Re: [PATCHv4 1/2] lxc: allow to keep or drop capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
> Added <capabilities> in the <features> section of LXC domains
> configuration. This section can contain elements named after the
> capabilities like:
> 
>   <mknod state="on"/>, keep CAP_MKNOD capability
>   <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
> 
> Users can restrict or give more capabilities than the default using
> this mechanism.
> ---
>  docs/drvlxc.html.in                             |  47 +++++
>  docs/schemas/domaincommon.rng                   | 207 ++++++++++++++++++++
>  src/conf/domain_conf.c                          | 126 ++++++++++++-
>  src/conf/domain_conf.h                          |  56 ++++++
>  src/libvirt_private.syms                        |   3 +
>  src/lxc/lxc_cgroup.c                            |   8 +
>  src/lxc/lxc_container.c                         | 241 ++++++++++++++++++++++--
>  src/util/vircgroup.c                            |  57 +++++-
>  src/util/vircgroup.h                            |   2 +
>  tests/domainschemadata/domain-caps-features.xml |  28 +++
>  10 files changed, 755 insertions(+), 20 deletions(-)
>  create mode 100644 tests/domainschemadata/domain-caps-features.xml
> 

> @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml,
>              def->features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
>              break;
>  
> +        case VIR_DOMAIN_FEATURE_CAPABILITIES:
> +            node = ctxt->node;
> +            ctxt->node = nodes[i];
> +            if ((tmp = virXPathString("string(./@policy)", ctxt))) {
> +                if ((def->features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {

def->features is described as being of type 'enum virTristateSwitch' (was
virDomainFeatureState before I pushed the enum cleanup), but you're treating
it as 'virDomainCapabilitesPolicy' here.

Could you either
1) switch this to virTristateSwitch, using policy='on' / policy='off' instead
of allow/deny
2) document that a different enum is used for this feature in domain_conf.h
3) put the policy in a separate variable

Thanks,

Jan

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]