allow lxc.cap.keep = none
Commit 1fb86a7c
introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, because specifying an empty keep list, i.e.:
lxc.cap.keep =
clears the keep list, causing no capabilities to be dropped.
This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.
Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
parent
58558042dc
commit
7035407c96
@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specify the capability to be kept in the container. All other
|
Specify the capability to be kept in the container. All other
|
||||||
capabilities will be dropped.
|
capabilities will be dropped. When a special value of "none" is
|
||||||
|
encountered, lxc will clear any keep capabilities specified up
|
||||||
|
to this point. A value of "none" alone can be used to drop all
|
||||||
|
capabilities.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
|
|||||||
char *ptr = NULL;
|
char *ptr = NULL;
|
||||||
int i, capid = -1;
|
int i, capid = -1;
|
||||||
|
|
||||||
|
if (!strcmp(cap, "none"))
|
||||||
|
return -2;
|
||||||
|
|
||||||
for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
|
for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
|
||||||
|
|
||||||
if (strcmp(cap, caps_opt[i].name))
|
if (strcmp(cap, caps_opt[i].name))
|
||||||
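Review bot: The new `return -2;` on the "none" branch is an undocumented magic sentinel that callers now have to tell apart from the existing -1 "unknown capability" result, and nothing in parse_cap says so. A short comment would make the contract explicit: `/* "none" is a keep-list marker, not a capability: return -2 so callers can skip it, distinct from -1 for an unknown name */`. Any other caller that only tests `capid < 0` will treat "none" as an error, which is presumably fine for lxc.cap.drop but should be confirmed. parse_cap's body continues past the end of the hunk.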
@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
|
|||||||
|
|
||||||
capid = parse_cap(keep_entry);
|
capid = parse_cap(keep_entry);
|
||||||
|
|
||||||
|
if (capid == -2)
|
||||||
|
continue;
|
||||||
|
|
||||||
if (capid < 0) {
|
if (capid < 0) {
|
||||||
ERROR("unknown capability %s", keep_entry);
|
ERROR("unknown capability %s", keep_entry);
|
||||||
return -1;
|
return -1;
|
||||||
|
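Review bot: The `capid == -2` test must stay ahead of the `capid < 0` error check, and the hunk gives no hint that -2 is the "none" marker produced by parse_cap; a comment such as `/* "none" is a placeholder appended by config_cap_keep(), not a capability to keep */` would protect that ordering from a later reshuffle. The marker is only skipped here, so a keep list holding nothing but "none" keeps no capabilities at all; whether such a list reaches this loop depends on how the caller treats the list, which is outside this hunk. dropcaps_except starts and ends outside the hunk.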
@ -1479,6 +1479,9 @@ static int config_cap_keep(const char *key, const char *value,
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmp(token, "none"))
|
||||||
|
lxc_clear_config_keepcaps(lxc_conf);
|
||||||
|
|
||||||
keeplist = malloc(sizeof(*keeplist));
|
keeplist = malloc(sizeof(*keeplist));
|
||||||
if (!keeplist) {
|
if (!keeplist) {
|
||||||
SYSERROR("failed to allocate keepcap list");
|
SYSERROR("failed to allocate keepcap list");
|
||||||
|
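Review bot: After `lxc_clear_config_keepcaps(lxc_conf)` the "none" token falls through to the `malloc` below and is itself appended to the keep list, which looks deliberate but is not stated anywhere; a later cleanup that adds a `continue` here would silently restore the behaviour the commit message describes, where an empty keep list drops nothing. Add a comment above the check: `/* "none" discards every keep entry seen so far. It is intentionally still appended below so the list stays non-empty and dropcaps_except() can recognise and skip it. */`. The return value of lxc_clear_config_keepcaps is also ignored; if it can fail, that error should propagate from config_cap_keep. config_cap_keep starts and ends outside the hunk.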