From 788d144ec50fc7a4181de5ffb1627769c88be55f Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Mon, 19 Oct 2020 17:50:19 +0100
Subject: instance: actually wire up capabilities filename

Signed-off-by: Daniel Golle
---
 service/instance.c | 21 +++++++++++++++++++++
 service/instance.h | 1 +
 2 files changed, 22 insertions(+)
(limited to 'service')

diff --git a/service/instance.c b/service/instance.c
index 218bdec..a57fe30 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -59,6 +59,7 @@ enum {
 	INSTANCE_ATTR_JAIL,
 	INSTANCE_ATTR_TRACE,
 	INSTANCE_ATTR_SECCOMP,
+	INSTANCE_ATTR_CAPABILITIES,
 	INSTANCE_ATTR_PIDFILE,
 	INSTANCE_ATTR_RELOADSIG,
 	INSTANCE_ATTR_TERMTIMEOUT,
@@ -91,6 +92,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
 	[INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
 	[INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
 	[INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
+	[INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },
 	[INSTANCE_ATTR_PIDFILE] = { "pidfile", BLOBMSG_TYPE_STRING },
 	[INSTANCE_ATTR_RELOADSIG] = { "reload_signal", BLOBMSG_TYPE_INT32 },
 	[INSTANCE_ATTR_TERMTIMEOUT] = { "term_timeout", BLOBMSG_TYPE_INT32 },
@@ -256,6 +258,11 @@ jail_run(struct service_instance *in, char **argv)
 		argv[argc++] = in->group;
 	}
 
+	if (in->capabilities) {
+		argv[argc++] = "-C";
+		argv[argc++] = in->capabilities;
+	}
+
 	if (in->no_new_privs)
 		argv[argc++] = "-c";
 
@@ -888,6 +895,9 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
 	if (string_changed(in->seccomp, in_new->seccomp))
 		return true;
 
+	if (string_changed(in->capabilities, in_new->capabilities))
+		return true;
+
 	if (!blobmsg_list_equal(&in->limits, &in_new->limits))
 		return true;
 
@@ -1119,6 +1129,9 @@ instance_jail_parse(struct service_instance *in, struct blob_attr *attr)
 	if (in->seccomp)
 		jail->argc += 2;
 
+	if (in->capabilities)
+		jail->argc += 2;
+
 	if (in->user)
 		jail->argc += 2;
 
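Review bot: The two argv slots consumed by the new `-C` block in jail_run (hunk at -256) are only safe because the hunk at -1119 bumps `jail->argc += 2` for the same condition; nothing in the code ties the two sites together, so a later change to one of them silently turns into an out-of-bounds write of argv. A one-line comment at each site would make the coupling visible, e.g. `/* keep in sync with the argv slots reserved in instance_jail_parse() */` above the `if (in->capabilities)` in jail_run and the mirror remark in instance_jail_parse. jail_run and instance_jail_parse both start and end outside their hunks, so the argv allocation itself is not visible here.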
@@ -1248,6 +1261,9 @@ instance_config_parse(struct service_instance *in)
 	if (!in->trace && tb[INSTANCE_ATTR_SECCOMP])
 		in->seccomp = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]));
 
+	if (tb[INSTANCE_ATTR_CAPABILITIES])
+		in->capabilities = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]));
+
 	if (tb[INSTANCE_ATTR_EXTROOT])
 		in->extroot = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_EXTROOT]));
 
@@ -1422,6 +1438,7 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
 	instance_config_move_strdup(&in->pidfile, in_src->pidfile);
 	instance_config_move_strdup(&in->seccomp, in_src->seccomp);
+	instance_config_move_strdup(&in->capabilities, in_src->capabilities);
 	instance_config_move_strdup(&in->bundle, in_src->bundle);
 	instance_config_move_strdup(&in->extroot, in_src->extroot);
 	instance_config_move_strdup(&in->overlaydir, in_src->overlaydir);
@@ -1474,6 +1491,7 @@ instance_free(struct service_instance *in)
 	free(in->jail.name);
 	free(in->jail.hostname);
 	free(in->seccomp);
+	free(in->capabilities);
 	free(in->pidfile);
 	free(in);
 }
@@ -1593,6 +1611,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose)
 	if (in->seccomp)
 		blobmsg_add_string(b, "seccomp", in->seccomp);
 
+	if (in->capabilities)
+		blobmsg_add_string(b, "capabilities", in->capabilities);
+
 	if (in->pidfile)
 		blobmsg_add_string(b, "pidfile", in->pidfile);
 
diff --git a/service/instance.h b/service/instance.h
index 6f38d4f..09fbb5d 100644
--- a/service/instance.h
+++ b/service/instance.h
@@ -80,6 +80,7 @@ struct service_instance {
 	bool no_new_privs;
 	struct jail jail;
 	char *seccomp;
+	char *capabilities;
 	char *pidfile;
 	char *extroot;
 	char *overlaydir;
-- 
cgit v1.2.1
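Review bot: In instance_config_parse (hunk at -1248) the new `capabilities` attribute is accepted unconditionally, while the neighbouring `seccomp` line is guarded by `!in->trace`; if trace mode is meant to bypass the jail's sandboxing options, the new line should mirror that guard, `if (!in->trace && tb[INSTANCE_ATTR_CAPABILITIES])`, and if the difference is intentional a short comment saying so would stop the next reader from "fixing" it. The `strdup` result is left unchecked, which matches the surrounding lines rather than being new here. instance_config_parse starts and ends outside the hunk, so I cannot tell from here whether `in->capabilities` is reset before this assignment on a re-parse.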