From 7035407c96efd21ba5dfc8ba6617f7631292d78a Mon Sep 17 00:00:00 2001 From: Dwight Engen Date: Thu, 19 Jun 2014 17:58:11 -0400 Subject: [PATCH] allow lxc.cap.keep = none Commit 1fb86a7c introduced a way to drop capabilities without having to specify them all explicitly. Unfortunately, there is no way to drop them all, as just specifying an empty keep list, ie: lxc.cap.keep = clears the keep list, causing no capabilities to be dropped. This change allows a special value "none" to be given, which will clear all keep capabilities parsed up to this point. If the last parsed value is none, all capabilities will be dropped. Signed-off-by: Dwight Engen Acked-by: Serge E. Hallyn
---
 doc/lxc.container.conf.sgml.in | 5 ++++- src/lxc/conf.c | 6 ++++++ src/lxc/confile.c | 3 +++ 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 30fe4a815..2050d7c46 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0 Specify the capability to be kept in the container. All other
- capabilities will be dropped.
+ capabilities will be dropped. When a special value of "none" is
+ encountered, lxc will clear any keep capabilities specified up
+ to this point. A value of "none" alone can be used to drop all
+ capabilities.
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 50fff2703..c8b573a0a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
 char *ptr = NULL;
 int i, capid = -1;
+ if (!strcmp(cap, "none"))
+ return -2;
+
 for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 if (strcmp(cap, caps_opt[i].name))
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 capid = parse_cap(keep_entry);
+ if (capid == -2)
+ continue;
+
 if (capid < 0) {
 ERROR("unknown capability %s", keep_entry);
 return -1;
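Review bot: The new `return -2` in parse_cap() is an unnamed sentinel that every caller of the helper now has to know about, and any caller that still tests only `capid < 0` (the lxc.cap.drop path is not in this hunk, but presumably goes through the same helper) will report `lxc.cap.drop = none` as "unknown capability none" instead of saying that "none" is only meaningful for lxc.cap.keep. Giving the value a name and stating the contract at the check keeps that visible: `#define CAP_KEEP_NONE (-2)` for the constant, and above the new check `/* "none" resets the keep list; callers must test for CAP_KEEP_NONE before the generic < 0 error path */`. parse_cap() opens and closes outside the hunk.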
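Review bot: The `continue` for `capid == -2` in dropcaps_except() is correct only because it sits ahead of the `capid < 0` error branch, and nothing at the site says why a "none" entry can still be in the keep list here; a later reorder or a generic `< 0` refactor would turn "none" into a fatal "unknown capability" error. I would add `/* "none" is a list-reset marker already applied while parsing the config; it keeps no capability itself */` above the check. It is also worth stating that the "none" entry is presumably what keeps the list non-empty when every capability is to be dropped, since an empty keep list is described in the commit message as dropping nothing. dropcaps_except() continues outside the hunk.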
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 9ecda6a31..3462e9c03 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1479,6 +1479,9 @@ static int config_cap_keep(const char *key, const char *value,
 break;
 }
+ if (!strcmp(token, "none"))
+ lxc_clear_config_keepcaps(lxc_conf);
+
 keeplist = malloc(sizeof(*keeplist));
 if (!keeplist) {
 SYSERROR("failed to allocate keepcap list");
-- 2.47.2
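Review bot: After `lxc_clear_config_keepcaps(lxc_conf)` the code falls through and still appends the "none" token itself to keeplist, which appears intentional (the commit message relies on a non-empty list to get everything dropped) but reads like an oversight without a comment; I would add `/* keep the "none" token in the list so it stays non-empty and still results in every capability being dropped */` before the malloc. The return value of lxc_clear_config_keepcaps() is discarded; if that function can report failure, a failed clear should not be silently ignored, because the outcome would be a container keeping more capabilities than its config specifies. Per the commit message an empty `lxc.cap.keep =` line (handled above this hunk) still clears the whole list, so a later empty assignment silently undoes `none` and restores every capability; that fail-open interaction deserves at least a mention in the man page text added in this series. config_cap_keep() begins and ends outside the hunk.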