From: Christian Brauner Date: Mon, 4 Jan 2021 09:53:19 +0000 (+0100) Subject: conf: add new capabilities CAP_{BLOCK_SUSPEND,PERFMON,BPF,CAP_CHECKPOINT_RESTORE} X-Git-Tag: lxc-5.0.0~325^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b4cd4681da399acc1775773d7967a3c94635346;p=thirdparty%2Flxc.git conf: add new capabilities CAP_{BLOCK_SUSPEND,PERFMON,BPF,CAP_CHECKPOINT_RESTORE} Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bc0d01463..30870aa5b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -181,44 +181,47 @@ static struct mount_opt propagation_opt[] = {
 static struct caps_opt caps_opt[] = {
 #if HAVE_LIBCAP
- { "chown", CAP_CHOWN },
- { "dac_override", CAP_DAC_OVERRIDE },
- { "dac_read_search", CAP_DAC_READ_SEARCH },
- { "fowner", CAP_FOWNER },
- { "fsetid", CAP_FSETID },
- { "kill", CAP_KILL },
- { "setgid", CAP_SETGID },
- { "setuid", CAP_SETUID },
- { "setpcap", CAP_SETPCAP },
- { "linux_immutable", CAP_LINUX_IMMUTABLE },
- { "net_bind_service", CAP_NET_BIND_SERVICE },
- { "net_broadcast", CAP_NET_BROADCAST },
- { "net_admin", CAP_NET_ADMIN },
- { "net_raw", CAP_NET_RAW },
- { "ipc_lock", CAP_IPC_LOCK },
- { "ipc_owner", CAP_IPC_OWNER },
- { "sys_module", CAP_SYS_MODULE },
- { "sys_rawio", CAP_SYS_RAWIO },
- { "sys_chroot", CAP_SYS_CHROOT },
- { "sys_ptrace", CAP_SYS_PTRACE },
- { "sys_pacct", CAP_SYS_PACCT },
- { "sys_admin", CAP_SYS_ADMIN },
- { "sys_boot", CAP_SYS_BOOT },
- { "sys_nice", CAP_SYS_NICE },
- { "sys_resource", CAP_SYS_RESOURCE },
- { "sys_time", CAP_SYS_TIME },
- { "sys_tty_config", CAP_SYS_TTY_CONFIG },
- { "mknod", CAP_MKNOD },
- { "lease", CAP_LEASE },
- { "audit_read", CAP_AUDIT_READ },
- { "audit_write", CAP_AUDIT_WRITE },
- { "audit_control", CAP_AUDIT_CONTROL },
- { "setfcap", CAP_SETFCAP },
- { "mac_override", CAP_MAC_OVERRIDE },
- { "mac_admin", CAP_MAC_ADMIN },
- { "syslog", CAP_SYSLOG },
- { "wake_alarm", CAP_WAKE_ALARM },
- { "block_suspend", CAP_BLOCK_SUSPEND },
+ { "chown", CAP_CHOWN },
+ { "dac_override", CAP_DAC_OVERRIDE },
+ { "dac_read_search", CAP_DAC_READ_SEARCH },
+ { "fowner", CAP_FOWNER },
+ { "fsetid", CAP_FSETID },
+ { "kill", CAP_KILL },
+ { "setgid", CAP_SETGID },
+ { "setuid", CAP_SETUID },
+ { "setpcap", CAP_SETPCAP },
+ { "linux_immutable", CAP_LINUX_IMMUTABLE },
+ { "net_bind_service", CAP_NET_BIND_SERVICE },
+ { "net_broadcast", CAP_NET_BROADCAST },
+ { "net_admin", CAP_NET_ADMIN },
+ { "net_raw", CAP_NET_RAW },
+ { "ipc_lock", CAP_IPC_LOCK },
+ { "ipc_owner", CAP_IPC_OWNER },
+ { "sys_module", CAP_SYS_MODULE },
+ { "sys_rawio", CAP_SYS_RAWIO },
+ { "sys_chroot", CAP_SYS_CHROOT },
+ { "sys_ptrace", CAP_SYS_PTRACE },
+ { "sys_pacct", CAP_SYS_PACCT },
+ { "sys_admin", CAP_SYS_ADMIN },
+ { "sys_boot", CAP_SYS_BOOT },
+ { "sys_nice", CAP_SYS_NICE },
+ { "sys_resource", CAP_SYS_RESOURCE },
+ { "sys_time", CAP_SYS_TIME },
+ { "sys_tty_config", CAP_SYS_TTY_CONFIG },
+ { "mknod", CAP_MKNOD },
+ { "lease", CAP_LEASE },
+ { "audit_write", CAP_AUDIT_WRITE },
+ { "audit_control", CAP_AUDIT_CONTROL },
+ { "setfcap", CAP_SETFCAP },
+ { "mac_override", CAP_MAC_OVERRIDE },
+ { "mac_admin", CAP_MAC_ADMIN },
+ { "syslog", CAP_SYSLOG },
+ { "wake_alarm", CAP_WAKE_ALARM },
+ { "block_suspend", CAP_BLOCK_SUSPEND },
+ { "audit_read", CAP_AUDIT_READ },
+ { "perfmon", CAP_PERFMON },
+ { "bpf", CAP_BPF },
+ { "checkpoint_restore", CAP_CHECKPOINT_RESTORE },
 #endif
 };
diff --git a/src/lxc/macro.h b/src/lxc/macro.h
index 4882b1781..24d80fe16 100644
--- a/src/lxc/macro.h
+++ b/src/lxc/macro.h
@@ -85,6 +85,18 @@
 #define CAP_AUDIT_READ 37
 #endif
+#ifndef CAP_PERFMON
+#define CAP_PERFMON 38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF 39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
 /* prctl */
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23
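Review bot: The three genuinely new rows of `caps_opt[]` (`perfmon`, `bpf`, `checkpoint_restore`) and the relocation of `audit_read` are buried in a rewrite of all 38 existing rows whose only visible difference is leading whitespace, so the part that matters for review — which capability names a container config can now drop or keep by name, presumably via `lxc.cap.drop`/`lxc.cap.keep` — is hard to pick out; splitting the re-indent from the additions would keep the diff auditable. The subject line lists BLOCK_SUSPEND as new, but `block_suspend` is already present on the removed side, and the subject's last item carries a stray `CAP_` prefix; only the three rows named above are additions. The new side also moves `audit_read` after `block_suspend`, which suggests the table is now kept in kernel capability-number order, and that convention is worth recording above the array so the next addition lands in the right place: `/* Keep in kernel capability-number order; every name here needs a fallback #define in macro.h for builds against older headers. */`. The fallback defines for the three new values are in the macro.h hunk of this same commit.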
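Review bot: The three new fallback blocks hard-code 38, 39 and 40 with nothing saying where those numbers come from, so a reviewer cannot check them against anything without leaving the file; a one-line comment above the first block would fix that, e.g. `/* CAP_PERFMON, CAP_BPF, CAP_CHECKPOINT_RESTORE: fallbacks for pre-5.8/5.9 <linux/capability.h>; values must match the kernel UAPI exactly. */`. If macro.h also carries a fallback for CAP_LAST_CAP (not visible in this hunk), it should be raised to CAP_CHECKPOINT_RESTORE in the same change, since any loop bounded by it would otherwise stop at CAP_AUDIT_READ and silently leave the three new capabilities out of whatever it drops or checks. The `#ifndef CAP_AUDIT_READ` guard whose `#endif` opens the hunk starts before it.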