nspawn: --private-network should imply CAP_NET_ADMIN
authorLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 13:07:59 +0000 (14:07 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 13:07:59 +0000 (14:07 +0100)
man/systemd-nspawn.xml
src/nspawn/nspawn.c

index 7a88436bcfd17ae61b5f619994e785b72b702884..ffd707092c013d87553066f9ac46ff26a4cd2275 100644 (file)
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
-                                loopback device.</para></listitem>
+                                loopback device and those specified
+                                with
+                                <option>--network-interface=</option>. If
+                                this option is specified the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                                 namespace and place it in the
                                 container. When the container
                                 terminates it is moved back to the
-                                host namespace.</para></listitem>
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
-                                CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
-                                the special value
+                                CAP_AUDIT_WRITE,
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
                                 <literal>all</literal> is passed all
                                 capabilities are
                                 retained.</para></listitem>
index 679c005071dc2558ec11f6a85a98823bf109c9cd..9ce1fa9b49cd72fdcf4b683ba231ccd5fd862488 100644 (file)
@@ -216,6 +216,7 @@ static int parse_argv(int argc, char *argv[]) {
         };
 
         int c, r;
+        uint64_t plus = 0, minus = 0;
 
         assert(argc >= 0);
         assert(argv);
@@ -325,9 +326,9 @@ static int parse_argv(int argc, char *argv[]) {
 
                                 if (streq(t, "all")) {
                                         if (c == ARG_CAPABILITY)
-                                                arg_retain = (uint64_t) -1;
+                                                plus = (uint64_t) -1;
                                         else
-                                                arg_retain = 0;
+                                                minus = (uint64_t) -1;
                                 } else {
                                         if (cap_from_name(t, &cap) < 0) {
                                                 log_error("Failed to parse capability %s.", t);
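Review bot: `minus = (uint64_t) -1` combined with the final `& ~minus` applied once after parsing makes a drop win over any grant regardless of option order, so `--drop-capability=all --capability=CAP_X` now yields an empty retained set, whereas the old in-place `arg_retain = 0` followed by `arg_retain |= ...` would have re-added CAP_X; the per-capability `minus |= 1ULL << (uint64_t) cap` in the hunk at line 336 has the same effect. Failing closed is the right choice for a capability bounding set, but it is a visible behaviour change that the man page hunks in this commit do not mention, so the `--drop-capability=` entry should state it, e.g. `Capabilities listed here are removed after all --capability= grants (and the CAP_NET_ADMIN implied by --private-network) have been applied, irrespective of the order in which the options are given.` parse_argv begins and ends outside this hunk.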
@@ -335,9 +336,9 @@ static int parse_argv(int argc, char *argv[]) {
                                         }
 
                                         if (c == ARG_CAPABILITY)
-                                                arg_retain |= 1ULL << (uint64_t) cap;
+                                                plus |= 1ULL << (uint64_t) cap;
                                         else
-                                                arg_retain &= ~(1ULL << (uint64_t) cap);
+                                                minus |= 1ULL << (uint64_t) cap;
                                 }
                         }
 
@@ -460,6 +461,8 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
+        arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
+
         return 1;
 }