chiark / gitweb /
~ianmdlvl / elogind.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d595c5c)
nspawn: --private-network should imply CAP_NET_ADMIN
authorLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 13:07:59 +0000 (14:07 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 13:07:59 +0000 (14:07 +0100)
man/systemd-nspawn.xml patch | blob | history
src/nspawn/nspawn.c patch | blob | history

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 7a88436bcfd17ae61b5f619994e785b72b702884..ffd707092c013d87553066f9ac46ff26a4cd2275 100644 (file)
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -277,7 +277,15 @@
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
                                 the container. This makes all network
                                 interfaces unavailable in the
                                 container, with the exception of the
-                                loopback device.</para></listitem>
+                                loopback device and those specified
+                                with
+                                <option>--network-interface=</option>. If
+                                this option is specified the
+                                CAP_NET_ADMIN capability will be added
+                                to the set of capabilities the
+                                container retains. The latter may be
+                                disabled by using
+                                <option>--drop-capability=</option>.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -290,7 +298,13 @@
                                 namespace and place it in the
                                 container. When the container
                                 terminates it is moved back to the
                                 namespace and place it in the
                                 container. When the container
                                 terminates it is moved back to the
-                                host namespace.</para></listitem>
+                                host namespace. Note that
+                                <option>--network-interface=</option>
+                                implies
+                                <option>--private-network</option>. This
+                                option may be used more than once to
+                                add multiple network interfaces to the
+                                container.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
                         </varlistentry>
 
                         <varlistentry>
@@ -323,8 +337,11 @@
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
-                                CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
-                                the special value
+                                CAP_AUDIT_WRITE,
+                                CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+                                is retained if
+                                <option>--private-network</option> is
+                                specified. If the special value
                                 <literal>all</literal> is passed all
                                 capabilities are
                                 retained.</para></listitem>
                                 <literal>all</literal> is passed all
                                 capabilities are
                                 retained.</para></listitem>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 679c005071dc2558ec11f6a85a98823bf109c9cd..9ce1fa9b49cd72fdcf4b683ba231ccd5fd862488 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -216,6 +216,7 @@ static int parse_argv(int argc, char *argv[]) {
         };
 
         int c, r;
         };
 
         int c, r;
+        uint64_t plus = 0, minus = 0;
 
         assert(argc >= 0);
         assert(argv);
 
         assert(argc >= 0);
         assert(argv);
@@ -325,9 +326,9 @@ static int parse_argv(int argc, char *argv[]) {
 
                                 if (streq(t, "all")) {
                                         if (c == ARG_CAPABILITY)
 
                                 if (streq(t, "all")) {
                                         if (c == ARG_CAPABILITY)
-                                                arg_retain = (uint64_t) -1;
+                                                plus = (uint64_t) -1;
                                         else
                                         else
-                                                arg_retain = 0;
+                                                minus = (uint64_t) -1;
                                 } else {
                                         if (cap_from_name(t, &cap) < 0) {
                                                 log_error("Failed to parse capability %s.", t);
                                 } else {
                                         if (cap_from_name(t, &cap) < 0) {
                                                 log_error("Failed to parse capability %s.", t);
@@ -335,9 +336,9 @@ static int parse_argv(int argc, char *argv[]) {
                                         }
 
                                         if (c == ARG_CAPABILITY)
                                         }
 
                                         if (c == ARG_CAPABILITY)
-                                                arg_retain |= 1ULL << (uint64_t) cap;
+                                                plus |= 1ULL << (uint64_t) cap;
                                         else
                                         else
-                                                arg_retain &= ~(1ULL << (uint64_t) cap);
+                                                minus |= 1ULL << (uint64_t) cap;
                                 }
                         }
 
                                 }
                         }
 
@@ -460,6 +461,8 @@ static int parse_argv(int argc, char *argv[]) {
                 return -EINVAL;
         }
 
                 return -EINVAL;
         }
 
+        arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
+
         return 1;
 }
 
         return 1;
 }
 
Unnamed repository; edit this file 'description' to name the repository.