author: Torsten Hilbrich <torsten.hilbrich@secunet.com> 2020-12-04 11:27:12 +0100
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2020-12-07 19:56:59 +0100
commit: 88fc9c9bad006a9fd05fbe4fe0107a2adccdae3c (patch)
tree: 8f00d836042f838004d0e330ecab309124951244 /man/systemd.nspawn.xml
parent: bf20d937501c796c0c01ffe6e09000b6ddf9ec03 (diff)
download: systemd-88fc9c9bad006a9fd05fbe4fe0107a2adccdae3c.tar.gz
systemd-nspawn: Allow setting ambient capability set
The old code was only able to pass the value 0 for the inheritable and ambient capability set when a non-root user was specified.

However, sometimes it is useful to run a program in its own container with a user specification and some capabilities set. This is needed when the capabilities cannot be provided by file capabilities (because the file system is mounted with MS_NOSUID for additional security).

This commit introduces the option --ambient-capability and the config file option AmbientCapability=. Both are used in a similar way to the existing Capability= setting. It changes the inheritable and ambient set (which is 0 by default).

The code also checks that the settings for the bounding set (as defined by Capability= and DropCapability=) and the setting for the ambient set (as defined by AmbientCapability=) are compatible. Otherwise, the operation would fail in any way.

Due to the current use of -1 to indicate no support for the ambient capability set, the special value "all" cannot be supported.

Also, the setting of ambient capability is restricted to running a single program in the container payload.
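The compatibility rule the commit message describes (the ambient set requested with AmbientCapability= must be covered by the bounding set built from Capability= and DropCapability=, and AmbientCapability= does not accept "all") can be illustrated as a small standalone validator. This is an added example, not systemd's own code: the default bounding set and the list of known capability names are assumed stand-ins (the real lists are in systemd's sources and in capabilities(7)), and the fragments are constructed to mirror the .nspawn [Exec] section where the three keys live.

```python
"""Illustration (added here; not systemd's code) of the compatibility rule the
commit describes: the ambient capability set requested with
AmbientCapability= must be covered by the bounding set built from
Capability= and DropCapability=, and AmbientCapability= rejects "all".
"""
from dataclasses import dataclass, field

# Assumed stand-in for the default bounding set nspawn retains; the real list
# is longer and lives in systemd's sources, not on this page.
DEFAULT_BOUNDING = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_KILL", "CAP_NET_BIND_SERVICE",
    "CAP_SETGID", "CAP_SETUID", "CAP_SYS_CHROOT",
})

# Assumed closed list of known capability names, used for "all" and for
# rejecting typos; capabilities(7) has the authoritative list.
ALL_CAPS = DEFAULT_BOUNDING | frozenset({
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
})


@dataclass
class ExecCaps:
    capability: set = field(default_factory=set)
    drop_capability: set = field(default_factory=set)
    ambient_capability: set = field(default_factory=set)
    capability_all: bool = False       # Capability=all seen
    drop_all: bool = False             # DropCapability=all seen


def parse_exec_section(text):
    """Collect the three capability keys from the [Exec] section of an
    .nspawn-style fragment. Keys may repeat; their values accumulate."""
    caps = ExecCaps()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Exec" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in ("Capability", "DropCapability", "AmbientCapability"):
            continue
        if value == "all":
            # "all" is valid for the bounding-set keys only (commit message).
            if key == "AmbientCapability":
                raise ValueError("AmbientCapability= does not support 'all'")
            if key == "Capability":
                caps.capability_all = True
            else:
                caps.drop_all = True
            continue
        names = set(value.split())
        unknown = names - ALL_CAPS
        if unknown:
            raise ValueError(f"{key}=: unknown capabilities {sorted(unknown)}")
        target = {"Capability": caps.capability,
                  "DropCapability": caps.drop_capability,
                  "AmbientCapability": caps.ambient_capability}[key]
        target |= names  # in-place union on the chosen set
    return caps


def bounding_set(caps):
    """Bounding set as the page describes it: Capability= extends the default
    set (or "all" retains everything) and DropCapability= removes
    capabilities ("all" drops everything)."""
    if caps.drop_all:
        return frozenset()
    retained = set(ALL_CAPS) if caps.capability_all else set(DEFAULT_BOUNDING) | caps.capability
    return frozenset(retained - caps.drop_capability)


def check_ambient(text):
    """Parse the fragment and return the validated ambient set, or raise
    ValueError when it is not covered by the bounding set."""
    caps = parse_exec_section(text)
    uncovered = caps.ambient_capability - bounding_set(caps)
    if uncovered:
        raise ValueError(
            f"AmbientCapability= requests {sorted(uncovered)} which the bounding "
            "set (Capability=/DropCapability=) does not retain")
    return frozenset(caps.ambient_capability)


# Constructed fragments; the second drops the very capability it wants ambient.
GOOD_FRAGMENT = """
[Exec]
User=webapp
Capability=CAP_NET_ADMIN
AmbientCapability=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
"""

BAD_FRAGMENT = """
[Exec]
User=webapp
DropCapability=CAP_NET_BIND_SERVICE
AmbientCapability=CAP_NET_BIND_SERVICE
"""

if __name__ == "__main__":
    print(sorted(check_ambient(GOOD_FRAGMENT)))
    try:
        check_ambient(BAD_FRAGMENT)
    except ValueError as err:
        print("rejected:", err)
```

Running the module prints the two accepted ambient capabilities for the first fragment and the rejection reason for the second; the check fails early, at configuration time, which is the behaviour the commit message describes for nspawn itself.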
Diffstat (limited to 'man/systemd.nspawn.xml')
-rw-r--r-- man/systemd.nspawn.xml | 29
1 files changed, 28 insertions, 1 deletions
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml
index 0125b71e34..6ad0e1a101 100644
--- a/man/systemd.nspawn.xml
+++ b/man/systemd.nspawn.xml
@@ -190,7 +190,34 @@
<filename>/run/system/nspawn/</filename> (see above). On the
other hand, <varname>DropCapability=</varname> takes effect in
all cases. If the special value <literal>all</literal> is passed, all
- capabilities are retained (or dropped).</para></listitem>
+ capabilities are retained (or dropped).</para>
+ <para>These settings change the bounding set of capabilities which
+ also limits the ambient capabilities as given with the
+ <varname>AmbientCapability=</varname>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>AmbientCapability=</varname></term>
+ <listitem><para>Takes a space-separated list of Linux process
+ capabilities (see
+ <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details). The <varname>AmbientCapability=</varname> setting
+ specifies capability which will be passed to to started program
+ in the inheritable and ambient capability sets. This will grant
+ these capabilities to this process. This setting correspond to
+ the <option>--ambient-capability=</option> command line switch.
+ </para>
+
+ <para>The value <literal>all</literal> is not supported for this
+ setting.</para>
+
+ <para>The setting of <varname>AmbientCapability=</varname> must
+ be covered by the bounding set settings which were established by
+ <varname>Capability=</varname> and <varname>DropCapability=</varname>.
+ </para>
+
+ <para>Note that <varname>AmbientCapability=</varname> is a privileged
+ setting (see above).</para></listitem>
</varlistentry>
<varlistentry>
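Review bot: the first <para> of the new AmbientCapability= entry has wording defects: "specifies capability which will be passed to to started program" should read "specifies capabilities which will be passed to the started program", and "This setting correspond to" should be "This setting corresponds to". The entry also omits a restriction the commit message states explicitly, that the ambient set can only be applied when running a single program in the container payload; a sentence to that effect belongs next to the note that "all" is unsupported, so an administrator reading only the man page learns about it. Finally, "must be covered by the bounding set settings" could say what happens when it is not: the commit message describes a compatibility check that rejects such a configuration, and documenting the failure makes the constraint actionable.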