Fix validateCapabilities to handle nil and empty arrays for spec validation.

nybidari · gvisor-bot · commit 22b0d1ce26e6 · 2025-09-25T11:43:38.000-07:00
validateCapabilities was using reflect.DeepEqual which considers nil and empty
slices as different. But for validation of spec, these should be considered as
same. Fix this by calling validateArray (for each field within capabilities)
which compares the length of the array.

PiperOrigin-RevId: 811436172
diff --git a/runsc/container/container_test.go b/runsc/container/container_test.go
@@ -3879,7 +3879,7 @@ func TestSpecValidation(t *testing.T) {
 			mutate: func(spec, restoreSpec *specs.Spec, _, _ string) {
 				restoreSpec.Process.Capabilities.Bounding = append(restoreSpec.Process.Capabilities.Bounding, "CAP_NET_RAW")
 			},
-			wantErr: "Capabilities does not match across checkpoint restore",
+			wantErr: "Capabilities.Bounding does not match across checkpoint restore",
 		},
 		{
 			name: "Resources",
@@ -4111,6 +4111,23 @@ func TestSpecValidationForArgs(t *testing.T) {
 	}
 }
 
+func TestSpecValidationForCapabilities(t *testing.T) {
+	conf := testutil.TestConfig(t)
+	oldSpecs := make(map[string]*specs.Spec)
+	spec, _ := sleepSpecConf(t)
+	spec.Process.Capabilities.Bounding = nil
+	oldSpecs["container1"] = spec
+
+	newSpecs := make(map[string]*specs.Spec)
+	restoreSpec, _ := sleepSpecConf(t)
+	restoreSpec.Process.Capabilities.Bounding = []string{}
+	newSpecs["container1"] = restoreSpec
+
+	if err := specutils.RestoreValidateSpec(oldSpecs, newSpecs, conf); err != nil {
+		t.Errorf("spec validation failed, got: %v, want: nil", err)
+	}
+}
+
 func TestCheckpointResume(t *testing.T) {
 	for name, conf := range configs(t, true /* noOverlay */) {
 		t.Run(name, func(t *testing.T) {
diff --git a/runsc/specutils/restore.go b/runsc/specutils/restore.go
@@ -210,25 +210,28 @@ func validateMap[K comparable, V comparable](field, cName string, oldM map[K]V,
 	return nil
 }
 
-func sortCapabilities(o *specs.LinuxCapabilities) {
-	sort.Strings(o.Bounding)
-	sort.Strings(o.Effective)
-	sort.Strings(o.Inheritable)
-	sort.Strings(o.Permitted)
-	sort.Strings(o.Ambient)
-}
-
 func validateCapabilities(field, cName string, oldCaps, newCaps *specs.LinuxCapabilities) error {
 	if oldCaps == nil && newCaps == nil {
 		return nil
 	}
 	if oldCaps == nil || newCaps == nil {
 		return validateError(field, cName, oldCaps, newCaps)
 	}
-	sortCapabilities(oldCaps)
-	sortCapabilities(newCaps)
-	if !reflect.DeepEqual(oldCaps, newCaps) {
-		return validateError(field, cName, oldCaps, newCaps)
+
+	if err := validateArray(field+".Bounding", cName, oldCaps.Bounding, newCaps.Bounding); err != nil {
+		return err
+	}
+	if err := validateArray(field+".Effective", cName, oldCaps.Effective, newCaps.Effective); err != nil {
+		return err
+	}
+	if err := validateArray(field+".Inheritable", cName, oldCaps.Inheritable, newCaps.Inheritable); err != nil {
+		return err
+	}
+	if err := validateArray(field+".Permitted", cName, oldCaps.Permitted, newCaps.Permitted); err != nil {
+		return err
+	}
+	if err := validateArray(field+".Ambient", cName, oldCaps.Ambient, newCaps.Ambient); err != nil {
+		return err
 	}
 	return nil
 }
