From f0ef6218406c1cc13c2bb50253f8d6b39f4bc037e89fa3c2e1d20ccb9d87eacf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Wed, 25 Jun 2014 14:28:44 +0000
Subject: [PATCH] Accepting request 238658 from
 home:cbosdonnat:branches:Virtualization

- lxc-keep-caps-feature.patch: allow to keep/drop additional
  capabilities for LXC containers. bnc#881465
- lxc-keep-caps-feature-conversion.patch: convert lxc.cap.drop to
  the new domain configuration.
- lxc-keep-caps-feature-doc.patch: documentation for the new feature.

OBS-URL: https://build.opensuse.org/request/show/238658
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=385
---
 libvirt.changes                        |   9 +
 libvirt.spec                           |   6 +
 lxc-keep-caps-feature-conversion.patch | 223 +++++++
 lxc-keep-caps-feature-doc.patch        |  71 ++
 lxc-keep-caps-feature.patch            | 863 +++++++++++++++++++++++++
 5 files changed, 1172 insertions(+)
 create mode 100644 lxc-keep-caps-feature-conversion.patch
 create mode 100644 lxc-keep-caps-feature-doc.patch
 create mode 100644 lxc-keep-caps-feature.patch

diff --git a/libvirt.changes b/libvirt.changes
index ebc91dc..e114576 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jun 25 13:42:00 UTC 2014 - cbosdonnat@suse.com
+
+- lxc-keep-caps-feature.patch: allow to keep/drop additional
+  capabilities for LXC containers. bnc#881465
+- lxc-keep-caps-feature-conversion.patch: convert lxc.cap.drop to
+  the new domain configuration.
+- lxc-keep-caps-feature-doc.patch: documentation for the new feature.
+
 -------------------------------------------------------------------
 Mon Jun  2 10:48:21 MDT 2014 - jfehlig@suse.com
 
diff --git a/libvirt.spec b/libvirt.spec
index 6b38255..10b6e32 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -435,6 +435,9 @@ Patch102:       xen-pv-cdrom.patch
 Patch103:       add-nocow-to-vol-xml.patch
 # pending review upstream patches
 Patch150:       libxl-migration-support.patch
+Patch151:       lxc-keep-caps-feature.patch
+Patch152:       lxc-keep-caps-feature-conversion.patch
+Patch153:       lxc-keep-caps-feature-doc.patch
 # Our patches
 Patch200:       libvirtd-defaults.patch
 Patch201:       libvirtd-init-script.patch
@@ -951,6 +954,9 @@ namespaces.
 %patch102 -p1
 %patch103 -p1
 %patch150 -p1
+%patch151 -p1
+%patch152 -p1
+%patch153 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
diff --git a/lxc-keep-caps-feature-conversion.patch b/lxc-keep-caps-feature-conversion.patch
new file mode 100644
index 0000000..7516716
--- /dev/null
+++ b/lxc-keep-caps-feature-conversion.patch
@@ -0,0 +1,223 @@
+From f199dbab24896c31c90a3291c4779daccef949ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Wed, 11 Jun 2014 16:43:45 +0200
+Subject: [PATCH 2/3] lxc domain from xml: convert lxc.cap.drop
+
+---
+ src/lxc/lxc_native.c                               | 25 ++++++++++++++++++++++
+ tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml    |  2 ++
+ tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml   |  2 ++
+ tests/lxcconf2xmldata/lxcconf2xml-cputune.xml      |  2 ++
+ tests/lxcconf2xmldata/lxcconf2xml-idmap.xml        |  2 ++
+ .../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml |  4 ++++
+ tests/lxcconf2xmldata/lxcconf2xml-memtune.xml      |  2 ++
+ tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml  |  4 ++++
+ tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml    |  2 ++
+ tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml  |  4 ++++
+ tests/lxcconf2xmldata/lxcconf2xml-simple.xml       |  8 +++++++
+ tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml  |  4 ++++
+ 12 files changed, 61 insertions(+)
+
+diff --git a/src/lxc/lxc_native.c b/src/lxc/lxc_native.c
+index f4c4556..29ec188 100644
+--- a/src/lxc/lxc_native.c
++++ b/src/lxc/lxc_native.c
+@@ -838,6 +838,28 @@ lxcSetBlkioTune(virDomainDefPtr def, virConfPtr properties)
+     return 0;
+ }
+ 
++static void
++lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties)
++{
++    virConfValuePtr value;
++    char **toDrop = NULL;
++    const char *capString;
++    size_t i;
++
++    if ((value = virConfGetValue(properties, "lxc.cap.drop")) && value->str)
++        toDrop = virStringSplit(value->str, " ", 0);
++
++    for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
++        capString = virDomainCapsFeatureTypeToString(i);
++        if (toDrop != NULL && virStringArrayHasString(toDrop, capString))
++            def->caps_features[i] = VIR_DOMAIN_FEATURE_STATE_OFF;
++    }
++
++    def->features[VIR_DOMAIN_FEATURE_CAPABILITIES] = VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW;
++
++    virStringFreeList(toDrop);
++}
++
+ virDomainDefPtr
+ lxcParseConfigString(const char *config)
+ {
+@@ -935,6 +957,9 @@ lxcParseConfigString(const char *config)
+     if (lxcSetBlkioTune(vmdef, properties) < 0)
+         goto error;
+ 
++    /* lxc.cap.drop */
++    lxcSetCapDrop(vmdef, properties);
++
+     goto cleanup;
+ 
+  error:
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml b/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
+index 36b8e52..c9c0469 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
+@@ -25,6 +25,8 @@
+   </os>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml b/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
