Accepting request 238754 from home:cbosdonnat:branches:Virtualization
Fixed for older kernels OBS-URL: https://build.opensuse.org/request/show/238754 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=387
parent
f0ef621840
commit
260c505ef7
@ -565,11 +565,124 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- libvirt-1.2.5.orig/src/lxc/lxc_container.c
|
--- libvirt-1.2.5.orig/src/lxc/lxc_container.c
|
||||||
+++ libvirt-1.2.5/src/lxc/lxc_container.c
|
+++ libvirt-1.2.5/src/lxc/lxc_container.c
|
||||||
@@ -1732,25 +1732,115 @@ static int lxcContainerResolveSymlinks(v
|
@@ -1739,25 +1739,232 @@ static int lxcContainerResolveSymlinks(v
|
||||||
* host system, since they are not currently "containerized"
|
* host system, since they are not currently "containerized"
|
||||||
*/
|
*/
|
||||||
#if WITH_CAPNG
|
#if WITH_CAPNG
|
||||||
-static int lxcContainerDropCapabilities(bool keepReboot)
|
-static int lxcContainerDropCapabilities(bool keepReboot)
|
||||||
|
+
|
||||||
|
+# ifndef CAP_AUDIT_CONTROL
|
||||||
|
+# define CAP_AUDIT_CONTROL -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_AUDIT_WRITE
|
||||||
|
+# define CAP_AUDIT_WRITE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_BLOCK_SUSPEND
|
||||||
|
+# define CAP_BLOCK_SUSPEND -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_CHOWN
|
||||||
|
+# define CAP_CHOWN -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_DAC_OVERRIDE
|
||||||
|
+# define CAP_DAC_OVERRIDE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_DAC_READ_SEARCH
|
||||||
|
+# define CAP_DAC_READ_SEARCH -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_FOWNER
|
||||||
|
+# define CAP_FOWNER -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_FSETID
|
||||||
|
+# define CAP_FSETID -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_IPC_LOCK
|
||||||
|
+# define CAP_IPC_LOCK -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_IPC_OWNER
|
||||||
|
+# define CAP_IPC_OWNER -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_KILL
|
||||||
|
+# define CAP_KILL -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_LEASE
|
||||||
|
+# define CAP_LEASE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_LINUX_IMMUTABLE
|
||||||
|
+# define CAP_LINUX_IMMUTABLE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_MAC_ADMIN
|
||||||
|
+# define CAP_MAC_ADMIN -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_MAC_OVERRIDE
|
||||||
|
+# define CAP_MAC_OVERRIDE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_MKNOD
|
||||||
|
+# define CAP_MKNOD -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_NET_ADMIN
|
||||||
|
+# define CAP_NET_ADMIN -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_NET_BIND_SERVICE
|
||||||
|
+# define CAP_NET_BIND_SERVICE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_NET_BROADCAST
|
||||||
|
+# define CAP_NET_BROADCAST -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_NET_RAW
|
||||||
|
+# define CAP_NET_RAW -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SETGID
|
||||||
|
+# define CAP_SETGID -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SETFCAP
|
||||||
|
+# define CAP_SETFCAP -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SETPCAP
|
||||||
|
+# define CAP_SETPCAP -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SETUID
|
||||||
|
+# define CAP_SETUID -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_ADMIN
|
||||||
|
+# define CAP_SYS_ADMIN -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_BOOT
|
||||||
|
+# define CAP_SYS_BOOT -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_CHROOT
|
||||||
|
+# define CAP_SYS_CHROOT -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_MODULE
|
||||||
|
+# define CAP_SYS_MODULE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_NICE
|
||||||
|
+# define CAP_SYS_NICE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_PACCT
|
||||||
|
+# define CAP_SYS_PACCT -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_PTRACE
|
||||||
|
+# define CAP_SYS_PTRACE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_RAWIO
|
||||||
|
+# define CAP_SYS_RAWIO -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_RESOURCE
|
||||||
|
+# define CAP_SYS_RESOURCE -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_TIME
|
||||||
|
+# define CAP_SYS_TIME -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYS_TTY_CONFIG
|
||||||
|
+# define CAP_SYS_TTY_CONFIG -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_SYSLOG
|
||||||
|
+# define CAP_SYSLOG -1
|
||||||
|
+# endif
|
||||||
|
+# ifndef CAP_WAKE_ALARM
|
||||||
|
+# define CAP_WAKE_ALARM -1
|
||||||
|
+# endif
|
||||||
|
+
|
||||||
+static int lxcContainerDropCapabilities(virDomainDefPtr def,
|
+static int lxcContainerDropCapabilities(virDomainDefPtr def,
|
||||||
+ bool keepReboot)
|
+ bool keepReboot)
|
||||||
{
|
{
|
||||||
@ -640,6 +753,10 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
|||||||
+ bool toDrop = false;
|
+ bool toDrop = false;
|
||||||
+ int state = def->caps_features[i];
|
+ int state = def->caps_features[i];
|
||||||
+
|
+
|
||||||
|
+ /* Skip capabilities that aren't handled by our kernel */
|
||||||
|
+ if (!cap_valid(capsMapping))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
+ switch ((virDomainCapabilitiesPolicy) policy) {
|
+ switch ((virDomainCapabilitiesPolicy) policy) {
|
||||||
+
|
+
|
||||||
+ case VIR_DOMAIN_CAPABILITIES_POLICY_DENY:
|
+ case VIR_DOMAIN_CAPABILITIES_POLICY_DENY:
|
||||||
@ -695,7 +812,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
|
if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
|
||||||
@@ -1768,7 +1858,8 @@ static int lxcContainerDropCapabilities(
|
@@ -1775,7 +1982,8 @@ static int lxcContainerDropCapabilities(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
@ -705,7 +822,7 @@ Index: libvirt-1.2.5/src/lxc/lxc_container.c
|
|||||||
{
|
{
|
||||||
VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities");
|
VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities");
|
||||||
return 0;
|
return 0;
|
||||||
@@ -1874,7 +1965,7 @@ static int lxcContainerChild(void *data)
|
@@ -1881,7 +2089,7 @@ static int lxcContainerChild(void *data)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* drop a set of root capabilities */
|
/* drop a set of root capabilities */
|
||||||
|