88fc9c9bad
The old code was only able to pass the value 0 for the inheritable and ambient capability set when a non-root user was specified. However, sometimes it is useful to run a program in its own container with a user specification and some capabilities set. This is needed when the capabilities cannot be provided by file capabilities (because the file system is mounted with MS_NOSUID for additional security). This commit introduces the option --ambient-capability and the config file option AmbientCapability=. Both are used in a similar way to the existing Capability= setting. It changes the inheritable and ambient set (which is 0 by default). The code also checks that the settings for the bounding set (as defined by Capability= and DropCapability=) and the setting for the ambient set (as defined by AmbientCapability=) are compatible. Otherwise, the operation would fail in any way. Due to the current use of -1 to indicate no support for ambient capability set the special value "all" cannot be supported. Also, the setting of ambient capability is restricted to running a single program in the container payload.
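The compatibility check between the bounding set (Capability= plus DropCapability=) and AmbientCapability= that the commit message describes, as an added example that is not systemd's own code. The capability name table, the base bounding set and the function names are constructed stand-ins; the -1 sentinel mirrors the message's reason why "all" cannot be expressed for the ambient set.

```c
/* Added example (not systemd's code): validate AmbientCapability= against the
 * bounding set built from Capability= and DropCapability=. */
#include <stdint.h>
#include <string.h>

/* -1 doubles as "ambient set unsupported / parse error", which is why the
 * keyword "all" cannot be accepted for the ambient set. */
#define CAP_MASK_UNSET ((uint64_t) -1)

/* Constructed lookup table: a handful of real kernel capability numbers. */
static const struct { const char *name; unsigned bit; } cap_table[] = {
    { "CAP_CHOWN", 0 }, { "CAP_SETGID", 6 }, { "CAP_SETUID", 7 },
    { "CAP_NET_BIND_SERVICE", 10 }, { "CAP_NET_ADMIN", 12 },
    { "CAP_NET_RAW", 13 }, { "CAP_SYS_ADMIN", 21 },
};
#define CAP_TABLE_LEN (sizeof cap_table / sizeof cap_table[0])

/* Parse a space-separated capability list into a bit mask. "all" is only
 * accepted when allow_all is set (bounding set: yes, ambient set: no).
 * Returns CAP_MASK_UNSET on an unknown name or a rejected "all". */
static uint64_t parse_cap_list(const char *list, int allow_all) {
    char buf[256];
    uint64_t mask = 0;
    if (strlen(list) >= sizeof buf) return CAP_MASK_UNSET;
    strcpy(buf, list);
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        size_t i;
        if (strcmp(tok, "all") == 0) {
            if (!allow_all) return CAP_MASK_UNSET;
            for (i = 0; i < CAP_TABLE_LEN; i++) mask |= UINT64_C(1) << cap_table[i].bit;
            continue;
        }
        for (i = 0; i < CAP_TABLE_LEN && strcmp(tok, cap_table[i].name) != 0; i++) {}
        if (i == CAP_TABLE_LEN) return CAP_MASK_UNSET;
        mask |= UINT64_C(1) << cap_table[i].bit;
    }
    return mask;
}

/* The bounding set limits what may enter the inheritable set, and the ambient
 * set must be a subset of inheritable, so an ambient capability outside the
 * bounding set can never be raised: reject the configuration up front. */
static int ambient_compatible(uint64_t bounding, uint64_t ambient) {
    return (ambient & ~bounding) == 0;
}

/* Evaluate one configuration. The base set is a constructed stand-in for the
 * default bounding set. Returns 1 if compatible, 0 if not, -1 on a parse error
 * (including "all" given for the ambient set). */
static int check_config(const char *cap, const char *drop_cap, const char *ambient_cap) {
    uint64_t base = parse_cap_list("CAP_CHOWN CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE", 1);
    uint64_t add = parse_cap_list(cap, 1), drop = parse_cap_list(drop_cap, 1);
    uint64_t ambient = parse_cap_list(ambient_cap, 0);
    if (add == CAP_MASK_UNSET || drop == CAP_MASK_UNSET || ambient == CAP_MASK_UNSET) return -1;
    uint64_t bounding = (base | add) & ~drop;   /* Capability= adds, DropCapability= removes */
    return ambient_compatible(bounding, ambient);
}
```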