+index 932ab61..e7863fa 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
+@@ -13,6 +13,8 @@
+   </os>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml b/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
+index 1bab1c6..50c5358 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
+@@ -15,6 +15,8 @@
+   </os>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml b/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
+index 050ccd6..80a83ff 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
+@@ -14,6 +14,8 @@
+   </idmap>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
+index 996c0f7..3105b8c 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
+@@ -8,6 +8,10 @@
+     <type>exe</type>
+     <init>/sbin/init</init>
+   </os>
++  <features>
++    <capabilities policy='allow'>
++    </capabilities>
++  </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+   <on_reboot>restart</on_reboot>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml b/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
+index b7c919e..7df1ef0 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
+@@ -15,6 +15,8 @@
+   </os>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
+index 6d9e16d..e002b99 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
+@@ -8,6 +8,10 @@
+     <type>exe</type>
+     <init>/sbin/init</init>
+   </os>
++  <features>
++    <capabilities policy='allow'>
++    </capabilities>
++  </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+   <on_reboot>restart</on_reboot>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
+index 101324a..dc9d635 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
+@@ -10,6 +10,8 @@
+   </os>
+   <features>
+     <privnet/>
++    <capabilities policy='allow'>
++    </capabilities>
+   </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
+index 5fe1b03..cfaceb5 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
+@@ -8,6 +8,10 @@
+     <type>exe</type>
+     <init>/sbin/init</init>
+   </os>
++  <features>
++    <capabilities policy='allow'>
++    </capabilities>
++  </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+   <on_reboot>restart</on_reboot>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-simple.xml b/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+index b3c3659..549fc39 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+@@ -8,6 +8,14 @@
+     <type arch='i686'>exe</type>
+     <init>/sbin/init</init>
+   </os>
++  <features>
++    <capabilities policy='allow'>
++      <mac_admin state='off'/>
++      <mac_override state='off'/>
++      <mknod state='off'/>
++      <sys_module state='off'/>
++    </capabilities>
++  </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+   <on_reboot>restart</on_reboot>
+diff --git a/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
+index 45348ed..712be3e 100644
+--- a/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
++++ b/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
+@@ -8,6 +8,10 @@
+     <type>exe</type>
+     <init>/sbin/init</init>
+   </os>
++  <features>
++    <capabilities policy='allow'>
++    </capabilities>
++  </features>
+   <clock offset='utc'/>
+   <on_poweroff>destroy</on_poweroff>
+   <on_reboot>restart</on_reboot>
+-- 
+1.8.4.5
+
diff --git a/lxc-keep-caps-feature-doc.patch b/lxc-keep-caps-feature-doc.patch
new file mode 100644
index 0000000..44bfd82
--- /dev/null
+++ b/lxc-keep-caps-feature-doc.patch
@@ -0,0 +1,71 @@
+From b6f1f5a3be5b2643b255882effdca2e903d9d738 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Wed, 11 Jun 2014 17:01:11 +0200
+Subject: [PATCH 3/3] lxc: update doc to mention features/capabilities/* domain
+ configuration
+
+---
+ docs/drvlxc.html.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
+index fc4bc20..403ce24 100644
+--- a/docs/drvlxc.html.in
++++ b/docs/drvlxc.html.in
+@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root:
+ &lt;/domain&gt;
+ </pre>
+ 
++<h2><a name="capabilities">Altering the available capabilities</a></h2>
++
++<p>
++By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD.
++However <span class="since">since 1.2.6</span> libvirt can be told to keep or
++drop some capabilities using a domain configuration like the following:
++</p>
++<pre>
++...
++&lt;features&gt;
++  &lt;capabilities policy='default'&gt;
++    &lt;mknod state='on'/&gt;
++    &lt;sys_chroot state='off'/&gt;
++  &lt;/capabilities&gt;
++&lt;/features&gt;
++...
++</pre>
++<p>
++The capabilities children elements are named after the capabilities as defined in
++<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the
++capability, while an <code>on</code> state will force to keep the capability even though
++this one is dropped by default.
++</p>
++<p>
++The <code>policy</code> attribute can be one of <code>default</code>, <code>allow</code>
++or <code>deny</code>. It defines the default rules for capabilities: either keep the
++default behavior that is dropping a few selected capabilities, or keep all capabilities
++or drop all capabilities. The interest of <code>allow</code> and <code>deny</code> is that
++they guarantee that all capabilities will be kept (or removed) even if new ones are added
++later.
++</p>
++<p>
++The following example, drops all capabilities but CAP_MKNOD:
++</p>
++<pre>
++...
