-rw-r--r-- | man/systemd-nspawn.xml | 10 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 12 |
2 files changed, 20 insertions, 2 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 3707a5ec94..75d2e6d72e 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -304,6 +304,16 @@
 </varlistentry>
 <varlistentry>
+ <term><option>--drop-capability=</option></term>
+
+ <listitem><para>Specify one or more
+ additional capabilities to drop for
+ the container. This allows running the
+ container with fewer capabilities than
+ the default (see above).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
 <term><option>--link-journal=</option></term>
 <listitem><para>Control whether the
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 2778cd8411..81d17484ac 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -127,6 +127,7 @@ static int help(void) {
 " --read-only Mount the root directory read-only\n"
 " --capability=CAP In addition to the default, retain specified\n"
 " capability\n"
+ " --drop-capability=CAP Drop the specified capability from the default set\n"
 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
 " -j Equivalent to --link-journal=host\n"
 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
@@ -145,6 +146,7 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_UUID,
 ARG_READ_ONLY,
 ARG_CAPABILITY,
+ ARG_DROP_CAPABILITY,
 ARG_LINK_JOURNAL,
 ARG_BIND,
 ARG_BIND_RO
@@ -160,6 +162,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "uuid", required_argument, NULL, ARG_UUID },
 { "read-only", no_argument, NULL, ARG_READ_ONLY },
 { "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
 { "bind", required_argument, NULL, ARG_BIND },
 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
@@ -243,7 +246,8 @@ static int parse_argv(int argc, char *argv[]) {
 arg_read_only = true;
 break;
- case ARG_CAPABILITY: {
+ case ARG_CAPABILITY:
+ case ARG_DROP_CAPABILITY: {
 char *state, *word;
 size_t length;
@@ -262,7 +266,11 @@ static int parse_argv(int argc, char *argv[]) {
 }
 free(t);
- arg_retain |= 1ULL << (uint64_t) cap;
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
 }
 break; |
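Review bot: The new else branch in the `@@ -262,7 +266,11 @@` hunk clears the bit from whatever `arg_retain` holds at that moment, so the outcome depends on argument order: `--drop-capability=X --capability=X` ends up retaining X while the reverse order drops it, even though the help text added in the `@@ -127,6 +127,7 @@` hunk and the man page entry describe removing the capability "from the default set". If drops are meant to win regardless of order, accumulate them into a separate `arg_drop` mask here (`arg_drop |= 1ULL << (uint64_t) cap;`) and apply `arg_retain &= ~arg_drop;` once after the option loop; otherwise the man page entry should state that the last of the two options on the command line wins. The shift `1ULL << (uint64_t) cap` is carried over from the removed line, but the range check on `cap` sits above this hunk, so it cannot be confirmed from here that values outside 0..63 are rejected before reaching it. The enclosing `parse_argv` switch case begins and ends outside the hunk.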