git.ipfire.org Git - thirdparty/systemd.git/commit

systemd-nspawn: Allow setting ambient capability set

The old code was only able to pass the value 0 for the inheritable
and ambient capability set when a non-root user was specified.

However, sometimes it is useful to run a program in its own container
with a user specification and some capabilities set. This is needed
when the capabilities cannot be provided by file capabilities (because
the file system is mounted with MS_NOSUID for additional security).

This commit introduces the option --ambient-capability and the config
file option AmbientCapability=. Both are used in a similar way to the
existing Capability= setting. It changes the inheritable and ambient
set (which is 0 by default). The code also checks that the settings
for the bounding set (as defined by Capability= and DropCapability=)
and the setting for the ambient set (as defined by AmbientCapability=)
are compatible. Otherwise, the operation would fail in any way.

Due to the current use of -1 to indicate no support for ambient
capability set the special value "all" cannot be supported.

Also, the setting of ambient capability is restricted to running a
single program in the container payload.

author	Torsten Hilbrich <torsten.hilbrich@secunet.com>
	Fri, 4 Dec 2020 10:27:12 +0000 (11:27 +0100)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Mon, 7 Dec 2020 18:56:59 +0000 (19:56 +0100)
commit	88fc9c9bad006a9fd05fbe4fe0107a2adccdae3c
tree	8f00d836042f838004d0e330ecab309124951244	tree \| snapshot
parent	bf20d937501c796c0c01ffe6e09000b6ddf9ec03	commit \| diff

man/systemd-nspawn.xml		diff \| blob \| blame \| history
man/systemd.nspawn.xml		diff \| blob \| blame \| history
src/nspawn/nspawn-gperf.gperf		diff \| blob \| blame \| history
src/nspawn/nspawn-settings.h		diff \| blob \| blame \| history
src/nspawn/nspawn.c		diff \| blob \| blame \| history