From: Lennart Poettering
Date: Thu, 13 Feb 2014 01:45:11 +0000 (+0100)
Subject: nspawn: introduce --capability=all for retaining all capabilities
X-Git-Tag: v209~157
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=39ed67d14694983dabd6641c02216aa440eed767;ds=sidebyside
nspawn: introduce --capability=all for retaining all capabilities
---
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 8f92b8430..ba2c5a487 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -310,8 +310,11 @@ CAP_SYS_CHROOT, CAP_SYS_NICE, CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG, CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.
+ CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+ the special value
+ all is passed all
+ capabilities are
+ retained.
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d5add4a45..0b25334fe 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -300,25 +300,29 @@ static int parse_argv(int argc, char *argv[]) {
 size_t length;
 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+ _cleanup_free_ char *t;
 cap_value_t cap;
- char *t;
 t = strndup(word, length);
 if (!t) return log_oom();
- if (cap_from_name(t, &cap) < 0) {
- log_error("Failed to parse capability %s.", t);
- free(t);
- return -EINVAL;
+ if (streq(t, "all")) {
+ if (c == ARG_CAPABILITY)
+ arg_retain = (uint64_t) -1;
+ else
+ arg_retain = 0;
+ } else {
+ if (cap_from_name(t, &cap) < 0) {
+ log_error("Failed to parse capability %s.", t);
+ return -EINVAL;
+ }
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
 }
-
- free(t);
-
- if (c == ARG_CAPABILITY)
- arg_retain |= 1ULL << (uint64_t) cap;
- else
- arg_retain &= ~(1ULL << (uint64_t) cap);
 }
 break;
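Review bot: The `streq(t, "all")` branch in the nspawn.c hunk carries no comment on what an all-ones mask means for confinement: `arg_retain = (uint64_t) -1` sets every bit, including bits that name no capability, so presumably nothing is removed from the container's capability set (how `arg_retain` is consumed is outside this hunk). I would put `/* "all": retain every capability; the payload is then not restricted by capabilities at all */` above that assignment. The `else` arm also gives `all` a meaning for the other option (`arg_retain = 0`), which the man page hunk does not mention, so a short comment there and a matching sentence in the documentation would keep the two in step. Separately, `_cleanup_free_ char *t;` is safer written as `_cleanup_free_ char *t = NULL;`, so that a later edit adding an early return before the `strndup()` cannot free an indeterminate pointer. `parse_argv()` begins and ends outside the hunk.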