chiark / gitweb /
nspawn: introduce --capability=all for retaining all capabilities
authorLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 01:45:11 +0000 (02:45 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 13 Feb 2014 01:45:11 +0000 (02:45 +0100)
man/systemd-nspawn.xml
src/nspawn/nspawn.c

index 8f92b84..ba2c5a4 100644 (file)
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
-                                CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+                                the special value
+                                <literal>all</literal> is passed all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
index d5add4a..0b25334 100644 (file)
@@ -300,25 +300,29 @@ static int parse_argv(int argc, char *argv[]) {
                         size_t length;
 
                         FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+                                _cleanup_free_ char *t;
                                 cap_value_t cap;
-                                char *t;
 
                                 t = strndup(word, length);
                                 if (!t)
                                         return log_oom();
 
-                                if (cap_from_name(t, &cap) < 0) {
-                                        log_error("Failed to parse capability %s.", t);
-                                        free(t);
-                                        return -EINVAL;
+                                if (streq(t, "all")) {
+                                        if (c == ARG_CAPABILITY)
+                                                arg_retain = (uint64_t) -1;
+                                        else
+                                                arg_retain = 0;
+                                } else {
+                                        if (cap_from_name(t, &cap) < 0) {
+                                                log_error("Failed to parse capability %s.", t);
+                                                return -EINVAL;
+                                        }
+
+                                        if (c == ARG_CAPABILITY)
+                                                arg_retain |= 1ULL << (uint64_t) cap;
+                                        else
+                                                arg_retain &= ~(1ULL << (uint64_t) cap);
                                 }
-
-                                free(t);
-
-                                if (c == ARG_CAPABILITY)
-                                        arg_retain |= 1ULL << (uint64_t) cap;
-                                else
-                                        arg_retain &= ~(1ULL << (uint64_t) cap);
                         }
 
                         break;