From: afg <afg984@gmail.com>
Date: Fri, 29 Nov 2019 09:08:05 +0000 (+0800)
Subject: nspawn: allow Capability=all in systemd.nspawn [EXEC] section
X-Git-Tag: v244~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c152a2ba54dc77322997e8f5e302518fe4b07e57;p=thirdparty%2Fsystemd.git

nspawn: allow Capability=all in systemd.nspawn [EXEC] section

Just like --capability=all is allowed in the systemd-nspawn
command line.
---

diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 8f5590c73ad..11df4623b44 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -189,7 +189,8 @@
         <filename>/etc/systemd/nspawn/</filename> and
         <filename>/run/system/nspawn/</filename> (see above). On the
         other hand, <varname>DropCapability=</varname> takes effect in
-        all cases.</para></listitem>
+        all cases. If the special value <literal>all</literal> is passed, all
+        capabilities are retained (or dropped).</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
index 3a997368137..5fb5b49bbcc 100644
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -275,13 +275,17 @@ int config_parse_capability(
                 if (r == 0)
                         break;
 
-                r = capability_from_name(word);
-                if (r < 0) {
-                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
-                        continue;
-                }
+                if (streq(word, "all"))
+                        u = (uint64_t) -1;
+                else {
+                        r = capability_from_name(word);
+                        if (r < 0) {
+                                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
+                                continue;
+                        }
 
-                u |= UINT64_C(1) << r;
+                        u |= UINT64_C(1) << r;
+                }
         }
 
         if (u == 0)