internal: add kernelversion package from runc

cyphar · cyphar · commit 422c59f931c6 · 2025-09-04T04:40:46.000+10:00
Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/internal/gocompat/gocompat_generics_go121.go b/internal/gocompat/gocompat_generics_go121.go
@@ -9,6 +9,7 @@
 package gocompat
 
 import (
+	"cmp"
 	"slices"
 	"sync"
 )
@@ -37,3 +38,16 @@ func SyncOnceValue[T any](f func() T) func() T {
 func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
 	return sync.OnceValues(f)
 }
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+type CmpOrdered = cmp.Ordered
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	return cmp.Compare(x, y)
+}
+
+// Max2 is equivalent to Go 1.21's max builtin (but only for two parameters).
+func Max2[T CmpOrdered](x, y T) T {
+	return max(x, y)
+}
diff --git a/internal/gocompat/gocompat_generics_unsupported.go b/internal/gocompat/gocompat_generics_unsupported.go
@@ -5,7 +5,7 @@
 // Copyright (C) 2021, 2022 The Go Authors. All rights reserved.
 // Copyright (C) 2024-2025 SUSE LLC. All rights reserved.
 // Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+// license that can be found in the LICENSE.BSD file.
 
 package gocompat
 
@@ -137,3 +137,51 @@ func SyncOnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) {
 		return d.r1, d.r2
 	}
 }
+
+// CmpOrdered is equivalent to Go 1.21's cmp.Ordered generic type definition.
+// Copied from the Go 1.25 stdlib implementation.
+type CmpOrdered interface {
+	~int | ~int8 | ~int16 | ~int32 | ~int64 |
+		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
+		~float32 | ~float64 |
+		~string
+}
+
+// isNaN reports whether x is a NaN without requiring the math package.
+// This will always return false if T is not floating-point.
+// Copied from the Go 1.25 stdlib implementation.
+func isNaN[T CmpOrdered](x T) bool {
+	return x != x
+}
+
+// CmpCompare is equivalent to Go 1.21's cmp.Compare.
+// Copied from the Go 1.25 stdlib implementation.
+func CmpCompare[T CmpOrdered](x, y T) int {
+	xNaN := isNaN(x)
+	yNaN := isNaN(y)
+	if xNaN {
+		if yNaN {
+			return 0
+		}
+		return -1
+	}
+	if yNaN {
+		return +1
+	}
+	if x < y {
+		return -1
+	}
+	if x > y {
+		return +1
+	}
+	return 0
+}
+
+// Max2 is equivalent to Go 1.21's max builtin for two parameters.
+func Max2[T CmpOrdered](x, y T) T {
+	m := x
+	if y > m {
+		m = y
+	}
+	return m
+}
diff --git a/internal/kernelversion/kernel_linux.go b/internal/kernelversion/kernel_linux.go
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2022 The Go Authors. All rights reserved.
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+// The parsing logic is very loosely based on the Go stdlib's
+// src/internal/syscall/unix/kernel_version_linux.go but with an API that looks
+// a bit like runc's libcontainer/system/kernelversion.
+//
+// TODO(cyphar): This API has been copied around to a lot of different projects
+// (Docker, containerd, runc, and now filepath-securejoin) -- maybe we should
+// put it in a separate project?
+
+// Package kernelversion provides a simple mechanism for checking whether the
+// running kernel is at least as new as some baseline kernel version. This is
+// often useful when checking for features that would be too complicated to
+// test support for (or in cases where we know that some kernel features in
+// backport-heavy kernels are broken and need to be avoided).
+package kernelversion
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/cyphar/filepath-securejoin/internal/gocompat"
+)
+
+// KernelVersion is a numeric representation of the key numerical elements of a
+// kernel version (for instance, "4.1.2-default-1" would be represented as
+// KernelVersion{4, 1, 2}).
+type KernelVersion []uint64
+
+func (kver KernelVersion) String() string {
+	var str strings.Builder
+	for idx, elem := range kver {
+		if idx != 0 {
+			_, _ = str.WriteRune('.')
