[PATCH v3 3/5] util: add functions to keep capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This patch introduces virKeepCapabilities() function and implements
virCommandAllowCap() function.

Existing virClearCapabilities() is function to clear all capabilities.
Instead virKeepCapabilities() is function to keep arbitrary capabilities.


Signed-off-by: Taku Izumi <izumi.taku@xxxxxxxxxxxxxx>
Signed-off-by: Shota Hirae <m11g1401@xxxxxxxxxxxxxx>
---
 src/util/command.c |   45 ++++++++++++++++++++++++++++++++++++++-------
 src/util/command.h |    4 +---
 2 files changed, 39 insertions(+), 10 deletions(-)

Index: libvirt/src/util/command.c
===================================================================
--- libvirt.orig/src/util/command.c
+++ libvirt/src/util/command.c
@@ -103,6 +103,8 @@ struct _virCommand {
     pid_t pid;
     char *pidfile;
     bool reap;
+
+    unsigned long long capabilities;
 };
 
 /*
@@ -182,6 +184,33 @@ static int virClearCapabilities(void)
 
     return 0;
 }
+
+/**
+ * virKeepCapabilities:
+ *  @capabilities - capability flag to keep.
+ *                  In case of 0, this function is identical to
+ *                  virClearCapabilities()
+ *
+ */
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    int ret, i;
+
+    capng_clear(CAPNG_SELECT_BOTH);
+
+    for (i = 0; i <= CAP_LAST_CAP; i++) {
+        if (capabilities & (1ULL << i))
+            capng_update(CAPNG_ADD, CAPNG_BOUNDING_SET, i);
+    }
+
+    if (ret = capng_apply(CAPNG_SELECT_BOTH) < 0) {
+        virCommandError(VIR_ERR_INTERNAL_ERROR,
+                        _("cannot apply process capabilities %d"), ret);
+        return -1;
+    }
+
+    return 0;
+}
 # else
 static int virClearCapabilities(void)
 {
@@ -189,6 +218,11 @@ static int virClearCapabilities(void)
 //             "capabilities");
     return 0;
 }
+
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    return 0;
+}
 # endif
 
 /**
@@ -883,26 +917,23 @@ virCommandClearCaps(virCommandPtr cmd)
     cmd->flags |= VIR_EXEC_CLEAR_CAPS;
 }
 
-#if 0 /* XXX Enable if we have a need for capability management.  */
-
 /**
  * virCommandAllowCap:
  * @cmd: the command to modify
- * @capability: what to allow
+ * @capabilities: what to allow
  *
- * Re-allow a specific capability
+ * Allow specific capabilities
  */
 void
 virCommandAllowCap(virCommandPtr cmd,
-                   int capability ATTRIBUTE_UNUSED)
+                   unsigned long long capabilities)
 {
     if (!cmd || cmd->has_error)
         return;
 
-    /* XXX ? */
+    cmd->capabilities = capabilities;
 }
 
-#endif /* 0 */
 
 
 /**
Index: libvirt/src/util/command.h
===================================================================
--- libvirt.orig/src/util/command.h
+++ libvirt/src/util/command.h
@@ -60,10 +60,8 @@ void virCommandSetPidFile(virCommandPtr 
 
 void virCommandClearCaps(virCommandPtr cmd);
 
-# if 0
 void virCommandAllowCap(virCommandPtr cmd,
-                        int capability);
-# endif
+                        unsigned long long capabilities);
 
 void virCommandDaemonize(virCommandPtr cmd);
 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]