[lxc-devel] [PATCH 1/2] allow lxc.cap.keep = none

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 13:00:54 UTC 2014


Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, i.e.:

    lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will drop
all capabilities. If "none" and some other valid capability are both
specified, the "none" is ignored and the valid capability is kept.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
 doc/lxc.container.conf.sgml.in | 3 ++-
 src/lxc/conf.c                 | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 30fe4a8..63e3f26 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1010,7 +1010,8 @@ proc proc proc nodev,noexec,nosuid 0 0
 	  <listitem>
 	    <para>
 	      Specify the capability to be kept in the container. All other
-	      capabilities will be dropped.
+	      capabilities will be dropped. A special value of "none" means
+	      lxc will drop all capabilities.
 	    </para>
 	  </listitem>
 	</varlistentry>
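Review bot: the new sentence documents only the "drop everything" case; the precedence rule from the commit message (if "none" appears together with a valid capability, "none" is ignored and that capability is kept) is not in the user-facing text. Since this is the behaviour an administrator would trip over when a template's keep list is appended to, consider adding it here, e.g. `If "none" is given together with other capabilities, "none" is ignored and the listed capabilities are kept.`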
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 4b52550..ad09036 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
 	char *ptr = NULL;
 	int i, capid = -1;
 
+	if (!strcmp(cap, "none"))
+		return -2;
+
 	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 
 		if (strcmp(cap, caps_opt[i].name))
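Review bot: `return -2` is a bare magic number with no comment, and parse_cap() is a generic helper: any other caller that only checks `capid < 0` will now treat "none" as an unknown capability and fail, which may be intended but is not stated anywhere. Suggest a named constant (e.g. `#define LXC_CAP_NONE -2`) with a one-line comment above this early return explaining that "none" is only meaningful for lxc.cap.keep, and a check that the remaining callers of parse_cap() handle the new value deliberately.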
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 
 		capid = parse_cap(keep_entry);
 
+		if (capid == -2)
+			continue;
+
 	        if (capid < 0) {
 			ERROR("unknown capability %s", keep_entry);
 			return -1;
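Review bot: the `continue` silently skips "none", so `lxc.cap.keep = none,cap_foo` and `lxc.cap.keep = cap_foo` behave identically with no indication to the user; a DEBUG or INFO message when "none" is ignored in favour of other entries would make a mis-ordered or appended config visible in the log. Also worth confirming that the empty-list case described in the commit message (`lxc.cap.keep =` clearing the list) is decided on the list itself and not on how many entries this loop kept, since a list containing only "none" must still reach the drop path with nothing retained.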
-- 
1.9.3



More information about the lxc-devel mailing list