feat: add check permission

cmd/cgtproxy/cmd/checkpermission.go

@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"errors"
+	"fmt"
+
+	. "github.com/black-desk/lib/go/errwrap"
+	"github.com/spf13/cobra"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
+)
+
+// checkPermissionCmd represents the permission command
+var checkPermissionCmd = &cobra.Command{
+	Use:   "permission",
+	Short: "Check permission",
+	Long:  `Check cgtproxy have get all required capabilities.`,
+	RunE: func(cmd *cobra.Command, args []string) (err error) {
+		defer func() {
+			if err == nil {
+				return
+			}
+
+			err = fmt.Errorf("\n\n%w\n"+CheckDocumentString, err)
+
+			return
+		}()
+
+		err = checkPermissionCmdRun()
+		return
+	},
+}
+
+func checkPermissionCmdRun() (err error) {
+	defer Wrap(&err)
+	capSet := cap.GetProc()
+	hasCapNetAdmin := false
+	hasCapNetAdmin, err = capSet.GetFlag(cap.Effective, cap.NET_ADMIN)
+	if err != nil {
+		return
+	}
+
+	if !hasCapNetAdmin {
+		err = errors.New("CAP_NET_ADMIN is required to update nftable.")
+		return
+	}
+
+	return
+}
+
+func init() {
+	checkCmd.AddCommand(checkPermissionCmd)
+}

go.mod

@@ -16,11 +16,13 @@ require (
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/sys v0.13.0
 	gopkg.in/yaml.v3 v3.0.1
+	kernel.org/pub/linux/libs/security/libcap/cap v1.2.69
 )
 
 require (
 	github.com/black-desk/zap-journal v0.0.0-20230529080551-a8e82d81454b // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 // indirect
 )
 
 require (

go.sum

@@ -117,3 +117,7 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.69 h1:N0m3tKYbkRMmDobh/47ngz+AWeV7PcfXMDi8xu3Vrag=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.69/go.mod h1:Tk5Ip2TuxaWGpccL7//rAsLRH6RQ/jfqTGxuN/+i/FQ=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69 h1:IdrOs1ZgwGw5CI+BH6GgVVlOt+LAXoPyh7enr8lfaXs=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.69/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=

pkg/cgtproxy/config/config_test.go

@@ -47,7 +47,7 @@ var _ = Describe("Configuration", func() {
 		ContextTableEntry("../../../test/data/example_config.yaml"),
 	)
 
-	ContextTable("load from invalid configuration (%s)", func(path string, expectErr error) {
+	ContextTable("load from invalid configuration (%s)", func(path string, expectErr error, errString string) {
 		var (
 			err     error
 			file    *os.File
@@ -67,17 +67,20 @@ var _ = Describe("Configuration", func() {
 
 			_, err = config.New(config.WithContent(content))
 		})
+
 		AfterEach(func() {
-			file.Close()
+			if file != nil {
+				file.Close()
+			}
 		})
 
-		It(fmt.Sprintf("should fail with error: %s", expectErr), func() {
+		It(fmt.Sprintf("should fail with error: %s", errString), func() {
 			Expect(err).To(MatchErr(expectErr))
 		})
 	},
-		ContextTableEntry("../../../test/data/wrong_type.yaml", new(yaml.TypeError)).
+		ContextTableEntry("../../../test/data/wrong_type.yaml", new(yaml.TypeError), "yaml.TypeError").
 			WithFmt("../../../test/data/wrong_type.yaml"),
-		ContextTableEntry("../../../test/data/validation_fail.yaml", validator.ValidationErrors{}).
+		ContextTableEntry("../../../test/data/validation_fail.yaml", validator.ValidationErrors{}, "validator.ValidationErrors").
 			WithFmt("../../../test/data/validation_fail.yaml"),
 	)
 })