From 370ed9b2535b11acaa776fbb4fc6dcb8671c2c88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= Date: Wed, 11 Jun 2014 15:03:58 +0200 Subject: [PATCH 1/3] lxc: allow to keep or drop capabilities Added in the section of LXC domains configuration. This section can contain elements named after the capabilities like: , keep CAP_MKNOD capability drop CAP_SYS_CHROOT capability Users can restrict or give more capabilities than the default using this mechanism. --- docs/schemas/domaincommon.rng | 207 ++++++++++++++++++++++++ src/conf/domain_conf.c | 126 ++++++++++++++- src/conf/domain_conf.h | 56 +++++++ src/libvirt_private.syms | 3 + src/lxc/lxc_cgroup.c | 8 + src/lxc/lxc_container.c | 123 ++++++++++++-- src/util/vircgroup.c | 74 ++++++++- src/util/vircgroup.h | 2 + tests/domainschemadata/domain-caps-features.xml | 28 ++++ 9 files changed, 602 insertions(+), 25 deletions(-) create mode 100644 tests/domainschemadata/domain-caps-features.xml Index: libvirt-1.2.6/docs/schemas/domaincommon.rng =================================================================== --- libvirt-1.2.6.orig/docs/schemas/domaincommon.rng +++ libvirt-1.2.6/docs/schemas/domaincommon.rng @@ -3744,6 +3744,9 @@ + + + @@ -4311,6 +4314,200 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -4319,6 +4516,16 @@ + + + + + default + allow + deny + + +