author | Lennart Poettering <lennart@poettering.net> | 2014-02-13 02:45:11 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-13 02:45:11 +0100 |
commit | 39ed67d14694983dabd6641c02216aa440eed767 (patch) | |
tree | 462dbc0b766b683ba5159975aec601b22c334e60 | |
parent | 89fffa2735ea975b3716ee47820d194bd86cce5f (diff) |
nspawn: introduce --capability=all for retaining all capabilities
-rw-r--r-- | man/systemd-nspawn.xml | 7 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 28 |
2 files changed, 21 insertions, 14 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 8f92b84304..ba2c5a487b 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -310,8 +310,11 @@
 CAP_SYS_CHROOT, CAP_SYS_NICE,
 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE,
- CAP_AUDIT_CONTROL.</para></listitem>
+ CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+ the special value
+ <literal>all</literal> is passed all
+ capabilities are
+ retained.</para></listitem>
 </varlistentry>
 <varlistentry>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d5add4a45e..0b25334fe9 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -300,25 +300,29 @@ static int parse_argv(int argc, char *argv[]) {
 size_t length;
 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+ _cleanup_free_ char *t;
 cap_value_t cap;
- char *t;
 t = strndup(word, length);
 if (!t)
 return log_oom();
- if (cap_from_name(t, &cap) < 0) {
- log_error("Failed to parse capability %s.", t);
- free(t);
- return -EINVAL;
+ if (streq(t, "all")) {
+ if (c == ARG_CAPABILITY)
+ arg_retain = (uint64_t) -1;
+ else
+ arg_retain = 0;
+ } else {
+ if (cap_from_name(t, &cap) < 0) {
+ log_error("Failed to parse capability %s.", t);
+ return -EINVAL;
+ }
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
 }
-
- free(t);
-
- if (c == ARG_CAPABILITY)
- arg_retain |= 1ULL << (uint64_t) cap;
- else
- arg_retain &= ~(1ULL << (uint64_t) cap);
 }
 break; |
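Review bot: The new `streq(t, "all")` branch silently replaces the whole retained set — `(uint64_t) -1` keeps every capability bit, so if arg_retain is later applied as the container's bounding-set mask this turns the capability sandbox off entirely, and `--drop-capability=all` just as silently zeroes it — and because arg_retain is mutated in option order, the effect of `all` depends on where it appears on the command line; a comment at that check would help, e.g. `/* "all" replaces the entire retained set; later --capability=/--drop-capability= options still adjust it in parse order */`. The per-name branch still shifts by an unchecked `cap`: cap_from_name() presumably only returns values below 64, but nothing in this hunk enforces that, so a guard such as `if (cap < 0 || cap >= 64) return -EINVAL;` before `1ULL << (uint64_t) cap` would rule out undefined behaviour if libcap ever reports a larger number. The enclosing parse_argv() switch starts and ends outside the hunk.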