+		}
+		_, _ = str.WriteString(strconv.FormatUint(elem, 10))
+	}
+	return str.String()
+}
+
+var errInvalidKernelVersion = errors.New("invalid kernel version")
+
+// parseKernelVersion parses a string and creates a KernelVersion based on it.
+func parseKernelVersion(kverStr string) (KernelVersion, error) {
+	kver := make(KernelVersion, 1, 3)
+	for idx, ch := range kverStr {
+		if '0' <= ch && ch <= '9' {
+			v := &kver[len(kver)-1]
+			*v = (*v * 10) + uint64(ch-'0')
+		} else {
+			if idx == 0 || kverStr[idx-1] < '0' || '9' < kverStr[idx-1] {
+				// "." must be preceded by a digit while in version section
+				return nil, fmt.Errorf("%w %q: kernel version has dot(s) followed by non-digit in version section", errInvalidKernelVersion, kverStr)
+			}
+			if ch != '.' {
+				break
+			}
+			kver = append(kver, 0)
+		}
+	}
+	if len(kver) < 2 {
+		return nil, fmt.Errorf("%w %q: kernel versions must contain at least two components", errInvalidKernelVersion, kverStr)
+	}
+	return kver, nil
+}
+
+// getKernelVersion gets the current kernel version.
+var getKernelVersion = gocompat.SyncOnceValues(func() (KernelVersion, error) {
+	var uts unix.Utsname
+	if err := unix.Uname(&uts); err != nil {
+		return nil, err
+	}
+	// Remove the \x00 from the release.
+	release := uts.Release[:]
+	return parseKernelVersion(string(release[:bytes.IndexByte(release, 0)]))
+})
+
+// GreaterEqualThan returns true if the the host kernel version is greater than
+// or equal to the provided [KernelVersion]. When doing this comparison, any
+// non-numerical suffixes of the host kernel version are ignored.
+//
+// If the number of components provided is not equal to the number of numerical
+// components of the host kernel version, any missing components are treated as
+// 0. This means that GreaterEqualThan(KernelVersion{4}) will be treated the
+// same as GreaterEqualThan(KernelVersion{4, 0, 0, ..., 0, 0}), and that if the
+// host kernel version is "4" then GreaterEqualThan(KernelVersion{4, 1}) will
+// return false (because the host version will be treated as "4.0").
+func GreaterEqualThan(wantKver KernelVersion) (bool, error) {
+	hostKver, err := getKernelVersion()
+	if err != nil {
+		return false, err
+	}
+
+	// Pad out the kernel version lengths to match one another.
+	cmpLen := gocompat.Max2(len(hostKver), len(wantKver))
+	hostKver = append(hostKver, make(KernelVersion, cmpLen-len(hostKver))...)
+	wantKver = append(wantKver, make(KernelVersion, cmpLen-len(wantKver))...)
+
+	for i := 0; i < cmpLen; i++ {
+		switch gocompat.CmpCompare(hostKver[i], wantKver[i]) {
+		case -1:
+			// host < want
+			return false, nil
+		case +1:
+			// host > want
+			return true, nil
+		case 0:
+			continue
+		}
+	}
+	// equal version values
+	return true, nil
+}
diff --git a/internal/kernelversion/kernel_linux_test.go b/internal/kernelversion/kernel_linux_test.go
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Copyright (C) 2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE.BSD file.