++&lt;features&gt;
++  &lt;capabilities policy='deny'&gt;
++    &lt;mknod state='on'/&gt;
++  &lt;/capabilities&gt;
++&lt;/features&gt;
++...
++</pre>
++<p>
++Note that allowing capabilities that are normally dropped by default can seriously
++affect the security of the container and the host.
++</p>
+ 
+ <h2><a name="usage">Container usage / management</a></h2>
+ 
+-- 
+1.8.4.5
+
diff --git a/lxc-keep-caps-feature.patch b/lxc-keep-caps-feature.patch
new file mode 100644
index 0000000..dff9c28
--- /dev/null
+++ b/lxc-keep-caps-feature.patch
@@ -0,0 +1,863 @@
+From 370ed9b2535b11acaa776fbb4fc6dcb8671c2c88 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
+Date: Wed, 11 Jun 2014 15:03:58 +0200
+Subject: [PATCH 1/3] lxc: allow to keep or drop capabilities
+
+Added <capabilities> in the <features> section of LXC domains
+configuration. This section can contain elements named after the
+capabilities like:
+
+  <mknod state="on"/>, keep CAP_MKNOD capability
+  <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
+
+Users can restrict or give more capabilities than the default using
+this mechanism.
+---
+ docs/schemas/domaincommon.rng                   | 207 ++++++++++++++++++++++++
+ src/conf/domain_conf.c                          | 126 ++++++++++++++-
+ src/conf/domain_conf.h                          |  56 +++++++
+ src/libvirt_private.syms                        |   3 +
+ src/lxc/lxc_cgroup.c                            |   8 +
+ src/lxc/lxc_container.c                         | 123 ++++++++++++--
+ src/util/vircgroup.c                            |  74 ++++++++-
+ src/util/vircgroup.h                            |   2 +
+ tests/domainschemadata/domain-caps-features.xml |  28 ++++
+ 9 files changed, 602 insertions(+), 25 deletions(-)
+ create mode 100644 tests/domainschemadata/domain-caps-features.xml
+
+Index: libvirt-1.2.5/docs/schemas/domaincommon.rng
+===================================================================
+--- libvirt-1.2.5.orig/docs/schemas/domaincommon.rng
++++ libvirt-1.2.5/docs/schemas/domaincommon.rng
+@@ -3744,6 +3744,9 @@
+               <empty/>
+             </element>
+           </optional>
++          <optional>
++            <ref name="capabilities"/>
++          </optional>
+         </interleave>
+       </element>
+     </optional>
+@@ -4290,6 +4293,200 @@
+     </element>
+   </define>
+ 
++  <!-- Optional capabilities features -->
++  <define name="capabilities">
++    <element name="capabilities">
++      <ref name="capabilitiespolicy"/>
++      <interleave>
++        <optional>
++          <element name="audit_control">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="audit_write">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="block_suspend">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="chown">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="dac_override">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="dac_read_search">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="fowner">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="fsetid">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="ipc_lock">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="ipc_owner">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="kill">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="lease">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="linux_immutable">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="mac_admin">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="mac_override">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="mknod">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="net_admin">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="net_bind_service">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="net_broadcast">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="net_raw">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="setgid">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="setfcap">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="setpcap">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="setuid">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_admin">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_boot">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_chroot">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_module">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_nice">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_pacct">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_ptrace">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_rawio">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_resource">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_time">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="sys_tty_config">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="syslog">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++        <optional>
++          <element name="wake_alarm">
++            <ref name="featurestate"/>
++          </element>
++        </optional>
++      </interleave>
++    </element>
++  </define>
++
+   <define name="featurestate">
+     <attribute name="state">
+       <choice>
+@@ -4298,6 +4495,16 @@
+       </choice>
+     </attribute>
+   </define>
++
++  <define name="capabilitiespolicy">
++    <attribute name="policy">
++      <choice>
++        <value>default</value> 
++        <value>allow</value>
++        <value>deny</value>
++      </choice>
++    </attribute>
++  </define>
+ 
