This patch introduces XML schema for domains to retain arbitrary capabilities. For example, by adding the following XML to domain configuration, its domain can retain cap_sys_rawio capability.
<process>
<cap name='sys_rawio'/>
</process>
Signed-off-by: Taku Izumi <izumi.taku@xxxxxxxxxxxxxx>
Signed-off-by: Shota Hirae <m11g1401@xxxxxxxxxxxxxx>
---
docs/formatdomain.html.in | 48 ++++++++++++++++++++++++++++++++++++++
docs/schemas/domaincommon.rng | 52 ++++++++++++++++++++++++++++++++++++++++++
src/conf/domain_conf.c | 33 ++++++++++++++++++++++++++
src/conf/domain_conf.h | 2 +
4 files changed, 135 insertions(+)
Index: libvirt/docs/schemas/domaincommon.rng
===================================================================
--- libvirt.orig/docs/schemas/domaincommon.rng
+++ libvirt/docs/schemas/domaincommon.rng
@@ -35,6 +35,9 @@
 <ref name="clock"/>
 <ref name="resources"/>
 <ref name="features"/>
+ <optional>
+ <ref name="process"/>
+ </optional>
 <ref name="termination"/>
 <optional>
 <ref name="devices"/>
@@ -2344,6 +2347,55 @@
 </optional>
 </define>
 <!--
+ Specification of process element
+ -->
+ <define name="process">
+ <element name="process">
+ <zeroOrMore>
+ <element name="cap">
+ <attribute name="name">
+ <choice>
+ <value>chown</value>
+ <value>dac_override</value>
+ <value>dac_read_search</value>
+ <value>fowner</value>
+ <value>fsetid</value>
+ <value>kill</value>
+ <value>setgid</value>
+ <value>setuid</value>
+ <value>setpcap</value>
+ <value>linux_immutable</value>
+ <value>net_bind_service</value>
+ <value>net_broadcast</value>
+ <value>net_admin</value>
+ <value>net_raw</value>
+ <value>ipc_lock</value>
+ <value>ipc_owner</value>
+ <value>sys_module</value>
+ <value>sys_rawio</value>
+ <value>sys_chroot</value>
+ <value>sys_ptrace</value>
+ <value>sys_pacct</value>
+ <value>sys_admin</value>
+ <value>sys_boot</value>
+ <value>sys_nice</value>
+ <value>sys_resource</value>
+ <value>sys_time</value>
+ <value>sys_tty_config</value>
+ <value>mknod</value>
+ <value>lease</value>
+ <value>audit_write</value>
+ <value>audit_control</value>
+ <value>setfcap</value>
+ <value>mac_override</value>
+ <value>mac_admin</value>
+ </choice>
+ </attribute>
+ </element>
+ </zeroOrMore>
+ </element>
+ </define>
+ <!--
 CPU specification
 -->
 <define name="cpu">
Index: libvirt/src/conf/domain_conf.c
===================================================================
--- libvirt.orig/src/conf/domain_conf.c
+++ libvirt/src/conf/domain_conf.c
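Review bot: The `<choice>` under `<attribute name="name">` hard-codes the 34 capability names, while the parser accepts whatever `virCapsProcessCapsTypeFromString` (defined outside this patch, presumably from a VIR_ENUM string table) knows, so the two lists will drift the first time a capability is added to only one of them: a name missing from the schema fails validation, a name missing from the enum is rejected by the parser as an internal error. A short comment on the `<choice>` naming the table it mirrors, e.g. `<!-- keep in sync with the virCapsProcessCapsType string table -->`, makes the coupling visible. If the tree has a test that round-trips every enum value through the schema, this element should be added to it.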
@@ -7253,6 +7253,23 @@ static virDomainDefPtr virDomainDefParse
 VIR_FREE(nodes);
 }
+ n = virXPathNodeSet("./process/cap", ctxt, &nodes);
+ if (n < 0)
+ goto error;
+ if (n) {
+ for (i = 0; i < n; i++) {
+ int val = virCapsProcessCapsTypeFromString(virXMLPropString(nodes[i], "name"));
+ if (val < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unexpected process cap %s"),
+ virXMLPropString(nodes[i], "name"));
+ goto error;
+ }
+ def->capabilities |= (1ULL << val);
+ }
+ VIR_FREE(nodes);
+ }
+
 if (virDomainLifecycleParseXML(ctxt, "string(./on_reboot[1])", &def->onReboot, VIR_DOMAIN_LIFECYCLE_RESTART, virDomainLifecycleTypeFromString) < 0)
@@ -11520,6 +11537,22 @@ virDomainDefFormatInternal(virDomainDefP
 virBufferAddLit(buf, " </features>\n");
 }
+ if (def->capabilities) {
+ virBufferAddLit(buf, " <process>\n");
+ for (n = 0; n < VIR_PROCESS_CAPABILITY_LAST; n++) {
+ if (def->capabilities & (1ULL << n)) {
+ const char *name = virCapsProcessCapsTypeToString(n);
+ if (!name) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unexpected process cap %d"), n);
+ goto cleanup;
+ }
+ virBufferAsprintf(buf, " <cap name='%s'/>\n", name);
+ }
+ }
+ virBufferAddLit(buf, " </process>\n");
+ }
+
 virBufferAdjustIndent(buf, 2);
 if (virCPUDefFormatBufFull(buf, def->cpu) < 0)
 goto cleanup;
Index: libvirt/src/conf/domain_conf.h
===================================================================
--- libvirt.orig/src/conf/domain_conf.h
+++ libvirt/src/conf/domain_conf.h
@@ -1441,6 +1441,8 @@ struct _virDomainDef {
 char *emulator;
 int features;
+ unsigned long long capabilities;
+
 virDomainClockDef clock;
 int ngraphics;
Index: libvirt/docs/formatdomain.html.in
===================================================================
--- libvirt.orig/docs/formatdomain.html.in
+++ libvirt/docs/formatdomain.html.in
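Review bot: The new `./process/cap` loop in virDomainDefParseXML calls `virXMLPropString(nodes[i], "name")` twice per node and never frees either result, although elsewhere in this file that return value is paired with `VIR_FREE`; every `<cap>` therefore leaks one string and a rejected one leaks two. A `<cap>` with no `name` attribute also hands a NULL to the from-string lookup and then to the `%s` in the error message. Fetch the attribute once into a local, free it on both paths, and since the value comes from the user's XML report it as `VIR_ERR_XML_ERROR` rather than an internal error; the `1ULL << val` masking is fine as long as the enum stays below 64 values. The enclosing function and its `error:` label lie outside the hunk, so I am assuming the label frees `nodes` as the neighbouring node-set loops rely on.
```c
    for (i = 0; i < n; i++) {
        char *capname = virXMLPropString(nodes[i], "name");
        int val = capname ? virCapsProcessCapsTypeFromString(capname) : -1;
        if (val < 0) {
            virDomainReportError(VIR_ERR_XML_ERROR,
                                 _("unexpected process cap %s"),
                                 capname ? capname : "(none)");
            VIR_FREE(capname);
            goto error;
        }
        VIR_FREE(capname);
        def->capabilities |= (1ULL << val);
    }
    /* … unchanged: VIR_FREE(nodes) … */
```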
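Review bot: The new `capabilities` field in struct _virDomainDef is a bare `unsigned long long` with no comment, yet both domain_conf.c hunks treat it as a bitmask indexed by `virCapsProcessCapsType` values (`1ULL << val` when parsing, `1ULL << n` up to `VIR_PROCESS_CAPABILITY_LAST` when formatting), which silently becomes an undefined shift the day the enum reaches 64 entries. Document the encoding at the declaration, e.g. `/* bitmask of virCapsProcessCapsType values the domain's process keeps */`, and pin the width with a compile-time check such as `verify(VIR_PROCESS_CAPABILITY_LAST <= 64);` next to the enum, assuming the gnulib `verify` macro is available in this tree as it is in other libvirt sources.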
@@ -787,6 +787,54 @@
 </dd>
 </dl>
+ <h3><a name="elementsProcess">Process Capability</a></h3>
+
+ <p>
+ Process of Domain are allowed to retain capabilities specified
+ by cap element. What capabilities host supports can be found at
+ capability XML.
+ </p>
+
+<pre>
+ ...
+ <process>
+ <cap name="chown"/>
+ <cap name="dac_override"/>
+ <cap name="dac_read_search"/>
+ <cap name="fowner"/>
+ <cap name="fsetid"/>
+ <cap name="kill"/>
+ <cap name="setgid"/>
+ <cap name="setuid"/>
+ <cap name="setpcap"/>
+ <cap name="linux_immutable"/>
+ <cap name="net_bind_service"/>
+ <cap name="net_broadcast"/>
+ <cap name="net_admin"/>
+ <cap name="net_raw"/>
+ <cap name="ipc_lock"/>
+ <cap name="ipc_owner"/>
+ <cap name="sys_module"/>
+ <cap name="sys_rawio"/>
+ <cap name="sys_chroot"/>
+ <cap name="sys_ptrace"/>
+ <cap name="sys_pacct"/>
+ <cap name="sys_admin"/>
+ <cap name="sys_boot"/>
+ <cap name="sys_nice"/>
+ <cap name="sys_resource"/>
+ <cap name="sys_time"/>
+ <cap name="sys_tty_config"/>
+ <cap name="mknod"/>
+ <cap name="lease"/>
+ <cap name="audit_write"/>
+ <cap name="audit_control"/>
+ <cap name="setfcap"/>
+ <cap name="mac_override"/>
+ <cap name="mac_admin"/>
+ </process>
+ ...</pre>
+
 <h3><a name="elementsTime">Time keeping</a></h3>
 <p>
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
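Review bot: The new "Process Capability" section explains how to list capabilities but not what retaining one costs: neither the schema nor the parser restricts which names may be given, and several of the listed ones (`sys_admin`, `sys_module`, `sys_ptrace`, `setpcap`, `mac_admin`, `mac_override`) leave the domain's process equivalent to unconfined root on the host, which a reader cannot tell from the paragraph. After "capability XML." add a sentence such as `Each retained capability widens what the emulator process may do on the host; a process keeping sys_admin, sys_module or the MAC capabilities is effectively unconfined, so list only what the workload needs.` The `<pre>` example enumerating all 34 capabilities reads like a recommended configuration; the single `sys_rawio` example from the commit message would illustrate the syntax without that implication. The paragraph's first sentence should also read `The domain's process is allowed to retain the capabilities named by cap elements.`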