nspawn: allow Capability=all in systemd.nspawn [EXEC] section

Just like --capability=all is allowed in the systemd-nspawn command line.
2019-11-29 17:08:05 +08:00 · 2019-11-29 17:08:05 +08:00 · c152a2ba54
parent dd08aa6488
commit c152a2ba54
2 changed files with 12 additions and 7 deletions
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@ -189,7 +189,8 @@
        <filename>/etc/systemd/nspawn/</filename> and
        <filename>/run/system/nspawn/</filename> (see above). On the
        other hand, <varname>DropCapability=</varname> takes effect in
-        all cases.</para></listitem>
+        all cases. If the special value <literal>all</literal> is passed, all
+        capabilities are retained (or dropped).</para></listitem>
      </varlistentry>

      <varlistentry>
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@ -275,13 +275,17 @@ int config_parse_capability(
                if (r == 0)
                        break;

-                r = capability_from_name(word);
-                if (r < 0) {
-                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
-                        continue;
-                }
+                if (streq(word, "all"))
+                        u = (uint64_t) -1;
+                else {
+                        r = capability_from_name(word);
+                        if (r < 0) {
+                                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
+                                continue;
+                        }

-                u |= UINT64_C(1) << r;
+                        u |= UINT64_C(1) << r;
+                }
        }

        if (u == 0)