+   <!--
+        Optional hypervisor extensions in their own namespace:
+Index: libvirt-1.2.5/src/conf/domain_conf.c
+===================================================================
+--- libvirt-1.2.5.orig/src/conf/domain_conf.c
++++ libvirt-1.2.5/src/conf/domain_conf.c
+@@ -147,18 +147,63 @@ VIR_ENUM_IMPL(virDomainFeature, VIR_DOMA
+               "viridian",
+               "privnet",
+               "hyperv",
+-              "pvspinlock")
++              "pvspinlock",
++              "capabilities")
+ 
+ VIR_ENUM_IMPL(virDomainFeatureState, VIR_DOMAIN_FEATURE_STATE_LAST,
+               "default",
+               "on",
+               "off")
+ 
++VIR_ENUM_IMPL(virDomainCapabilitiesPolicy, VIR_DOMAIN_CAPABILITIES_POLICY_LAST,
++              "default",
++              "allow",
++              "deny")
++
+ VIR_ENUM_IMPL(virDomainHyperv, VIR_DOMAIN_HYPERV_LAST,
+               "relaxed",
+               "vapic",
+               "spinlocks")
+ 
++VIR_ENUM_IMPL(virDomainCapsFeature, VIR_DOMAIN_CAPS_FEATURE_LAST,
++              "audit_control",
++              "audit_write",
++              "block_suspend",
++              "chown",
++              "dac_override",
++              "dac_read_search",
++              "fowner",
++              "fsetid",
++              "ipc_lock",
++              "ipc_owner",
++              "kill",
++              "lease",
++              "linux_immutable",
++              "mac_admin",
++              "mac_override",
++              "mknod",
++              "net_admin",
++              "net_bind_service",
++              "net_broadcast",
++              "net_raw",
++              "setgid",
++              "setfcap",
++              "setpcap",
++              "setuid",
++              "sys_admin",
++              "sys_boot",
++              "sys_chroot",
++              "sys_module",
++              "sys_nice",
++              "sys_pacct",
++              "sys_ptrace",
++              "sys_rawio",
++              "sys_resource",
++              "sys_time",
++              "sys_tty_config",
++              "syslog",
++              "wake_alarm")
++
+ VIR_ENUM_IMPL(virDomainLifecycle, VIR_DOMAIN_LIFECYCLE_LAST,
+               "destroy",
+               "restart",
+@@ -11835,6 +11880,22 @@ virDomainDefParseXML(xmlDocPtr xml,
+             def->features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
+             break;
+ 
++        case VIR_DOMAIN_FEATURE_CAPABILITIES:
++            node = ctxt->node;
++            ctxt->node = nodes[i];
++            if ((tmp = virXPathString("string(./@policy)", ctxt))) {
++                if ((def->features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
++                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++                                   _("unknown state attribute '%s' of feature '%s'"),
++                                   tmp, virDomainFeatureTypeToString(val));
++                    goto error;
++                }
++                VIR_FREE(tmp);
++            } else {
++                def->features[val] = VIR_DOMAIN_FEATURE_STATE_DEFAULT;
++            }
++            ctxt->node = node;
++            break;
+         case VIR_DOMAIN_FEATURE_PVSPINLOCK:
+             node = ctxt->node;
+             ctxt->node = nodes[i];
+@@ -11943,6 +12004,37 @@ virDomainDefParseXML(xmlDocPtr xml,
+         ctxt->node = node;
+     }
+ 
++    if ((n = virXPathNodeSet("./features/capabilities/*", ctxt, &nodes)) < 0)
++        goto error;
++
++    for (i = 0; i < n; i++) {
++        int val = virDomainCapsFeatureTypeFromString((const char *)nodes[i]->name);
++        if (val < 0) {
++            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++                           _("unexpected capability feature '%s'"), nodes[i]->name);
++            goto error;
++        }
++
++        if (val >= 0 && val < VIR_DOMAIN_CAPS_FEATURE_LAST) {
++            node = ctxt->node;
++            ctxt->node = nodes[i];
++
++            if ((tmp = virXPathString("string(./@state)", ctxt))) {
++                if ((def->caps_features[val] = virDomainFeatureStateTypeFromString(tmp)) == -1) {
++                    virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++                                   _("unknown state attribute '%s' of feature capability '%s'"),
++                                   tmp, virDomainFeatureTypeToString(val));
++                    goto error;
++                }
++                VIR_FREE(tmp);
++            } else {
++                def->caps_features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
++            }
++            ctxt->node = node;
++        }
++    }
++    VIR_FREE(nodes);
++
+     if (virDomainEventActionParseXML(ctxt, "on_reboot",
+                                      "string(./on_reboot[1])",
+                                      &def->onReboot,
+@@ -17125,6 +17217,19 @@ verify(((VIR_DOMAIN_XML_INTERNAL_STATUS
+          VIR_DOMAIN_XML_INTERNAL_CLOCK_ADJUST)
+         & DUMPXML_FLAGS) == 0);
+ 
++static bool
++virDomainDefHasCapabilitiesFeatures(virDomainDefPtr def)
++{
++    size_t i;
++
++    for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
++        if (def->caps_features[i] != VIR_DOMAIN_FEATURE_STATE_DEFAULT)
++            return true;
++    }
++
++    return false;
++}
++
+ /* This internal version can accept VIR_DOMAIN_XML_INTERNAL_*,
+  * whereas the public version cannot.  Also, it appends to an existing
+  * buffer (possibly with auto-indent), rather than flattening to string.
