allow lxc.cap.keep = none
authorDwight Engen <dwight.engen@oracle.com>
Thu, 19 Jun 2014 21:58:11 +0000 (17:58 -0400)
committerStéphane Graber <stgraber@ubuntu.com>
Fri, 20 Jun 2014 18:08:00 +0000 (14:08 -0400)
Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, i.e.:

    lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
doc/lxc.container.conf.sgml.in
src/lxc/conf.c
src/lxc/confile.c

index 30fe4a815430de1ab9ae94ba4f3908a04daf5d0f..2050d7c46285c587187d4b3e9d10b7e21deb5b80 100644 (file)
@@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0
          <listitem>
            <para>
              Specify the capability to be kept in the container. All other
-             capabilities will be dropped.
+             capabilities will be dropped. When a special value of "none" is
+             encountered, lxc will clear any keep capabilities specified up
+             to this point. A value of "none" alone can be used to drop all
+             capabilities.
            </para>
          </listitem>
        </varlistentry>
index 50fff2703dc8e7403089530e7c0d13786de9a531..c8b573a0a701cdda6a70adcf96dbdf335699f532 100644 (file)
@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
        char *ptr = NULL;
        int i, capid = -1;
 
+       if (!strcmp(cap, "none"))
+               return -2;
+
        for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 
                if (strcmp(cap, caps_opt[i].name))
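Review bot: The bare `-2` returned for "none" is an undocumented sentinel that dropcaps_except() (lines 53-54 of this diff) has to know to skip, while every other negative return from parse_cap() still means "unknown capability"; a named constant would tie the two sites together, e.g. `#define CAP_PARSE_NONE (-2)` next to parse_cap, `return CAP_PARSE_NONE;` here and `if (capid == CAP_PARSE_NONE)` in dropcaps_except. If parse_cap() has other callers not shown here (the drop-list path, presumably), they will now see "none" as an ordinary error because -2 is still < 0, which is probably the intent but deserves a one-line comment on the return. The rest of parse_cap's body continues outside the hunk.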
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 
                capid = parse_cap(keep_entry);
 
+               if (capid == -2)
+                       continue;
+
                if (capid < 0) {
                        ERROR("unknown capability %s", keep_entry);
                        return -1;
index 9ecda6a3125724ea68ea743a5414081f9437e168..3462e9c039dc8dba07935884daf93aab63eb6d5a 100644 (file)
@@ -1479,6 +1479,9 @@ static int config_cap_keep(const char *key, const char *value,
                         break;
                }
 
+               if (!strcmp(token, "none"))
+                       lxc_clear_config_keepcaps(lxc_conf);
+
                keeplist = malloc(sizeof(*keeplist));
                if (!keeplist) {
                        SYSERROR("failed to allocate keepcap list");
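Review bot: The return value of `lxc_clear_config_keepcaps(lxc_conf)` is discarded; if that function can report failure, the check should be `if (!strcmp(token, "none") && lxc_clear_config_keepcaps(lxc_conf)) return -1;` so a failed clear does not fall through to appending entries as though the earlier ones had been removed. It is also worth a comment that the "none" token is deliberately still appended to the list after the clear: per the commit message an empty keep list drops nothing, so the stored "none" node is what makes `lxc.cap.keep = none` drop everything, and dropcaps_except() in conf.c skips it at apply time — something like `/* keep the "none" entry itself: an empty list drops nothing; dropcaps_except() skips it */`. config_cap_keep's token loop starts before this hunk.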