[libvirt] [PATCH v2 3/5] util: add functions to keep capabilities

Taku Izumi izumi.taku at jp.fujitsu.com
Thu Dec 22 07:05:44 UTC 2011


This patch introduces virKeepCapabilities() function and implements
virCommandAllowCap() function.

The existing virClearCapabilities() clears all capabilities.
virKeepCapabilities() instead keeps an arbitrary set of capabilities.


Signed-off-by: Taku Izumi <izumi.taku at jp.fujitsu.com>
Signed-off-by: Shota Hirae <m11g1401 at hibikino.ne.jp>
---
 src/util/command.c |   45 ++++++++++++++++++++++++++++++++++++++-------
 src/util/command.h |    4 +---
 2 files changed, 39 insertions(+), 10 deletions(-)

Index: libvirt/src/util/command.c
===================================================================
--- libvirt.orig/src/util/command.c
+++ libvirt/src/util/command.c
@@ -102,6 +102,8 @@ struct _virCommand {
     pid_t pid;
     char *pidfile;
     bool reap;
+
+    unsigned long long capabilities;
 };
 
 #ifndef WIN32
@@ -121,6 +123,33 @@ static int virClearCapabilities(void)
 
     return 0;
 }
+
+/**
+ * virKeepCapabilities:
+ *  @capabilities - capability flag to keep.
+ *                  In case of 0, this function is identical to
+ *                  virKeepCapabilities()
+ *
+ */
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    int ret, i;
+
+    capng_clear(CAPNG_SELECT_BOTH);
+
+    for (i = 0; i <= CAP_LAST_CAP; i++) {
+        if (capabilities & (1ULL << i))
+            capng_update(CAPNG_ADD, CAPNG_BOUNDING_SET, i);
+    }
+
+    if (ret = capng_apply(CAPNG_SELECT_BOTH) < 0) {
+        virCommandError(VIR_ERR_INTERNAL_ERROR,
+                        _("cannot apply process capabilities %d"), ret);
+        return -1;
+    }
+
+    return 0;
+}
 # else
 static int virClearCapabilities(void)
 {
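Review bot: In virKeepCapabilities(), `if (ret = capng_apply(CAPNG_SELECT_BOTH) < 0)` parses as `ret = (capng_apply(...) < 0)`, so a failure is still detected but `ret` holds 1 and the error message never shows the real return code; write `if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0)`. The return value of `capng_update()` in the loop is ignored, so a capability that could not be added is dropped without any error reaching the caller; checking it and returning -1 would make that visible. The requested bits are added only to `CAPNG_BOUNDING_SET` after `capng_clear(CAPNG_SELECT_BOTH)`, which presumably relies on the child regaining them at exec, and the doc comment should state that. Its last sentence should also name `virClearCapabilities()` rather than `virKeepCapabilities()`.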
@@ -128,6 +157,11 @@ static int virClearCapabilities(void)
 //             "capabilities");
     return 0;
 }
+
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    return 0;
+}
 # endif
 
 
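Review bot: The fallback `virKeepCapabilities()` returns 0 without restricting anything, so on a build that takes this branch a caller that asked for a reduced capability set is told it succeeded while the child keeps every capability it had. Reporting an error, or at least logging a warning as the commented-out lines in the neighbouring `virClearCapabilities()` stub hint at, would stop that from going unnoticed. If the parameter stays unused it should carry `ATTRIBUTE_UNUSED`, the macro the old `virCommandAllowCap()` signature used. The preprocessor condition that selects this branch is outside the hunk.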
@@ -821,26 +855,23 @@ virCommandClearCaps(virCommandPtr cmd)
     cmd->flags |= VIR_EXEC_CLEAR_CAPS;
 }
 
-#if 0 /* XXX Enable if we have a need for capability management.  */
-
 /**
  * virCommandAllowCap:
  * @cmd: the command to modify
- * @capability: what to allow
+ * @capabilities: what to allow
  *
- * Re-allow a specific capability
+ * Allow a specific capability
  */
 void
 virCommandAllowCap(virCommandPtr cmd,
-                   int capability ATTRIBUTE_UNUSED)
+                   unsigned long long capabilities)
 {
     if (!cmd || cmd->has_error)
         return;
 
-    /* XXX ? */
+    cmd->capabilities = capabilities;
 }
 
-#endif /* 0 */
 
 
 /**
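Review bot: `virCommandAllowCap()` now takes a bitmask, but the name and the doc line "Allow a specific capability" still read as a single capability, so a caller passing a bare `CAP_*` number would have it interpreted as a mask of unrelated low-numbered capabilities. The doc comment should spell out the encoding, e.g. `@capabilities: bitmask of capabilities to keep; bit N set keeps capability number N`, and say that `cmd->capabilities = capabilities;` replaces the value from any earlier call rather than adding to it. Nothing visible in this patch reads `cmd->capabilities` or calls the static `virKeepCapabilities()`, so it looks unused here unless a later patch in the series wires it into the exec path. How the mask interacts with `VIR_EXEC_CLEAR_CAPS` should be documented where that wiring happens.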
Index: libvirt/src/util/command.h
===================================================================
--- libvirt.orig/src/util/command.h
+++ libvirt/src/util/command.h
@@ -60,10 +60,8 @@ void virCommandSetPidFile(virCommandPtr 
 
 void virCommandClearCaps(virCommandPtr cmd);
 
-# if 0
 void virCommandAllowCap(virCommandPtr cmd,
-                        int capability);
-# endif
+                        unsigned long long capabilities);
 
 void virCommandDaemonize(virCommandPtr cmd);
 



