. This is not a
> comprehensive API but is strictly limited to the need for securing Mesos
> containers using linux capabilities.
> 
> 
> Diffs
> -----
> 
>   src/CMakeLists.txt ca59a1824352423f4db6ef8bb41acc6fe602c041 
>   src/Makefile.am a8f68316c5d4d4c82d99363535a97fa5b1caafc5 
>   src/linux/capabilities.hpp PRE-CREATION 
>   src/linux/capabilities.cpp PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/46370/diff/
> 
> 
> Testing
> -------
> 
> make check.
> 
> 
> Thanks,
> 
> Jojy Varghese
> 
>

Reply via email to