authorDaniel Baumann <daniel.baumann@open-infrastructure.net>2016-03-12 06:32:19 +0000
committerDaniel Baumann <daniel.baumann@open-infrastructure.net>2016-03-31 14:30:16 +0000
commit39fd32080205aebe8a59936b9b6a76ae04b6f047 (patch)
tree5edd37d3ff17f577f58f7b1eb5aacc0393f45ce6
parentAdding container limit command. (diff)
Adding capability and drop-capability config options.
Signed-off-by: Daniel Baumann <daniel.baumann@open-infrastructure.net>
-rwxr-xr-xlib/container/create16
-rwxr-xr-xlib/container/start26
-rw-r--r--share/config/container.conf.in2
-rw-r--r--share/man/container-create.1.txt6
4 files changed, 47 insertions, 3 deletions
diff --git a/lib/container/create b/lib/container/create
index cfee91a..3411832 100755
--- a/lib/container/create
+++ b/lib/container/create
@@ -25,7 +25,7 @@ MACHINES="/var/lib/machines"
Parameters ()
{
- LONG_OPTIONS="name:,cnt.autostart:,bind:,script:"
+ LONG_OPTIONS="name:,cnt.autostart:,bind:,capability:,drop-capability:script:"
OPTIONS="n:,b:,c:,d:,s:"
PARAMETERS="$(getopt --longoptions ${LONG_OPTIONS} --name=${COMMAND} --options ${OPTIONS} --shell sh -- ${@})"
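Review bot: The new LONG_OPTIONS value on the `+` line is missing the comma between `drop-capability:` and `script:`, so getopt receives `drop-capability:script:` as a single entry and the existing `--script` long option is no longer recognised (only the `-s` short form keeps working). The line should read `LONG_OPTIONS="name:,cnt.autostart:,bind:,capability:,drop-capability:,script:"`. The `Parameters` function continues past the end of this hunk.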
@@ -56,6 +56,16 @@ Parameters ()
shift 2
;;
+ -c|--capability)
+ CAPABILITY="${2}"
+ shift 2
+ ;;
+
+ -d|--drop-capability)
+ DROP_CAPABILITY="${2}"
+ shift 2
+ ;;
+
-s|--script)
SCRIPT="${2}"
shift 2
@@ -76,7 +86,7 @@ Parameters ()
Usage ()
{
- echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.autostart=true|false|FQDN] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2
+ echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.autostart=true|false|FQDN] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [-c|--capability CAPABILITY[,CAPABILITY]] [-d|--drop-capability DROP_CAPABILITY[,DROP_CAPABILITY]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2
exit 1
}
@@ -121,7 +131,9 @@ sed -e "s|@CNT_AUTOSTART@|${CNT_AUTOSTART}|g" \
-e "s|@NAME@|${NAME}|g" \
-e "s|@BIND@|${BIND}|g" \
-e "s|@BOOT@|yes|g" \
+ -e "s|@CAPABILITY@|${CAPABILITY}|g" \
-e "s|@DIRECTORY@|${MACHINES}/${NAME}|g" \
+ -e "s|@DROP_CAPABILITY@|${DROP_CAPABILITY}|g" \
-e "s|@MACHINE@|${NAME}|g" \
-e "s|@NETWORK_VETH@|yes|g" \
-e "s|@NETWORK_BRIDGE@|br0|g" \
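Review bot: The two added `-e` expressions splice the user-supplied `${CAPABILITY}` and `${DROP_CAPABILITY}` values into a sed replacement unescaped, following the pattern of the surrounding lines, so a value containing `|`, `&` or a newline corrupts the expression or the generated config rather than being written verbatim. Because these values later decide which privileges the container is started with, it seems worth checking in `Parameters` that each is a comma-separated list of capability names as capabilities(7) defines them and calling `Usage` otherwise, before they reach this sed call. The `sed` command itself begins before the hunk.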
diff --git a/lib/container/start b/lib/container/start
index dc84f94..0588db5 100755
--- a/lib/container/start
+++ b/lib/container/start
@@ -156,9 +156,33 @@ then
;;
esac
+ CAPABILITY="$(awk -F= '/^capability=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
+
+ case "${CAPABILITY}" in
+ "")
+ CAPABILITY=""
+ ;;
+
+ *)
+ CAPABILITY="--capability=${CAPABILITY}"
+ ;;
+ esac
+
DIRECTORY="$(awk -F= '/^directory=/ { print $2 }' ${CONFIG}/${NAME}.conf || echo ${MACHINES}/${NAMES})"
DIRECTORY="--directory ${DIRECTORY}"
+ DROP_CAPABILITY="$(awk -F= '/^drop-capability=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
+
+ case "${DROP_CAPABILITY}" in
+ "")
+ DROP_CAPABILITY=""
+ ;;
+
+ *)
+ DROP_CAPABILITY="--drop-capability=${DROP_CAPABILITY}"
+ ;;
+ esac
+
MACHINE="--machine=${NAME}"
NETWORK_BRIDGE="$(awk -F= '/^network-bridge=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
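Review bot: Both new `case` blocks in this hunk can be replaced by one POSIX expansion each, since the `""` arm only assigns the value the variable already holds: `CAPABILITY="${CAPABILITY:+--capability=${CAPABILITY}}"` and `DROP_CAPABILITY="${DROP_CAPABILITY:+--drop-capability=${DROP_CAPABILITY}}"`. Separately, the value read from `${CONFIG}/${NAME}.conf` is passed unquoted to systemd-nspawn in the last hunk of this file, so a `capability=` line containing whitespace would split into additional nspawn arguments; given that this line sets the container's privileges, rejecting anything other than a comma-separated list of capability names before building the flag would be prudent. The enclosing `if`/`then` block starts before the hunk.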
@@ -211,4 +235,4 @@ then
fi
# Run
-${SETARCH} systemd-nspawn ${BIND} ${BOOT} ${DIRECTORY} ${MACHINE} ${NETWORK_BRIDGE} ${NETWORK_VETH} ${LINK_JOURNAL} ${REGISTER}
+${SETARCH} systemd-nspawn ${BIND} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_BRIDGE} ${NETWORK_VETH} ${LINK_JOURNAL} ${REGISTER}
diff --git a/share/config/container.conf.in b/share/config/container.conf.in
index 5b52c7d..6d91860 100644
--- a/share/config/container.conf.in
+++ b/share/config/container.conf.in
@@ -4,7 +4,9 @@
cnt.autostart=@CNT_AUTOSTART@
bind=@BIND@
boot=@BOOT@
+capability=@CAPABILITY@
directory=@DIRECTORY@
+drop-capability=@DROP_CAPABILITY@
machine=@MACHINE@
network-veth=@NETWORK_VETH@
network-bridge=@NETWORK_BRIDGE@
diff --git a/share/man/container-create.1.txt b/share/man/container-create.1.txt
index 8d9bd06..5277f22 100644
--- a/share/man/container-create.1.txt
+++ b/share/man/container-create.1.txt
@@ -44,6 +44,12 @@ The following container-create options are available:
*-n, --name='NAME'*::
Specify container name.
+*-c, --capability='CAPABILITY'*::
+ Specify capabilities to grant, see capabilities(7).
+
+*-d, --drop-capability='DROP_CAPABILITY'*::
+ Specify capabilities to drop, see capabilities(7).
+
*-s, --script='SCRIPT'*::
Specify container creation script, defaults to debootstrap.