+@@ -17655,6 +17760,25 @@ virDomainDefFormatInternal(virDomainDefP
+                 virBufferAddLit(buf, "</hyperv>\n");
+                 break;
+ 
++            case VIR_DOMAIN_FEATURE_CAPABILITIES:
++                if (def->features[i] == VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT &&
++                        !virDomainDefHasCapabilitiesFeatures(def))
++                    break;
++
++                virBufferAsprintf(buf, "<capabilities policy='%s'>\n",
++                                  virDomainCapabilitiesPolicyTypeToString(def->features[i]));
++                virBufferAdjustIndent(buf, 2);
++                for (j = 0; j < VIR_DOMAIN_CAPS_FEATURE_LAST; j++) {
++                    if (def->caps_features[j] != VIR_DOMAIN_FEATURE_STATE_DEFAULT)
++                        virBufferAsprintf(buf, "<%s state='%s'/>\n",
++                                          virDomainCapsFeatureTypeToString(j),
++                                          virDomainFeatureStateTypeToString(
++                                              def->caps_features[j]));
++                }
++                virBufferAdjustIndent(buf, -2);
++                virBufferAddLit(buf, "</capabilities>\n");
++                break;
++
+             case VIR_DOMAIN_FEATURE_LAST:
+                 break;
+             }
+Index: libvirt-1.2.5/src/conf/domain_conf.h
+===================================================================
+--- libvirt-1.2.5.orig/src/conf/domain_conf.h
++++ libvirt-1.2.5/src/conf/domain_conf.h
+@@ -1526,6 +1526,7 @@ enum virDomainFeature {
+     VIR_DOMAIN_FEATURE_PRIVNET,
+     VIR_DOMAIN_FEATURE_HYPERV,
+     VIR_DOMAIN_FEATURE_PVSPINLOCK,
++    VIR_DOMAIN_FEATURE_CAPABILITIES,
+ 
+     VIR_DOMAIN_FEATURE_LAST
+ };
+@@ -1546,6 +1547,56 @@ enum virDomainHyperv {
+     VIR_DOMAIN_HYPERV_LAST
+ };
+ 
++typedef enum {
++     VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT = 0,
++     VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW,
++     VIR_DOMAIN_CAPABILITIES_POLICY_DENY,
++ 
++     VIR_DOMAIN_CAPABILITIES_POLICY_LAST
++ } virDomainCapabilitiesPolicy;
++ 
++ /* The capabilities are ordered alphabetically to help check for new ones */
++ typedef enum {
++     VIR_DOMAIN_CAPS_FEATURE_AUDIT_CONTROL = 0,
++     VIR_DOMAIN_CAPS_FEATURE_AUDIT_WRITE,
++     VIR_DOMAIN_CAPS_FEATURE_BLOCK_SUSPEND,
++     VIR_DOMAIN_CAPS_FEATURE_CHOWN,
++     VIR_DOMAIN_CAPS_FEATURE_DAC_OVERRIDE,
++     VIR_DOMAIN_CAPS_FEATURE_DAC_READ_SEARCH,
++     VIR_DOMAIN_CAPS_FEATURE_FOWNER,
++     VIR_DOMAIN_CAPS_FEATURE_FSETID,
++     VIR_DOMAIN_CAPS_FEATURE_IPC_LOCK,
++     VIR_DOMAIN_CAPS_FEATURE_IPC_OWNER,
++     VIR_DOMAIN_CAPS_FEATURE_KILL,
++     VIR_DOMAIN_CAPS_FEATURE_LEASE,
++     VIR_DOMAIN_CAPS_FEATURE_LINUX_IMMUTABLE,
++     VIR_DOMAIN_CAPS_FEATURE_MAC_ADMIN,
++     VIR_DOMAIN_CAPS_FEATURE_MAC_OVERRIDE,
++     VIR_DOMAIN_CAPS_FEATURE_MKNOD,
++     VIR_DOMAIN_CAPS_FEATURE_NET_ADMIN,
++     VIR_DOMAIN_CAPS_FEATURE_NET_BIND_SERVICE,
++     VIR_DOMAIN_CAPS_FEATURE_NET_BROADCAST,
++     VIR_DOMAIN_CAPS_FEATURE_NET_RAW,
++     VIR_DOMAIN_CAPS_FEATURE_SETGID,
++     VIR_DOMAIN_CAPS_FEATURE_SETFCAP,
++     VIR_DOMAIN_CAPS_FEATURE_SETPCAP,
++     VIR_DOMAIN_CAPS_FEATURE_SETUID,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_ADMIN,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_BOOT,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_CHROOT,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_MODULE,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_NICE,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_PACCT,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_PTRACE,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_RAWIO,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_RESOURCE,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_TIME,
++     VIR_DOMAIN_CAPS_FEATURE_SYS_TTY_CONFIG,
++     VIR_DOMAIN_CAPS_FEATURE_SYSLOG,
++     VIR_DOMAIN_CAPS_FEATURE_WAKE_ALARM,
++     VIR_DOMAIN_CAPS_FEATURE_LAST
++ } virDomainCapsFeature;
++
+ enum virDomainLifecycleAction {
+     VIR_DOMAIN_LIFECYCLE_DESTROY,
+     VIR_DOMAIN_LIFECYCLE_RESTART,
+@@ -1915,6 +1966,9 @@ struct _virDomainDef {
+     int hyperv_features[VIR_DOMAIN_HYPERV_LAST];
+     unsigned int hyperv_spinlocks;
+ 
++    /* This options are of type virDomainFeatureState: ON = keep, OFF = drop */
++    int caps_features[VIR_DOMAIN_CAPS_FEATURE_LAST];
++
+     virDomainClockDef clock;
+ 
+     size_t ngraphics;
+@@ -2534,6 +2588,8 @@ VIR_ENUM_DECL(virDomainBoot)
+ VIR_ENUM_DECL(virDomainBootMenu)
+ VIR_ENUM_DECL(virDomainFeature)
+ VIR_ENUM_DECL(virDomainFeatureState)
++VIR_ENUM_DECL(virDomainCapabilitiesPolicy)
