Accepting request 238754 from home:cbosdonnat:branches:Virtualization
Fixed for older kernels OBS-URL: https://build.opensuse.org/request/show/238754 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=387
parent
f0ef621840
commit
260c505ef7
@ -565,11 +565,124 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
||||
===================================================================
|
||||
--- libvirt-1.2.5.orig/src/lxc/lxc_container.c
|
||||
+++ libvirt-1.2.5/src/lxc/lxc_container.c
|
||||
@@ -1732,25 +1732,115 @@ static int lxcContainerResolveSymlinks(v
|
||||
@@ -1739,25 +1739,232 @@ static int lxcContainerResolveSymlinks(v
|
||||
* host system, since they are not currently "containerized"
|
||||
*/
|
||||
#if WITH_CAPNG
|
||||
-static int lxcContainerDropCapabilities(bool keepReboot)
|
||||
+
|
||||
+# ifndef CAP_AUDIT_CONTROL
|
||||
+# define CAP_AUDIT_CONTROL -1
|
||||
+# endif
|
||||
+# ifndef CAP_AUDIT_WRITE
|
||||
+# define CAP_AUDIT_WRITE -1
|
||||
+# endif
|
||||
+# ifndef CAP_BLOCK_SUSPEND
|
||||
+# define CAP_BLOCK_SUSPEND -1
|
||||
+# endif
|
||||
+# ifndef CAP_CHOWN
|
||||
+# define CAP_CHOWN -1
|
||||
+# endif
|
||||
+# ifndef CAP_DAC_OVERRIDE
|
||||
+# define CAP_DAC_OVERRIDE -1
|
||||
+# endif
|
||||
+# ifndef CAP_DAC_READ_SEARCH
|
||||
+# define CAP_DAC_READ_SEARCH -1
|
||||
+# endif
|
||||
+# ifndef CAP_FOWNER
|
||||
+# define CAP_FOWNER -1
|
||||
+# endif
|
||||
+# ifndef CAP_FSETID
|
||||
+# define CAP_FSETID -1
|
||||
+# endif
|
||||
+# ifndef CAP_IPC_LOCK
|
||||
+# define CAP_IPC_LOCK -1
|
||||
+# endif
|
||||
+# ifndef CAP_IPC_OWNER
|
||||
+# define CAP_IPC_OWNER -1
|
||||
+# endif
|
||||
+# ifndef CAP_KILL
|
||||
+# define CAP_KILL -1
|
||||
+# endif
|
||||
+# ifndef CAP_LEASE
|
||||
+# define CAP_LEASE -1
|
||||
+# endif
|
||||
+# ifndef CAP_LINUX_IMMUTABLE
|
||||
+# define CAP_LINUX_IMMUTABLE -1
|
||||
+# endif
|
||||
+# ifndef CAP_MAC_ADMIN
|
||||
+# define CAP_MAC_ADMIN -1
|
||||
+# endif
|
||||
+# ifndef CAP_MAC_OVERRIDE
|
||||
+# define CAP_MAC_OVERRIDE -1
|
||||
+# endif
|
||||
+# ifndef CAP_MKNOD
|
||||
+# define CAP_MKNOD -1
|
||||
+# endif
|
||||
+# ifndef CAP_NET_ADMIN
|
||||
+# define CAP_NET_ADMIN -1
|
||||
+# endif
|
||||
+# ifndef CAP_NET_BIND_SERVICE
|
||||
+# define CAP_NET_BIND_SERVICE -1
|
||||
+# endif
|
||||
+# ifndef CAP_NET_BROADCAST
|
||||
+# define CAP_NET_BROADCAST -1
|
||||
+# endif
|
||||
+# ifndef CAP_NET_RAW
|
||||
+# define CAP_NET_RAW -1
|
||||
+# endif
|
||||
+# ifndef CAP_SETGID
|
||||
+# define CAP_SETGID -1
|
||||
+# endif
|
||||
+# ifndef CAP_SETFCAP
|
||||
+# define CAP_SETFCAP -1
|
||||
+# endif
|
||||
+# ifndef CAP_SETPCAP
|
||||
+# define CAP_SETPCAP -1
|
||||
+# endif
|
||||
+# ifndef CAP_SETUID
|
||||
+# define CAP_SETUID -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_ADMIN
|
||||
+# define CAP_SYS_ADMIN -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_BOOT
|
||||
+# define CAP_SYS_BOOT -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_CHROOT
|
||||
+# define CAP_SYS_CHROOT -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_MODULE
|
||||
+# define CAP_SYS_MODULE -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_NICE
|
||||
+# define CAP_SYS_NICE -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_PACCT
|
||||
+# define CAP_SYS_PACCT -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_PTRACE
|
||||
+# define CAP_SYS_PTRACE -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_RAWIO
|
||||
+# define CAP_SYS_RAWIO -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_RESOURCE
|
||||
+# define CAP_SYS_RESOURCE -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_TIME
|
||||
+# define CAP_SYS_TIME -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYS_TTY_CONFIG
|
||||
+# define CAP_SYS_TTY_CONFIG -1
|
||||
+# endif
|
||||
+# ifndef CAP_SYSLOG
|
||||
+# define CAP_SYSLOG -1
|
||||
+# endif
|
||||
+# ifndef CAP_WAKE_ALARM
|
||||
+# define CAP_WAKE_ALARM -1
|
||||
+# endif
|
||||
+
|
||||
+static int lxcContainerDropCapabilities(virDomainDefPtr def,
|
||||
+ bool keepReboot)
|
||||
{
|
||||
@ -640,6 +753,10 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
||||
+ bool toDrop = false;
|
||||
+ int state = def->caps_features[i];
|
||||
+
|
||||
+ /* Skip capabilities that aren't handled by our kernel */
|
||||
+ if (!cap_valid(capsMapping))
|
||||
+ continue;
|
||||
+
|
||||
+ switch ((virDomainCapabilitiesPolicy) policy) {
|
||||
+
|
||||
+ case VIR_DOMAIN_CAPABILITIES_POLICY_DENY:
|
||||
@ -695,7 +812,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
||||
}
|
||||
|
||||
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
|
||||
@@ -1768,7 +1858,8 @@ static int lxcContainerDropCapabilities(
|
||||
@@ -1775,7 +1982,8 @@ static int lxcContainerDropCapabilities(
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
@ -705,7 +822,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
||||
{
|
||||
VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities");
|
||||
return 0;
|
||||
@@ -1874,7 +1965,7 @@ static int lxcContainerChild(void *data)
|
||||
@@ -1881,7 +2089,7 @@ static int lxcContainerChild(void *data)
|
||||
}
|
||||
|
||||
/* drop a set of root capabilities */
|
||||
|
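Review bot: The new skip in the hunk at `@ -640,6 +753,10 @` calls `cap_valid(capsMapping)` on the name itself, while the line just above it reads `def->caps_features[i]` by index. The declaration of `capsMapping` and the loop header are outside the visible lines, but if it is the per-feature table of `CAP_*` values, the test compares the array rather than one entry and is unlikely ever to pass, so `continue` would skip the policy switch for every capability and the configured deny entries would not be applied; `if (!cap_valid(capsMapping[i]))` looks like what is meant. The `-1` fallbacks in the first hunk are chosen at build time, so a capability missing from the build headers is left out of the policy silently even when the running kernel supports it; a `VIR_DEBUG` naming the skipped feature before `continue` would make that visible.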