Accept numeric values for capabilities to drop

lxc.cap.drop now also accepts numeric values for capabilities. This allows the user to specify capabilities LXC doesn't know about yet or capabilities that were not part of the kernel headers LXC was compiled against. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

Accept numeric values for capabilities to drop
d55bc1ad · Christian Seiler · Daniel Lezcano · 5170c716 · d55bc1ad
Commit d55bc1ad authored Feb 23, 2012 by Christian Seiler Committed by Daniel Lezcano Feb 23, 2012
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

conf.c src/lxc/conf.c +17 -0

No files found.
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -60,6 +60,7 @@
 #include "conf.h"
 #include "log.h"
 #include "lxc.h"	/* for lxc_cgroup_set() */
+#include "caps.h"       /* for lxc_caps_last_cap() */
 lxc_log_define(lxc_conf, lxc);
@@ -1123,6 +1124,7 @@ static int setup_caps(struct lxc_list *caps)
 {
 	struct lxc_list *iterator;
 	char *drop_entry;
+	char *ptr;
 	int i, capid;
 	lxc_list_for_each(iterator, caps) {
@@ -1141,6 +1143,21 @@ static int setup_caps(struct lxc_list *caps)
 		}
 		if (capid < 0) {
+			/* try to see if it's numeric, so the user may specify
+			* capabilities  that the running kernel knows about but
+			* we don't */
+			capid = strtol(drop_entry, &ptr, 10);
+			if (!ptr || *ptr != '\0' ||
+			capid == LONG_MIN || capid == LONG_MAX)
+				/* not a valid number */
+				capid = -1;
+			else if (capid > lxc_caps_last_cap())
+				/* we have a number but it's not a valid
+				* capability */
+				capid = -1;
+		}
+	        if (capid < 0) {
 			ERROR("unknown capability %s", drop_entry);
 			return -1;
 		}