summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-02-13 02:45:11 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-13 02:45:11 +0100
commit39ed67d14694983dabd6641c02216aa440eed767 (patch)
tree462dbc0b766b683ba5159975aec601b22c334e60
parent89fffa2735ea975b3716ee47820d194bd86cce5f (diff)
nspawn: introduce --capability=all for retaining all capabilities
-rw-r--r--man/systemd-nspawn.xml7
-rw-r--r--src/nspawn/nspawn.c28
2 files changed, 21 insertions, 14 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 8f92b84304..ba2c5a487b 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -310,8 +310,11 @@
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.</para></listitem>
+ CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+ the special value
+ <literal>all</literal> is passed all
+ capabilities are
+ retained.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d5add4a45e..0b25334fe9 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -300,25 +300,29 @@ static int parse_argv(int argc, char *argv[]) {
size_t length;
FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+ _cleanup_free_ char *t;
cap_value_t cap;
- char *t;
t = strndup(word, length);
if (!t)
return log_oom();
- if (cap_from_name(t, &cap) < 0) {
- log_error("Failed to parse capability %s.", t);
- free(t);
- return -EINVAL;
+ if (streq(t, "all")) {
+ if (c == ARG_CAPABILITY)
+ arg_retain = (uint64_t) -1;
+ else
+ arg_retain = 0;
+ } else {
+ if (cap_from_name(t, &cap) < 0) {
+ log_error("Failed to parse capability %s.", t);
+ return -EINVAL;
+ }
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
}
-
- free(t);
-
- if (c == ARG_CAPABILITY)
- arg_retain |= 1ULL << (uint64_t) cap;
- else
- arg_retain &= ~(1ULL << (uint64_t) cap);
}
break;