[lxc-devel] [PATCH v2] allow lxc.cap.keep = none

Dwight Engen dwight.engen at oracle.com
Thu Jun 19 21:58:11 UTC 2014


Commit 1fb86a7c introduced a way to drop capabilities without having to
specify them all explicitly. Unfortunately, there is no way to drop them
all, as just specifying an empty keep list, i.e.:

    lxc.cap.keep =

clears the keep list, causing no capabilities to be dropped.

This change allows a special value "none" to be given, which will clear
all keep capabilities parsed up to this point. If the last parsed value
is none, all capabilities will be dropped.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
v2: implement as 'last wins' so none can be specified after caps, or
    vice versa as well

 doc/lxc.container.conf.sgml.in | 5 ++++-
 src/lxc/conf.c                 | 6 ++++++
 src/lxc/confile.c              | 3 +++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 30fe4a8..2050d7c 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0
 	  <listitem>
 	    <para>
 	      Specify the capability to be kept in the container. All other
-	      capabilities will be dropped.
+	      capabilities will be dropped. When a special value of "none" is
+	      encountered, lxc will clear any keep capabilities specified up
+	      to this point. A value of "none" alone can be used to drop all
+	      capabilities.
 	    </para>
 	  </listitem>
 	</varlistentry>
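Review bot: the new wording only describes the clearing effect of "none"; the 'last wins' behaviour from the v2 note (capabilities listed after "none" are still kept, and "none" also cancels entries from earlier lxc.cap.keep lines, not just the current one) is not stated. Suggest adding a sentence such as "Capabilities listed after "none" are kept; the last value parsed takes effect." so users know both orderings are valid.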
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 50fff27..c8b573a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
 	char *ptr = NULL;
 	int i, capid = -1;
 
+	if (!strcmp(cap, "none"))
+		return -2;
+
 	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 
 		if (strcmp(cap, caps_opt[i].name))
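Review bot: the `return -2;` introduces a bare sentinel that parse_cap and its caller now have to agree on, alongside the existing -1 "unknown" result. Suggest a named constant (e.g. a `#define` for the "none" result) and a one-line comment above the strcmp, since a caller that tests `capid < 0` before the -2 check will report "none" as an unknown capability.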
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 
 		capid = parse_cap(keep_entry);
 
+		if (capid == -2)
+			continue;
+
 	        if (capid < 0) {
 			ERROR("unknown capability %s", keep_entry);
 			return -1;
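Review bot: the `if (capid == -2) continue;` must stay ahead of the existing `if (capid < 0)` error path, and nothing here explains why a "none" entry can be sitting in the keep list in the first place (config_cap_keep leaves the literal token in the list after clearing it). A short comment at the `continue` saying that "none" entries are skipped here and only exist to make the list non-empty would save the next reader from treating this as dead code.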
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 952b714..2455325 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1498,6 +1498,9 @@ static int config_cap_keep(const char *key, const char *value,
                         break;
 		}
 
+		if (!strcmp(token, "none"))
+			lxc_clear_config_keepcaps(lxc_conf);
+
 		keeplist = malloc(sizeof(*keeplist));
 		if (!keeplist) {
 			SYSERROR("failed to allocate keepcap list");
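Review bot: after `lxc_clear_config_keepcaps(lxc_conf);` the code falls through to the unchanged `keeplist = malloc(...)` below, so the "none" token itself is appended to the freshly cleared list. If that is intentional (it is what makes the list non-empty so dropcaps_except runs and drops everything), say so in a comment; otherwise a `continue` after the clear would be the expected shape. The return value of lxc_clear_config_keepcaps is also ignored here.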
-- 
1.9.3
