allow lxc.cap.keep = none

doc/lxc.container.conf.sgml.in

@@ -1010,7 +1010,10 @@ proc proc proc nodev,noexec,nosuid 0 0
 	  <listitem>
 	    <para>
 	      Specify the capability to be kept in the container. All other
-	      capabilities will be dropped.
+	      capabilities will be dropped. When a special value of "none" is
+	      encountered, lxc will clear any keep capabilities specified up
+	      to this point. A value of "none" alone can be used to drop all
+	      capabilities.
 	    </para>
 	  </listitem>
 	</varlistentry>

src/lxc/conf.c

@@ -2198,6 +2198,9 @@ static int parse_cap(const char *cap)
 	char *ptr = NULL;
 	int i, capid = -1;
 
+	if (!strcmp(cap, "none"))
+		return -2;
+
 	for (i = 0; i < sizeof(caps_opt)/sizeof(caps_opt[0]); i++) {
 
 		if (strcmp(cap, caps_opt[i].name))
@@ -2291,6 +2294,9 @@ static int dropcaps_except(struct lxc_list *caps)
 
 		capid = parse_cap(keep_entry);
 
+		if (capid == -2)
+			continue;
+
 	        if (capid < 0) {
 			ERROR("unknown capability %s", keep_entry);
 			return -1;

src/lxc/confile.c

@@ -1479,6 +1479,9 @@ static int config_cap_keep(const char *key, const char *value,
                         break;
 		}
 
+		if (!strcmp(token, "none"))
+			lxc_clear_config_keepcaps(lxc_conf);
+
 		keeplist = malloc(sizeof(*keeplist));
 		if (!keeplist) {
 			SYSERROR("failed to allocate keepcap list");