From 260c505ef7612dd3bd82289cca0b8183f8d0873764f64a4aac9013be65c5318b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Thu, 26 Jun 2014 08:51:26 +0000
Subject: [PATCH] Accepting request 238754 from home:cbosdonnat:branches:Virtualization

Fixed for older kernels

OBS-URL: https://build.opensuse.org/request/show/238754
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=387
---
 lxc-keep-caps-feature.patch | 123 +++++++++++++++++++++++++++++++++++-
 1 file changed, 120 insertions(+), 3 deletions(-)

diff --git a/lxc-keep-caps-feature.patch b/lxc-keep-caps-feature.patch
index dff9c28..a561abf 100644
--- a/lxc-keep-caps-feature.patch
+++ b/lxc-keep-caps-feature.patch
@@ -565,11 +565,124 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c =================================================================== --- libvirt-1.2.5.orig/src/lxc/lxc_container.c +++ libvirt-1.2.5/src/lxc/lxc_container.c -@@ -1732,25 +1732,115 @@ static int lxcContainerResolveSymlinks(v +@@ -1739,25 +1739,232 @@ static int lxcContainerResolveSymlinks(v * host system, since they are not currently "containerized" */ #if WITH_CAPNG -static int lxcContainerDropCapabilities(bool keepReboot) ++ ++# ifndef CAP_AUDIT_CONTROL ++# define CAP_AUDIT_CONTROL -1 ++# endif ++# ifndef CAP_AUDIT_WRITE ++# define CAP_AUDIT_WRITE -1 ++# endif ++# ifndef CAP_BLOCK_SUSPEND ++# define CAP_BLOCK_SUSPEND -1 ++# endif ++# ifndef CAP_CHOWN ++# define CAP_CHOWN -1 ++# endif ++# ifndef CAP_DAC_OVERRIDE ++# define CAP_DAC_OVERRIDE -1 ++# endif ++# ifndef CAP_DAC_READ_SEARCH ++# define CAP_DAC_READ_SEARCH -1 ++# endif ++# ifndef CAP_FOWNER ++# define CAP_FOWNER -1 ++# endif ++# ifndef CAP_FSETID ++# define CAP_FSETID -1 ++# endif ++# ifndef CAP_IPC_LOCK ++# define CAP_IPC_LOCK -1 ++# endif ++# ifndef CAP_IPC_OWNER ++# define CAP_IPC_OWNER -1 ++# endif ++# ifndef CAP_KILL ++# define CAP_KILL -1 ++# endif ++# ifndef CAP_LEASE ++# define CAP_LEASE -1 ++# endif ++# ifndef CAP_LINUX_IMMUTABLE ++# define CAP_LINUX_IMMUTABLE -1 ++# endif ++# ifndef CAP_MAC_ADMIN ++# define CAP_MAC_ADMIN -1 ++# endif ++# ifndef CAP_MAC_OVERRIDE ++# define CAP_MAC_OVERRIDE -1 ++# endif ++# ifndef CAP_MKNOD ++# define CAP_MKNOD -1 ++# endif ++# ifndef CAP_NET_ADMIN ++# define CAP_NET_ADMIN -1 ++# endif ++# ifndef CAP_NET_BIND_SERVICE ++# define CAP_NET_BIND_SERVICE -1 ++# endif ++# ifndef CAP_NET_BROADCAST ++# define CAP_NET_BROADCAST -1 ++# endif ++# ifndef CAP_NET_RAW ++# define CAP_NET_RAW -1 ++# endif ++# ifndef CAP_SETGID ++# define CAP_SETGID -1 ++# endif ++# ifndef CAP_SETFCAP ++# define CAP_SETFCAP -1 ++# endif ++# ifndef CAP_SETPCAP ++# define CAP_SETPCAP -1 ++# endif ++# ifndef CAP_SETUID ++# define 
CAP_SETUID -1 ++# endif ++# ifndef CAP_SYS_ADMIN ++# define CAP_SYS_ADMIN -1 ++# endif ++# ifndef CAP_SYS_BOOT ++# define CAP_SYS_BOOT -1 ++# endif ++# ifndef CAP_SYS_CHROOT ++# define CAP_SYS_CHROOT -1 ++# endif ++# ifndef CAP_SYS_MODULE ++# define CAP_SYS_MODULE -1 ++# endif ++# ifndef CAP_SYS_NICE ++# define CAP_SYS_NICE -1 ++# endif ++# ifndef CAP_SYS_PACCT ++# define CAP_SYS_PACCT -1 ++# endif ++# ifndef CAP_SYS_PTRACE ++# define CAP_SYS_PTRACE -1 ++# endif ++# ifndef CAP_SYS_RAWIO ++# define CAP_SYS_RAWIO -1 ++# endif ++# ifndef CAP_SYS_RESOURCE ++# define CAP_SYS_RESOURCE -1 ++# endif ++# ifndef CAP_SYS_TIME ++# define CAP_SYS_TIME -1 ++# endif ++# ifndef CAP_SYS_TTY_CONFIG ++# define CAP_SYS_TTY_CONFIG -1 ++# endif ++# ifndef CAP_SYSLOG ++# define CAP_SYSLOG -1 ++# endif ++# ifndef CAP_WAKE_ALARM ++# define CAP_WAKE_ALARM -1 ++# endif ++ +static int lxcContainerDropCapabilities(virDomainDefPtr def, + bool keepReboot) { @@ -640,6 +753,10 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c + bool toDrop = false; + int state = def->caps_features[i]; + ++ /* Skip capabilities that aren't handled by our kernel */ ++ if (!cap_valid(capsMapping)) ++ continue; ++ + switch ((virDomainCapabilitiesPolicy) policy) { + + case VIR_DOMAIN_CAPABILITIES_POLICY_DENY: @@ -695,7 +812,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c } if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) { -@@ -1768,7 +1858,8 @@ static int lxcContainerDropCapabilities( +@@ -1775,7 +1982,8 @@ static int lxcContainerDropCapabilities( return 0; } #else @@ -705,7 +822,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c { VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities"); return 0; -@@ -1874,7 +1965,7 @@ static int lxcContainerChild(void *data) +@@ -1881,7 +2089,7 @@ static int lxcContainerChild(void *data) } /* drop a set of root capabilities */
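Review bot: The block of `# ifndef CAP_X` / `# define CAP_X -1` fallbacks added ahead of lxcContainerDropCapabilities() carries no explanation of why -1 is the chosen value, and a reader of lxc_container.c only learns it from the `cap_valid()` test that the later hunk adds inside the loop. I would put one comment at the top of the fallback block, e.g. `/* Capabilities absent from the headers we are built against are mapped to -1, which cap_valid() rejects, so the policy loop below leaves them untouched. */`, so the two halves of the mechanism are tied together in the source rather than only in this patch. The -1 sentinel also only works if the mapping table is signed; the table's declaration is outside this hunk, so it is worth confirming it is not `unsigned`. The enclosing `#if WITH_CAPNG` region and the function body continue past the hunk.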
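Review bot: The new `if (!cap_valid(capsMapping)) continue;` silently discards a capability the domain XML explicitly asked to keep or drop, and the comment above it is inaccurate: the fallback defines are resolved against the headers libvirt was built with, not "our kernel", so on a newer runtime kernel a capability that the build did not know about is neither dropped nor reported. Since the `state` value read two lines earlier is in scope, I would at least warn when it is not the default, and reword the comment to `/* Skip capabilities unknown to the headers we were built against */`; whether an explicit request should be a hard error instead is a policy call for the maintainers. The loop header and the declaration of capsMapping are outside this hunk, so the exact index expression and the enumerator for the default state (which I take to be VIR_DOMAIN_FEATURE_STATE_DEFAULT in 1.2.5) should be checked against the surrounding code.
```c
        /* Skip capabilities unknown to the headers we were built against */
        if (!cap_valid(capsMapping)) {
            if (state != VIR_DOMAIN_FEATURE_STATE_DEFAULT)
                VIR_WARN("capability feature %zu is explicitly configured but "
                         "unknown to this build, ignoring it", (size_t) i);
            continue;
        }
        /* … unchanged: policy switch … */
```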