author: Lennart Poettering <lennart@poettering.net> 2013-01-18 18:13:01 +0100
committer: Lennart Poettering <lennart@poettering.net> 2013-01-18 18:23:20 +0100
commit: 88d04e31ce0837ebf937ab46c3c39a0d93ab4c7c (patch)
tree: 99a477e474eafb70183b5b26d31734301cbe4da4 /src/nspawn
parent: 96cde13ace6406582688028f3df5668a172ba628 (diff)
nspawn: add audit caps to default set to keep
Due to the brokenness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and be virtualized properly at which time it should be safe to enable these caps anyway.
Diffstat (limited to 'src/nspawn')
-rw-r--r-- src/nspawn/nspawn.c | 4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 98b583d747..62dc20d824 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -96,7 +96,9 @@ static uint64_t arg_retain =
(1ULL << CAP_SYS_PTRACE) |
(1ULL << CAP_SYS_TTY_CONFIG) |
(1ULL << CAP_SYS_RESOURCE) |
- (1ULL << CAP_SYS_BOOT);
+ (1ULL << CAP_SYS_BOOT) |
+ (1ULL << CAP_AUDIT_WRITE) |
+ (1ULL << CAP_AUDIT_CONTROL);
static int help(void) {
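Review bot: the hunk adds CAP_AUDIT_CONTROL, not just CAP_AUDIT_WRITE, to the default retained set for every container, while the commit message itself states that auditing is not yet virtualized for containers and that it will only "be safe to enable these caps" once it is. CAP_AUDIT_CONTROL governs configuration of the audit subsystem rather than merely emitting records, so widening the default this far deserves a second look: consider retaining only CAP_AUDIT_WRITE by default and leaving CAP_AUDIT_CONTROL to the existing opt-in path, or at minimum document alongside the default capability list that both audit caps are now kept and that the host must still boot with audit=0 as the message notes.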