++VIR_ENUM_DECL(virDomainCapsFeature)
+ VIR_ENUM_DECL(virDomainLifecycle)
+ VIR_ENUM_DECL(virDomainLifecycleCrash)
+ VIR_ENUM_DECL(virDomainPMState)
+Index: libvirt-1.2.5/src/libvirt_private.syms
+===================================================================
+--- libvirt-1.2.5.orig/src/libvirt_private.syms
++++ libvirt-1.2.5/src/libvirt_private.syms
+@@ -129,6 +129,8 @@ virDomainBlockedReasonTypeFromString;
+ virDomainBlockedReasonTypeToString;
+ virDomainBootMenuTypeFromString;
+ virDomainBootMenuTypeToString;
++virDomainCapabilitiesPolicyTypeToString;
++virDomainCapsFeatureTypeToString;
+ virDomainChrConsoleTargetTypeFromString;
+ virDomainChrConsoleTargetTypeToString;
+ virDomainChrDefForeach;
+@@ -1013,6 +1015,7 @@ virBufferVasprintf;
+ # util/vircgroup.h
+ virCgroupAddTask;
+ virCgroupAddTaskController;
++virCgroupAllowAllDevices;
+ virCgroupAllowDevice;
+ virCgroupAllowDeviceMajor;
+ virCgroupAllowDevicePath;
+Index: libvirt-1.2.5/src/lxc/lxc_cgroup.c
+===================================================================
+--- libvirt-1.2.5.orig/src/lxc/lxc_cgroup.c
++++ libvirt-1.2.5/src/lxc/lxc_cgroup.c
+@@ -367,6 +367,14 @@ static int virLXCCgroupSetupDeviceACL(vi
+     if (virCgroupDenyAllDevices(cgroup) < 0)
+         goto cleanup;
+ 
++    /* white list mknod if CAP_MKNOD has to be kept */
++    int capMknod = def->caps_features[VIR_DOMAIN_CAPS_FEATURE_MKNOD];
++    if (capMknod == VIR_DOMAIN_FEATURE_STATE_ON) {
++        if (virCgroupAllowAllDevices(cgroup,
++                                    VIR_CGROUP_DEVICE_MKNOD) < 0)
++            goto cleanup;
++    }
++
+     for (i = 0; devices[i].type != 0; i++) {
+         virLXCCgroupDevicePolicyPtr dev = &devices[i];
+         if (virCgroupAllowDevice(cgroup,
+Index: libvirt-1.2.5/src/lxc/lxc_container.c
+===================================================================
+--- libvirt-1.2.5.orig/src/lxc/lxc_container.c
++++ libvirt-1.2.5/src/lxc/lxc_container.c
+@@ -1732,25 +1732,115 @@ static int lxcContainerResolveSymlinks(v
+  * host system, since they are not currently "containerized"
+  */
+ #if WITH_CAPNG
+-static int lxcContainerDropCapabilities(bool keepReboot)
++static int lxcContainerDropCapabilities(virDomainDefPtr def,
++                                        bool keepReboot)
+ {
+     int ret;
++    size_t i;
++    int policy = def->features[VIR_DOMAIN_FEATURE_CAPABILITIES];
++
++    /* Maps virDomainCapsFeature to CAPS_* */
++    static unsigned int capsMapping[] = {CAP_AUDIT_CONTROL,
++                                         CAP_AUDIT_WRITE,
++                                         CAP_BLOCK_SUSPEND,
++                                         CAP_CHOWN,
++                                         CAP_DAC_OVERRIDE,
++                                         CAP_DAC_READ_SEARCH,
++                                         CAP_FOWNER,
++                                         CAP_FSETID,
++                                         CAP_IPC_LOCK,
++                                         CAP_IPC_OWNER,
++                                         CAP_KILL,
++                                         CAP_LEASE,
++                                         CAP_LINUX_IMMUTABLE,
++                                         CAP_MAC_ADMIN,
++                                         CAP_MAC_OVERRIDE,
++                                         CAP_MKNOD,
++                                         CAP_NET_ADMIN,
++                                         CAP_NET_BIND_SERVICE,
++                                         CAP_NET_BROADCAST,
++                                         CAP_NET_RAW,
++                                         CAP_SETGID,
++                                         CAP_SETFCAP,
++                                         CAP_SETPCAP,
++                                         CAP_SETUID,
++                                         CAP_SYS_ADMIN,
++                                         CAP_SYS_BOOT,
++                                         CAP_SYS_CHROOT,
++                                         CAP_SYS_MODULE,
++                                         CAP_SYS_NICE,
++                                         CAP_SYS_PACCT,
++                                         CAP_SYS_PTRACE,
++                                         CAP_SYS_RAWIO,
++                                         CAP_SYS_RESOURCE,
++                                         CAP_SYS_TIME,
++                                         CAP_SYS_TTY_CONFIG,
++                                         CAP_SYSLOG,
++                                         CAP_WAKE_ALARM};
+ 
+     capng_get_caps_process();
+ 
