[systemd-commits] man/systemd-nspawn.xml src/nspawn

Lennart Poettering lennart at kemper.freedesktop.org
Thu Feb 13 02:45:48 CET 2014


 man/systemd-nspawn.xml |    7 +++++--
 src/nspawn/nspawn.c    |   28 ++++++++++++++++------------
 2 files changed, 21 insertions(+), 14 deletions(-)

New commits:
commit 39ed67d14694983dabd6641c02216aa440eed767
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Feb 13 02:45:11 2014 +0100

    nspawn: introduce --capability=all for retaining all capabilities

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 8f92b84..ba2c5a4 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -310,8 +310,11 @@
                                 CAP_SYS_CHROOT, CAP_SYS_NICE,
                                 CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
                                 CAP_SYS_RESOURCE, CAP_SYS_BOOT,
-                                CAP_AUDIT_WRITE,
-                                CAP_AUDIT_CONTROL.</para></listitem>
+                                CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
+                                the special value
+                                <literal>all</literal> is passed all
+                                capabilities are
+                                retained.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index d5add4a..0b25334 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -300,25 +300,29 @@ static int parse_argv(int argc, char *argv[]) {
                         size_t length;
 
                         FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+                                _cleanup_free_ char *t;
                                 cap_value_t cap;
-                                char *t;
 
                                 t = strndup(word, length);
                                 if (!t)
                                         return log_oom();
 
-                                if (cap_from_name(t, &cap) < 0) {
-                                        log_error("Failed to parse capability %s.", t);
-                                        free(t);
-                                        return -EINVAL;
+                                if (streq(t, "all")) {
+                                        if (c == ARG_CAPABILITY)
+                                                arg_retain = (uint64_t) -1;
+                                        else
+                                                arg_retain = 0;
+                                } else {
+                                        if (cap_from_name(t, &cap) < 0) {
+                                                log_error("Failed to parse capability %s.", t);
+                                                return -EINVAL;
+                                        }
+
+                                        if (c == ARG_CAPABILITY)
+                                                arg_retain |= 1ULL << (uint64_t) cap;
+                                        else
+                                                arg_retain &= ~(1ULL << (uint64_t) cap);
                                 }
-
-                                free(t);
-
-                                if (c == ARG_CAPABILITY)
-                                        arg_retain |= 1ULL << (uint64_t) cap;
-                                else
-                                        arg_retain &= ~(1ULL << (uint64_t) cap);
                         }
 
                         break;
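Review bot: The `all` branch assigns `(uint64_t) -1`, which sets bits for capability numbers the running kernel does not define, and whether that is harmless depends on how the consumer of arg_retain outside this hunk iterates the mask (by cap_last_cap() it is fine; by all 64 bits it would try to keep nonexistent capabilities); a comment at the assignment would settle this for readers, e.g. `/* every bit set; the consumer masks it against cap_last_cap() */` if that is indeed the case. The sentinel is also matched case-sensitively with `streq(t, "all")`, while the fallback path delegates to cap_from_name(), which in libcap is case-insensitive, so `--capability=ALL` would be rejected while `--capability=cap_sys_admin` is accepted; `if (strcasecmp(t, "all") == 0)` would make the two spellings consistent. As a style point, `_cleanup_free_ char *t;` should be declared as `_cleanup_free_ char *t = NULL;` so the cleanup handler never sees an indeterminate pointer if an early return is later added between the declaration and the strndup(). parse_argv() begins and ends outside this hunk.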


