| author | Torsten Hilbrich <torsten.hilbrich@secunet.com> | 2020-12-04 11:27:12 +0100 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-12-07 19:56:59 +0100 |
| commit | 88fc9c9bad006a9fd05fbe4fe0107a2adccdae3c | |
| tree | 8f00d836042f838004d0e330ecab309124951244 /man/systemd-nspawn.xml | |
| parent | bf20d937501c796c0c01ffe6e09000b6ddf9ec03 | |
| download | systemd-88fc9c9bad006a9fd05fbe4fe0107a2adccdae3c.tar.gz | |
systemd-nspawn: Allow setting ambient capability set
The old code was only able to pass the value 0 for the inheritable
and ambient capability set when a non-root user was specified.
However, sometimes it is useful to run a program in its own container
with a user specification and some capabilities set. This is needed
when the capabilities cannot be provided by file capabilities (because
the file system is mounted with MS_NOSUID for additional security).
This commit introduces the option --ambient-capability and the config
file option AmbientCapability=. Both are used in a similar way to the
existing Capability= setting. It changes the inheritable and ambient
set (which is 0 by default). The code also checks that the settings
for the bounding set (as defined by Capability= and DropCapability=)
and the setting for the ambient set (as defined by AmbientCapability=)
are compatible. Otherwise, the operation would fail in any way.
Due to the current use of -1 to indicate no support for the ambient
capability set, the special value "all" cannot be supported.
Also, the setting of ambient capability is restricted to running a
single program in the container payload.
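The commit message relies on two kernel rules that the text only alludes to: a capability can only be raised into the ambient set if it is already in the thread's permitted and inheritable sets, and nothing can ever be raised that has been dropped from the bounding set. The following C program is an added example written for this page, not systemd's or the commit author's code. It shows a subset check of the kind the message says nspawn performs (an ambient set that is not a subset of the bounding set is rejected) and then the actual syscall sequence a launcher must perform to hand an ambient capability to a non-root child. The capability masks in main() are constructed for illustration; the function names are this example's own. It assumes Linux 4.3 or newer (PR_CAP_AMBIENT) and uses raw capget/capset so it needs no libcap. Run unprivileged, raise_ambient() reports EPERM because the capability is not in the permitted set; run as root (or with CAP_NET_BIND_SERVICE in the permitted set) it succeeds and the ambient bit becomes visible.

```c
/* Added example (not systemd code): how the kernel's ambient capability
 * rules constrain what a setting like --ambient-capability= can grant.
 * Linux only; needs <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT          /* older glibc headers may lack these */
#define PR_CAP_AMBIENT            47
#define PR_CAP_AMBIENT_IS_SET     1
#define PR_CAP_AMBIENT_RAISE      2
#define PR_CAP_AMBIENT_LOWER      3
#define PR_CAP_AMBIENT_CLEAR_ALL  4
#endif

#define CAP_BIT(c) ((uint64_t)1 << (c))

/* Illustrative check (hypothetical, not nspawn's own code): an ambient set
 * is only usable if every capability in it is also in the bounding set that
 * Capability=/DropCapability= leave behind.  Returns 1 if compatible,
 * 0 otherwise; *missing receives the offending bits. */
int ambient_compatible(uint64_t bounding, uint64_t ambient, uint64_t *missing) {
    uint64_t diff = ambient & ~bounding;
    if (missing)
        *missing = diff;
    return diff == 0;
}

/* Ask the kernel whether cap is still in this thread's bounding set
 * (1 = present, 0 = dropped, -errno on error). */
int capbset_has(int cap) {
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* 1 if cap is in the ambient set, 0 if not, -errno on error. */
int ambient_has(int cap) {
    int r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, cap, 0, 0);
    return r < 0 ? -errno : r;
}

/* Raise cap into the ambient set the way a privileged launcher must:
 * the kernel requires the cap to be in the bounding set and in both the
 * permitted and inheritable sets first.  Returns 0 on success, -errno on
 * failure (EPERM when the caller simply does not hold the capability). */
int raise_ambient(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int idx = cap / 32;
    uint32_t bit = (uint32_t)1 << (cap % 32);

    int r = capbset_has(cap);
    if (r < 0)
        return r;
    if (r == 0)
        return -EPERM;            /* dropped from the bounding set: gone for good */

    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    if (!(data[idx].permitted & bit))
        return -EPERM;            /* not permitted: the kernel would refuse the raise */

    data[idx].inheritable |= bit; /* ambient must be a subset of inheritable */
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;

    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)
        return -errno;
    return 0;
}

int main(void) {
    /* Constructed masks standing in for Capability=/DropCapability= and
     * AmbientCapability= settings; CAP_SYS_ADMIN is deliberately absent
     * from the bounding set to trigger the rejection path. */
    uint64_t bounding = CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_CHOWN);
    uint64_t ambient  = CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_SYS_ADMIN);
    uint64_t missing;

    if (!ambient_compatible(bounding, ambient, &missing))
        printf("rejected: ambient caps not in bounding set: 0x%llx\n",
               (unsigned long long)missing);

    int r = raise_ambient(CAP_NET_BIND_SERVICE);
    printf("raise CAP_NET_BIND_SERVICE: %s (ambient now %d)\n",
           r == 0 ? "ok" : strerror(-r), ambient_has(CAP_NET_BIND_SERVICE));
    return 0;
}
```

Because the child inherits the ambient set across execve() regardless of file capabilities, this is exactly the path that still works on an MS_NOSUID mount, which is the situation the commit message gives as motivation; the subset check up front turns an otherwise opaque kernel EPERM into a clear configuration error.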
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r-- | man/systemd-nspawn.xml | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 588924ee61..a720d401e7 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1002,7 +1002,11 @@ If the special value <literal>all</literal> is passed, all capabilities are retained.</para> <para>If the special value of <literal>help</literal> is passed, the program will print known - capability names and exit.</para></listitem> + capability names and exit.</para> + + <para>This option sets the bounding set of capabilities which + also limits the ambient capabilities as given with the + <option>--ambient-capability=</option>.</para></listitem> </varlistentry> <varlistentry> @@ -1014,7 +1018,32 @@ above).</para> <para>If the special value of <literal>help</literal> is passed, the program will print known - capability names and exit.</para></listitem> + capability names and exit.</para> + + <para>This option sets the bounding set of capabilities which + also limits the ambient capabilities as given with the + <option>--ambient-capability=</option>.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--ambient-capability=</option></term> + + <listitem><para>Specify one or more additional capabilities to + pass in the inheritable and ambient set to the program started + within the container. The value <literal>all</literal> is not + supported for this setting.</para> + + <para>All capabilities specified here must be in the set + allowed with the <option>--capability=</option> and + <option>--drop-capability=</option> options. Otherwise, an + error message will be shown.</para> + + <para>This option cannot be combined with the boot mode of the + container (as requested via <option>--boot</option>).</para> + + <para>If the special value of <literal>help</literal> is + passed, the program will print known capability names and + exit.</para></listitem> </varlistentry> <varlistentry> |
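Review bot: the paragraph added to the <option>--capability=</option> entry in the first hunk (and repeated verbatim in the <option>--drop-capability=</option> entry in the second) says this option "sets the bounding set", but the commit message describes the bounding set as the result of Capability= and DropCapability= taken together, so neither option "sets" it on its own; the point worth documenting is that the ambient set must be a subset of the bounding set the two options leave. Suggest phrasing both copies as "This option changes the bounding set of capabilities, which in turn limits what may be granted with <option>--ambient-capability=</option>." That also removes the stray article in "as given with the <option>--ambient-capability=</option>".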
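Review bot: the new <option>--ambient-capability=</option> entry in the second hunk leaves out two things the commit message states and a reader will need: the matching configuration file setting AmbientCapability= (the existing entries name their Capability=/DropCapability= counterparts, and this one should too), and the case the option exists for, namely a non-root payload started with <option>--user=</option> on a file system where file capabilities are unavailable, such as an MS_NOSUID mount. "Otherwise, an error message will be shown." also leaves open whether the container still starts; please say so explicitly, e.g. "Otherwise systemd-nspawn refuses to start the container." Finally, the sentence "The value <literal>all</literal> is not supported for this setting." gives no hint why; a short "(the special value <literal>all</literal> is not supported)" placed directly after the capability list, with the inheritable-and-ambient wording kept, reads more naturally than a separate sentence.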