+-    if ((ret = capng_updatev(CAPNG_DROP,
+-                             CAPNG_EFFECTIVE | CAPNG_PERMITTED |
+-                             CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
+-                             CAP_SYS_MODULE, /* No kernel module loading */
+-                             CAP_SYS_TIME, /* No changing the clock */
+-                             CAP_MKNOD, /* No creating device nodes */
+-                             CAP_AUDIT_CONTROL, /* No messing with auditing status */
+-                             CAP_MAC_ADMIN, /* No messing with LSM config */
+-                             keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
+-                             -1)) < 0) {
+-        virReportError(VIR_ERR_INTERNAL_ERROR,
+-                       _("Failed to remove capabilities: %d"), ret);
+-        return -1;
++    /* Make sure we drop everything if required by the user */
++    if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_DENY)
++        capng_clear(CAPNG_SELECT_BOTH);
++
++    /* Apply all single capabilities changes */
++    for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
++        bool toDrop = false;
++        int state = def->caps_features[i];
++
++        switch ((virDomainCapabilitiesPolicy) policy) {
++
++        case VIR_DOMAIN_CAPABILITIES_POLICY_DENY:
++            if (state == VIR_DOMAIN_FEATURE_STATE_ON &&
++                    (ret = capng_update(CAPNG_ADD,
++                                        CAPNG_EFFECTIVE | CAPNG_PERMITTED |
++                                        CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
++                                        capsMapping[i])) < 0) {
++                virReportError(VIR_ERR_INTERNAL_ERROR,
++                               _("Failed to add capability %s: %d"),
++                               virDomainCapsFeatureTypeToString(i), ret);
++                return -1;
++            }
++            break;
++
++        case VIR_DOMAIN_CAPABILITIES_POLICY_DEFAULT:
++            switch ((virDomainCapsFeature) i) {
++            case VIR_DOMAIN_CAPS_FEATURE_SYS_BOOT: /* No use of reboot */
++                toDrop = !keepReboot && (state != VIR_DOMAIN_FEATURE_STATE_ON);
++                break;
++            case VIR_DOMAIN_CAPS_FEATURE_SYS_MODULE: /* No kernel module loading */
++            case VIR_DOMAIN_CAPS_FEATURE_SYS_TIME: /* No changing the clock */
++            case VIR_DOMAIN_CAPS_FEATURE_MKNOD: /* No creating device nodes */
++            case VIR_DOMAIN_CAPS_FEATURE_AUDIT_CONTROL: /* No messing with auditing status */
++            case VIR_DOMAIN_CAPS_FEATURE_MAC_ADMIN: /* No messing with LSM config */
++                toDrop = (state != VIR_DOMAIN_FEATURE_STATE_ON);
++                break;
++            default: /* User specified capabilities to drop */
++                toDrop = (state == VIR_DOMAIN_FEATURE_STATE_OFF);
++            }
++            /* Fallthrough */
++
++        case VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW:
++            if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW)
++                toDrop = state == VIR_DOMAIN_FEATURE_STATE_OFF;
++
++            if (toDrop && (ret = capng_update(CAPNG_DROP,
++                                              CAPNG_EFFECTIVE | CAPNG_PERMITTED |
++                                              CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
++                                              capsMapping[i])) < 0) {
++                virReportError(VIR_ERR_INTERNAL_ERROR,
++                               _("Failed to remove capability %s: %d"),
++                               virDomainCapsFeatureTypeToString(i), ret);
++                return -1;
++            }
++            break;
++
++        default:
++            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
++                           _("Unsupported capabilities policy: %s"),
++                           virDomainCapabilitiesPolicyTypeToString(policy));
++        }
+     }
+ 
+     if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0) {
+@@ -1768,7 +1858,8 @@ static int lxcContainerDropCapabilities(
+     return 0;
+ }
+ #else
+-static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
++static int lxcContainerDropCapabilities(virDomainDefPtr def ATTRIBUTE_UNUSED,
++                                        bool keepReboot ATTRIBUTE_UNUSED)
+ {
+     VIR_WARN("libcap-ng support not compiled in, unable to clear capabilities");
+     return 0;
+@@ -1874,7 +1965,7 @@ static int lxcContainerChild(void *data)
+     }
+ 
+     /* drop a set of root capabilities */
+-    if (lxcContainerDropCapabilities(!!hasReboot) < 0)
