From c152a2ba54dc77322997e8f5e302518fe4b07e57 Mon Sep 17 00:00:00 2001
From: afg <afg984@gmail.com>
Date: Fri, 29 Nov 2019 17:08:05 +0800
Subject: [PATCH] nspawn: allow Capability=all in systemd.nspawn [EXEC] section

Just like --capability=all is allowed in the systemd-nspawn
command line.
---
 man/systemd.nspawn.xml       |  3 ++-
 src/nspawn/nspawn-settings.c | 16 ++++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 8f5590c73a..11df4623b4 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -189,7 +189,8 @@
         <filename>/etc/systemd/nspawn/</filename> and
         <filename>/run/system/nspawn/</filename> (see above). On the
         other hand, <varname>DropCapability=</varname> takes effect in
-        all cases.</para></listitem>
+        all cases. If the special value <literal>all</literal> is passed, all
+        capabilities are retained (or dropped).</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
index 3a99736813..5fb5b49bbc 100644
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -275,13 +275,17 @@ int config_parse_capability(
                 if (r == 0)
                         break;
 
-                r = capability_from_name(word);
-                if (r < 0) {
-                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
-                        continue;
-                }
+                if (streq(word, "all"))
+                        u = (uint64_t) -1;
+                else {
+                        r = capability_from_name(word);
+                        if (r < 0) {
+                                log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
+                                continue;
+                        }
 
-                u |= UINT64_C(1) << r;
+                        u |= UINT64_C(1) << r;
+                }
         }
 
         if (u == 0)