allow lxc.cap.keep = none

Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, ie:

    lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

doc/lxc.container.conf.sgml.in

@@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0
 	  <listitem>
 	    <para>
 	      Specify the capability to be kept in the container. All other
-	      capabilities will be dropped.
+	      capabilities will be dropped. When a special value of "none" is
+	      encountered, lxc will clear any keep capabilities specified up
+	      to this point. A value of "none" alone can be used to drop all
+	      capabilities.
 	    </para>
 	  </listitem>
 	</varlistentry>

src/lxc/conf.c

@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
 	char *ptr = NULL;
 	int i, capid = -1;
 
+	if (!strcmp(cap, "none"))
+		return -2;
+
 	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 
 		if (strcmp(cap, caps_opt[i].name))
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 
 		capid = parse_cap(keep_entry);
 
+		if (capid == -2)
+			continue;
+
 	        if (capid < 0) {
 			ERROR("unknown capability %s", keep_entry);
 			return -1;

src/lxc/confile.c

@@ -1479,6 +1479,9 @@ static int config_cap_keep(const char *key, const char *value,
                         break;
 		}
 
+		if (!strcmp(token, "none"))
+			lxc_clear_config_keepcaps(lxc_conf);
+
 		keeplist = malloc(sizeof(*keeplist));
 		if (!keeplist) {
 			SYSERROR("failed to allocate keepcap list");