One of the nice things about a goto is it gives you a single place to clean things up, like this:

if (caps != NULL)
cap_free(caps);

@tylerharter I actually didn't get what you mean here. I tried to use the goto statement already. Is there an even better way to do it?

You have cap_free in multiples places. What I mean is that cap_free can be after "out:". You'll need to check whether it is NULL before freeing there, of course.

To what extent can we just create Python wrappers around the cap API (can_get_proc, cap_set_flag, etc), and then have the logic using it in Python code only?

@tylerharter I couldn't actually find a native way to do this in Python (atleast at a granular level) and then came across the seccomp code in this file. It feels like we should be able to do a lot with the wrappers - like we have good amount of control over how we want to expose these functions to Python. Is there a concern around doing it in this way?

We may have to do it in a different way (or use an external module?) for dropping privileges in sock.go since these would only work in Python.

We only plan to support Python in the forseeable future, and the more code we have in Python (rather than C), the more people will be able to understand and contribute.

@tylerharter I see. Based on my research, I couldn't find any official Python libraries that would give us control over capabilities. There are some community wrappers available but I'm assuming they use similar C code underneath. I'm also concerned that if we rely on them, we could open a channel for untrustworthy libraries/ packages that aren't well maintained or supported. What are your thoughts on that?

Can we make capability dropping optional, via config, like it is for seccomp? https://github.com/open-lambda/open-lambda/blob/main/min-image/runtimes/python/server.py#L189

@tylerharter I added the command line argument for enabling capabilities as well. However, we'll need to pass the flag on to everywhere we drop capabilities - to check it and drop only if it's true. Wondering what would be the best way to do that.

Let's leave this out of this PR. Maybe you can drop me a note about why you want this?

@tylerharter upon setting up OpenLambda for the first time, the DockerFile errored out due to some dependency or cleanup issue and suggested to run this to remove any conflicting stale package in the instance. I don't remember the exact error now but I adding this should make sure none of that happens

Better to delete old code than comment out.

@tylerharter This is only here for testing reasons. I think due to how Python is set up on my system, I have to make that particular change (mentioning the exact version in the include statement) or my C linter complains. I'll remove this in the final iteration

We only plan to support Python in the forseeable future, and the more code we have in Python (rather than C), the more people will be able to understand and contribute.

You have cap_free in multiples places. What I mean is that cap_free can be after "out:". You'll need to check whether it is NULL before freeing there, of course.

Let's add a TODO to move to named args (in a future PR) now that we're getting more than a couple.

Can we avoid hardcoding this? Anyway we can expose some consts (like CAP_SYS_ADMIN) from our ol module to Python?

Wait, aren't we always doing this, regardless of cmd line args?

@tylerharter Right, for that, I was concerned that I would have to pass that boolean flag down the function calls. enable-seccomp bool is only needed in the beginning where it is "enabled" and then that's it. But since we would have to drop privileges at certain points in the code, we would need the drop-capabilities bool value to propagate down.

I left it as it is for now for testing while I thought of a good solution for it or if you have any suggestions.

I wonder if we should call it drop-capabilities or something like that? I think it is intuitive that "enable-seccomp" is going to restrict you. But it's less obvious whether "enable-capabilities" is going to give you more capabilities, or turn on logic that limits your capabilities.

That makes sense, I'll change the name