++    if (lxcContainerDropCapabilities(vmDef, !!hasReboot) < 0)
+         goto cleanup;
+ 
+     if (lxcContainerSendContinue(argv->handshakefd) < 0) {
+Index: libvirt-1.2.5/src/util/vircgroup.c
+===================================================================
+--- libvirt-1.2.5.orig/src/util/vircgroup.c
++++ libvirt-1.2.5/src/util/vircgroup.c
+@@ -2622,6 +2622,62 @@ virCgroupDenyAllDevices(virCgroupPtr gro
+                                 "a");
+ }
+ 
++static int
++virCgroupAllowDevices(virCgroupPtr group, char type, const char *device, int perms)
++{
++    int ret = -1;
++    char *devstr = NULL;
++
++    if (virAsprintf(&devstr, "%c %s %s%s%s", type, device,
++                    perms & VIR_CGROUP_DEVICE_READ ? "r" : "",
++                    perms & VIR_CGROUP_DEVICE_WRITE ? "w" : "",
++                    perms & VIR_CGROUP_DEVICE_MKNOD ? "m" : "") < 0)
++        goto cleanup;
++
++    if (virCgroupSetValueStr(group,
++                             VIR_CGROUP_CONTROLLER_DEVICES,
++                             "devices.allow",
++                             devstr) < 0)
++        goto cleanup;
++
++    ret = 0;
++
++ cleanup:
++    VIR_FREE(devstr);
++    return ret;
++}
++
++/**
++ * virCgroupAllowAllDevices:
++ *
++ * Allows the permissiong for all devices by setting lines similar
++ * to these ones (obviously the 'm' permission is an example):
++ *
++ * 'b *:* m'
++ * 'c *:* m'
++ *
++ * @group: The cgroup to allow devices for
++ * @perms: Bitwise or of VIR_CGROUP_DEVICE permission bits to allow
++ *
++ * Returns: 0 on success
++ */
++int
++virCgroupAllowAllDevices(virCgroupPtr group, int perms)
++{
++    int ret = -1;
++
++    if (virCgroupAllowDevices(group, 'b', "*:*", perms) < 0)
++        goto cleanup;
++
++    if (virCgroupAllowDevices(group, 'c', "*:*", perms) < 0)
++        goto cleanup;
++
++    ret = 0;
++
++ cleanup:
++    return ret;
++}
++
+ 
+ /**
+  * virCgroupAllowDevice:
+@@ -2641,16 +2697,10 @@ virCgroupAllowDevice(virCgroupPtr group,
+     int ret = -1;
+     char *devstr = NULL;
+ 
+-    if (virAsprintf(&devstr, "%c %i:%i %s%s%s", type, major, minor,
+-                    perms & VIR_CGROUP_DEVICE_READ ? "r" : "",
+-                    perms & VIR_CGROUP_DEVICE_WRITE ? "w" : "",
+-                    perms & VIR_CGROUP_DEVICE_MKNOD ? "m" : "") < 0)
++    if (virAsprintf(&devstr, "%i:%i", major, minor) < 0)
+         goto cleanup;
+ 
+-    if (virCgroupSetValueStr(group,
+-                             VIR_CGROUP_CONTROLLER_DEVICES,
+-                             "devices.allow",
+-                             devstr) < 0)
++    if (virCgroupAllowDevices(group, type, devstr, perms) < 0)
+         goto cleanup;
+ 
+     ret = 0;
+@@ -4202,6 +4252,14 @@ virCgroupGetCpusetCpus(virCgroupPtr grou
+     return -1;
+ }
+ 
++int
++virCgroupAllowAllDevices(virCgroupPtr groupi ATTRIBUTE_UNUSED,
++                         int perms ATTRIBUTE_UNUSED)
++{
++    virReportSystemError(ENOSYS, "%s",
++                         _("Control groups not supported on this platform"));
++    return -1;
++}
+ 
+ int
+ virCgroupDenyAllDevices(virCgroupPtr group ATTRIBUTE_UNUSED)
+Index: libvirt-1.2.5/src/util/vircgroup.h
+===================================================================
+--- libvirt-1.2.5.orig/src/util/vircgroup.h
++++ libvirt-1.2.5/src/util/vircgroup.h
+@@ -175,6 +175,8 @@ enum {
+ 
+ int virCgroupDenyAllDevices(virCgroupPtr group);
+ 
++int virCgroupAllowAllDevices(virCgroupPtr group, int perms);
++
+ int virCgroupAllowDevice(virCgroupPtr group,
+                          char type,
+                          int major,
+Index: libvirt-1.2.5/tests/domainschemadata/domain-caps-features.xml
+===================================================================
+--- /dev/null
++++ libvirt-1.2.5/tests/domainschemadata/domain-caps-features.xml
+@@ -0,0 +1,28 @@
++<domain type='lxc'>
++    <name>demo</name>
++    <uuid>8369f1ac-7e46-e869-4ca5-759d51478066</uuid>
++    <os>
++        <type>exe</type>
++        <init>/sh</init>
++    </os>
++    <features>
++        <capabilities policy="deny">
++            <mknod state="on"/>
++        </capabilities>
++    </features>
++    <resource>
++      <partition>/virtualmachines</partition>
++    </resource>
++    <memory unit='KiB'>500000</memory>
++    <devices>
++        <filesystem type='mount'>
++            <source dir='/root/container'/>
++            <target dir='/'/>
++        </filesystem>
++        <filesystem type='mount'>
++            <source dir='/home'/>
++            <target dir='/home'/>
++        </filesystem>
++        <console type='pty'/>
++    </devices>
++</domain>