picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

nspawn: allow Capability=all in systemd.nspawn [EXEC] section 

Just like --capability=all is allowed in the systemd-nspawn
command line.
This commit is contained in:
afg 2019-11-29 17:08:05 +08:00 committed by Lennart Poettering
parent dd08aa6488
commit c152a2ba54
2 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
man/systemd.nspawn.xml
View File

@ -189,7 +189,8 @@
<filename>/etc/systemd/nspawn/</filename> and <filename>/etc/systemd/nspawn/</filename> and
<filename>/run/system/nspawn/</filename> (see above). On the <filename>/run/system/nspawn/</filename> (see above). On the
other hand, <varname>DropCapability=</varname> takes effect in other hand, <varname>DropCapability=</varname> takes effect in
all cases.</para></listitem> all cases. If the special value <literal>all</literal> is passed, all
capabilities are retained (or dropped).</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

16
src/nspawn/nspawn-settings.c
View File

@ -275,13 +275,17 @@ int config_parse_capability(
if (r == 0) if (r == 0)
break; break;
r = capability_from_name(word); if (streq(word, "all"))
if (r < 0) { u = (uint64_t) -1;
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word); else {
continue; r = capability_from_name(word);
} if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word);
continue;
}
u |= UINT64_C(1) << r; u |= UINT64_C(1) << r;
}
} }
if (u == 0) if (u == 0)