Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCI runtime support for nspawn #9762

Merged
merged 10 commits into from Mar 21, 2019
Merged

OCI runtime support for nspawn #9762

Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
9a2c591
capability: keep CAP_SETPCAP while dropping bounding caps
poettering Mar 6, 2019
c8a79aa
capability: add a way to get a uint64_t with all caps set
poettering Mar 6, 2019
248dd94
capability: deal with libcap being older than kernel
poettering Mar 8, 2019
5211445
capability: let's protect against the kernel eventually doing more th…
poettering Mar 8, 2019
61b4443
nspawn: refactor setuid code a bit
poettering Mar 6, 2019
5ef4cb7
nspawn: (void)ify more stuff
poettering Mar 5, 2019
de40a30
nspawn: add support for executing OCI runtime bundles with nspawn
poettering Apr 25, 2018
bd4b15f
nspawn: use right constant for shifting for uint64_t caps
poettering Mar 8, 2019
3d6c367
man: document the various new options nspawn learnt
poettering Jul 31, 2018
a3fc6b5
nspawn: mask out CAP_NET_ADMIN again if settings file turns off priva…
poettering Mar 15, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 10 additions & 5 deletions src/basic/capability-util.c
View file
Open in desktop
Expand Up @@ -47,6 +47,13 @@ unsigned long cap_last_cap(void) {
if (r >= 0) {
r = safe_atolu(content, &p);
if (r >= 0) {

if (p > 63) /* Safety for the future: if one day the kernel learns more than 64 caps,
* then we are in trouble (since we, as much userspace and kernel space
* store capability masks in uint64_t types. Let's hence protect
* ourselves against that and always cap at 63 for now. */
poettering marked this conversation as resolved.
Show resolved Hide resolved
p = 63;

saved = p;
valid = true;
return p;
Expand All @@ -58,17 +65,15 @@ unsigned long cap_last_cap(void) {

if (prctl(PR_CAPBSET_READ, p) < 0) {

/* Hmm, look downwards, until we find one that
* works */
/* Hmm, look downwards, until we find one that works */
for (p--; p > 0; p --)
if (prctl(PR_CAPBSET_READ, p) >= 0)
break;

} else {

/* Hmm, look upwards, until we find one that doesn't
* work */
for (;; p++)
/* Hmm, look upwards, until we find one that doesn't work */
for (; p < 63; p++)
if (prctl(PR_CAPBSET_READ, p+1) < 0)
break;
}
Expand Down