Quoting Dwight Engen (dwight.en...@oracle.com):
> Commit 1fb86a7c introduced a way to drop capabilities without having to
> specify them all explicitly. Unfortunately, there is no way to drop them
> all, as just specifying an empty keep list, i.e.:
>
> lxc.cap.keep =
>
> clears the keep list, causing no capabilities to be dropped.
>
> This change allows a special value "none" to be given, which will clear
> all keep capabilities parsed up to this point. If the last parsed value
> is none, all capabilities will be dropped.
>
> Signed-off-by: Dwight Engen <dwight.en...@oracle.com>
Thanks. Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> > --- > v2: implement as 'last wins' so none can be specified after caps, or > vice versa as well > > doc/lxc.container.conf.sgml.in | 5 ++++- > src/lxc/conf.c | 6 ++++++ > src/lxc/confile.c | 3 +++ > 3 files changed, 13 insertions(+), 1 deletion(-) > > diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in > index 30fe4a8..2050d7c 100644 > --- a/doc/lxc.container.conf.sgml.in > +++ b/doc/lxc.container.conf.sgml.in > @@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0 > <listitem> > <para> > Specify the capability to be kept in the container. All other > - capabilities will be dropped. > + capabilities will be dropped. When a special value of "none" is > + encountered, lxc will clear any keep capabilities specified up > + to this point. A value of "none" alone can be used to drop all > + capabilities. > </para> > </listitem> > </varlistentry> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 50fff27..c8b573a 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap) > char *ptr = NULL; > int i, capid = -1; > > + if (!strcmp(cap, "none")) > + return -2; > + > for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) { > > if (strcmp(cap, caps_opt[i].name)) > @@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps) > > capid = parse_cap(keep_entry); > > + if (capid == -2) > + continue; > + > if (capid < 0) { > ERROR("unknown capability %s", keep_entry); > return -1; > diff --git a/src/lxc/confile.c b/src/lxc/confile.c > index 952b714..2455325 100644 > --- a/src/lxc/confile.c > +++ b/src/lxc/confile.c 
> @@ -1498,6 +1498,9 @@ static int config_cap_keep(const char *key, const char > *value, > break; > } > > + if (!strcmp(token, "none")) > + lxc_clear_config_keepcaps(lxc_conf); > + > keeplist = malloc(sizeof(*keeplist)); > if (!keeplist) { > SYSERROR("failed to allocate keepcap list"); > -- > 1.9.3 > > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
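Review bot: the doc/lxc.container.conf.sgml.in hunk still leaves the empty-value case undocumented, and that is the footgun this patch exists for: per the commit message, `lxc.cap.keep =` clears the list and drops nothing, while `lxc.cap.keep = none` drops everything. A sentence stating that explicitly would stop people using the empty form to "drop all". The hunk also says "up to this point" without spelling out the v2 'last wins' rule; one example line such as "`none` followed by further values keeps only those values" would make the ordering unambiguous.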
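Review bot: the `return -2;` for "none" in parse_cap is an undocumented magic value that every caller now has to know about, alongside the existing -1 for unknown. A named constant (for instance `#define CAP_NONE -2`; the name is a suggestion) used both here and in the `capid == -2` test in dropcaps_except would make the contract visible. parse_cap is a shared helper, so if it is also used on the lxc.cap.drop path (not visible in this patch) a "none" there now comes back as -2; a caller that only tests `capid < 0` would still reject it, but please confirm it is reported sensibly rather than as a generic unknown capability.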
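Review bot: the `if (capid == -2) continue;` in dropcaps_except silently depends on config_cap_keep leaving the "none" token in the keep list after clearing it: that entry is what keeps the list non-empty so that dropcaps_except runs at all, and skipping it here is what makes a lone "none" drop everything. A one-line comment above the `continue` saying so would stop a later cleanup from filtering "none" out at parse time, which would quietly reinstate the empty-list-drops-nothing behaviour the patch fixes. The check is correctly placed before the `capid < 0` error path; it must stay there.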
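Review bot: the `strcmp(token, "none")` check in config_cap_keep sits inside the per-token loop, so on a single line such as `lxc.cap.keep = sys_admin none chown` the clear fires mid-line and only chown survives. That is consistent with last-wins, but the doc text only describes it across lines; worth a mention. Also, from the visible context config_cap_keep does not call parse_cap, so a misspelt name (including `NONE` or `None`, since the comparison is exact) is accepted at config-parse time and only rejected by the `unknown capability` error in dropcaps_except when the container starts; if that is the intended split, fine, but a note in the doc that keep-list names are validated at start, not at parse, would save some debugging.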
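The semantics the commit message and the v2 note describe (an empty `lxc.cap.keep =` clears the list and drops nothing, `none` clears what was parsed so far and drops everything, and the last value wins whether `none` comes before or after other names) are easy to get wrong when writing a container config. The following is an added example, not LXC source and not Dwight's patch: it models the keep-list accumulation with those rules and reports how many capabilities the resulting configuration would drop. The `CAPS` table is a constructed subset of capability names, the whitespace tokenizer and the `keep_conf` struct are this example's own assumptions, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not LXC code: a model of how lxc.cap.keep values are
 * accumulated across config lines ("none" clears everything parsed so far,
 * last value wins) and of which capabilities end up dropped as a result.
 * CAPS is a constructed subset of capability names in the lower-case form
 * lxc.cap.keep takes; it is not the kernel's full list. */

static const char *const CAPS[] = {
    "chown", "net_admin", "net_bind_service", "setuid", "sys_admin", "sys_module",
};
#define NCAPS ((int)(sizeof(CAPS) / sizeof(CAPS[0])))

struct keep_conf {
    int keep[NCAPS];  /* 1 if the capability is currently in the keep list */
    int nentries;     /* entries in the keep list, counting a "none" entry */
};

static int cap_index(const char *name)
{
    for (int i = 0; i < NCAPS; i++)
        if (strcmp(name, CAPS[i]) == 0)
            return i;
    return -1;  /* unknown capability, same convention as parse_cap's -1 */
}

static void keep_clear(struct keep_conf *c)
{
    memset(c->keep, 0, sizeof(c->keep));
    c->nentries = 0;
}

/* Process the value of one "lxc.cap.keep = <value>" line.
 * Returns 0 on success, -1 if a token is not a known capability. */
static int keep_add_line(struct keep_conf *c, const char *value)
{
    char buf[256];
    char *tok;

    snprintf(buf, sizeof(buf), "%s", value);

    /* An empty value clears the list. With nothing listed there is nothing
     * to keep-except, so no capability is dropped: this is the footgun. */
    tok = strtok(buf, " \t");
    if (!tok) {
        keep_clear(c);
        return 0;
    }
    for (; tok; tok = strtok(NULL, " \t")) {
        if (strcmp(tok, "none") == 0) {
            /* "none" discards everything parsed so far but remains an entry,
             * so the list is non-empty and every capability gets dropped. */
            keep_clear(c);
            c->nentries = 1;
            continue;
        }
        int idx = cap_index(tok);
        if (idx < 0)
            return -1;
        c->keep[idx] = 1;
        c->nentries++;
    }
    return 0;
}

/* Number of capabilities from CAPS that this configuration would drop. */
static int count_dropped(const struct keep_conf *c)
{
    int dropped = 0;
    if (c->nentries == 0)
        return 0;              /* empty keep list: nothing is dropped */
    for (int i = 0; i < NCAPS; i++)
        if (!c->keep[i])
            dropped++;
    return dropped;
}

/* Apply a sequence of lxc.cap.keep values in order and return how many
 * capabilities are dropped, or -1 if any value was rejected. */
static int dropped_after(const char *const *values, int n)
{
    struct keep_conf c;
    keep_clear(&c);
    for (int i = 0; i < n; i++)
        if (keep_add_line(&c, values[i]) < 0)
            return -1;
    return count_dropped(&c);
}

int main(void)
{
    const char *empty[] = { "" };
    const char *none_only[] = { "none" };
    const char *none_then_caps[] = { "none", "net_bind_service chown" };
    const char *caps_then_none[] = { "sys_admin", "none" };
    const char *bad[] = { "sys_admin bogus_cap" };

    printf("lxc.cap.keep =                : %d dropped\n", dropped_after(empty, 1));
    printf("lxc.cap.keep = none           : %d dropped\n", dropped_after(none_only, 1));
    printf("none, then net_bind_service chown: %d dropped\n", dropped_after(none_then_caps, 2));
    printf("sys_admin, then none          : %d dropped\n", dropped_after(caps_then_none, 2));
    printf("unknown name                  : %d (rejected)\n", dropped_after(bad, 1));
    return 0;
}
```

The contrast worth remembering is the first two lines of output: an empty value leaves every capability in place, while `none` alone removes all of them, and in this model, as in the patch, that difference rests on the `none` token still counting as a list entry.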