+
+package kernelversion
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetKernelVersion(t *testing.T) {
+	version, err := getKernelVersion()
+	require.NoError(t, err)
+	assert.GreaterOrEqualf(t, len(version), 2, "KernelVersion %#v must have at least 2 elements", version)
+}
+
+func TestParseKernelVersion(t *testing.T) {
+	for _, test := range []struct {
+		kverStr     string
+		expected    KernelVersion
+		expectedErr error
+	}{
+		// <2 components
+		{"", nil, errInvalidKernelVersion},
+		{"dummy", nil, errInvalidKernelVersion},
+		{"1", nil, errInvalidKernelVersion},
+		{"420", nil, errInvalidKernelVersion},
+		// >=2 components
+		{"3.7", KernelVersion{3, 7}, nil},
+		{"3.8", KernelVersion{3, 8}, nil},
+		{"3.8.0", KernelVersion{3, 8, 0}, nil},
+		{"3.8.12", KernelVersion{3, 8, 12}, nil},
+		{"3.8.12.10.0.2", KernelVersion{3, 8, 12, 10, 0, 2}, nil},
+		{"42.12.1000", KernelVersion{42, 12, 1000}, nil},
+		// suffix
+		{"2.6.16foobar", KernelVersion{2, 6, 16}, nil},
+		{"2.6.16f00b4r", KernelVersion{2, 6, 16}, nil},
+		{"3.8.16-generic", KernelVersion{3, 8, 16}, nil},
+		{"6.12.0-1-default", KernelVersion{6, 12, 0}, nil},
+		{"4.9.27-default-foo.12.23", KernelVersion{4, 9, 27}, nil},
+		// invalid version section
+		{"-1.2", nil, errInvalidKernelVersion},
+		{"3a", nil, errInvalidKernelVersion},
+		{"3.a", nil, errInvalidKernelVersion},
+		{"3.4.a", nil, errInvalidKernelVersion},
+		{"a", nil, errInvalidKernelVersion},
+		{"aa", nil, errInvalidKernelVersion},
+		{"a.a", nil, errInvalidKernelVersion},
+		{"a.a.a", nil, errInvalidKernelVersion},
+		{"-3.1", nil, errInvalidKernelVersion},
+		{"-3.", nil, errInvalidKernelVersion},
+		{"1.-foo", nil, errInvalidKernelVersion},
+		{".1", nil, errInvalidKernelVersion},
+		{".1.2", nil, errInvalidKernelVersion},
+	} {
+		test := test // copy iterator
+		t.Run(test.kverStr, func(t *testing.T) {
+			kver, err := parseKernelVersion(test.kverStr)
+			if test.expectedErr != nil {
+				require.Errorf(t, err, "parseKernelVersion(%q)", test.kverStr)
+				require.ErrorIsf(t, err, test.expectedErr, "parseKernelVersion(%q)", test.kverStr)
+				assert.Nilf(t, kver, "parseKernelVersion(%q) returned kver", test.kverStr)
+			} else {
+				require.NoErrorf(t, err, "parseKernelVersion(%q)", test.kverStr)
+				assert.Equal(t, test.expected, kver, "parseKernelVersion(%q) return kver", test.kverStr)
+			}
+		})
+	}
+}
+
+func TestGreaterEqualThan(t *testing.T) {
+	hostKver, err := getKernelVersion()
+	require.NoError(t, err)
+
+	for _, test := range []struct {
+		name     string
+		wantKver KernelVersion
+		expected bool
+	}{
+		{"HostVersion", hostKver[:], true},
+		{"OlderMajor", KernelVersion{hostKver[0] - 1, hostKver[1]}, true},
+		{"OlderMinor", KernelVersion{hostKver[0], hostKver[1] - 1}, true},
+		{"NewerMajor", KernelVersion{hostKver[0] + 1, hostKver[1]}, false},
+		{"NewerMinor", KernelVersion{hostKver[0], hostKver[1] + 1}, false},
+		{"ExtraDot", append(hostKver, 1), false},
+		{"ExtraZeros", append(hostKver, make(KernelVersion, 10)...), true},
+	} {
+		test := test // copy iterator
+		t.Run(fmt.Sprintf("%s:%s", test.name, test.wantKver), func(t *testing.T) {
+			got, err := GreaterEqualThan(test.wantKver)
+			require.NoErrorf(t, err, "GreaterEqualThan(%s)", test.wantKver)
+			assert.Equalf(t, test.expected, got, "GreaterEqualThan(%s)", test.wantKver)
+		})
+	}
+}
