> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 32-33
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line32>
> >
> > This should all probably live in the mesos::internal::capabilities
> > namespace.

The reason why I chose to have it in mesos::internal is that we have a Capabilities class (explained in the class's documentation why we need a class).

> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 94-99
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line94>
> >
> > From my reading of:
> > http://man7.org/linux/man-pages/man7/capabilities.7.html
> >
> > this enum should probably be called `Set`.
> >
> > Note, the name `Capability` at the front is unnecessary if we embed
> > this in the `capabilities` namespace.
> >
> > Also, it's pretty standard practice in C++ to define an `enum` as a
> > `enum class` for better type checking. As such, you can define the final
> > element with a common name of `COUNT` to get at the size of the enum.
> >
> > For example, you can get at the size of the enum as:
> > `capabilities::Set::COUNT` instead of relying on the `const` for
> > `NUMBER_OF_CAP_SETS` defined above.

Although I agree that C++11 supports enum classes, a couple of reasons for using plain enum here:
1. Other places in the code mostly use plain old enums.
2. It's hard (not impossible) to get the value of the enum class's element (say for printing).

> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, line 178
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line178>
> >
> > Didn't we discuss not making this a class, and only having get()/set()
> > calls as part of the namespace?

Explained in the class's documentation.

> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, line 209
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line209>
> >
> > What did we decide about the `add()` pairing to this `drop()` call?

As mentioned in the documentation of `drop`, the `drop` API is for dropping `bounding` capabilities.

> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.cpp, lines 36-38
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350685#file1350685line36>
> >
> > Is there not a header file you can just include here?

No, the standard header files don't provide the syscall declaration.

> On April 20, 2016, 3:15 a.m., Kevin Klues wrote:
> > src/linux/capabilities.hpp, lines 50-90
> > <https://reviews.apache.org/r/46370/diff/1/?file=1350684#file1350684line50>
> >
> > Since we should probably be embedding this in a `capabilities`
> > namespace, it is redundant to call this enum `Capability`. I'd suggest
> > `Privilege`. That way one of these can be accessed as e.g.
> > `capabilities::Privilege::SETGID`.
> >
> > Also, as mentioned in a comment below, this should probably be declared
> > as an `enum class` for better type checking.
> >
> > The `COUNT` trick mentioned below should probably be applied here as
> > well.

I like Capability because that is what it's referenced as in every documentation and literature.

- Jojy

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46370/#review129674
-----------------------------------------------------------

On April 19, 2016, 5:02 p.m., Jojy Varghese wrote:

>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46370/
> -----------------------------------------------------------
>
> (Updated April 19, 2016, 5:02 p.m.)
>
>
> Review request for mesos, Jie Yu and Kevin Klues.
>
>
> Bugs: MESOS-5051
>     https://issues.apache.org/jira/browse/MESOS-5051
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This change introduces basic API for linux capabilities. This is not a
> comprehensive API but is strictly limited to the need for securing Mesos
> containers using linux capabilities.
>
>
> Diffs
> -----
>
>   src/CMakeLists.txt ca59a1824352423f4db6ef8bb41acc6fe602c041
>   src/Makefile.am a8f68316c5d4d4c82d99363535a97fa5b1caafc5
>   src/linux/capabilities.hpp PRE-CREATION
>   src/linux/capabilities.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/46370/diff/
>
>
> Testing
> -------
>
> make check.
>
>
> Thanks,
>
> Jojy Varghese
>
