
[libvirt] [PATCH v3 3/5] util: add functions to keep capabilities



This patch introduces virKeepCapabilities() function and implements
virCommandAllowCap() function.

The existing virClearCapabilities() clears all capabilities.
virKeepCapabilities() instead keeps an arbitrary set of capabilities.


Signed-off-by: Taku Izumi <izumi taku jp fujitsu com>
Signed-off-by: Shota Hirae <m11g1401 hibikino ne jp>
---
 src/util/command.c |   45 ++++++++++++++++++++++++++++++++++++++-------
 src/util/command.h |    4 +---
 2 files changed, 39 insertions(+), 10 deletions(-)

Index: libvirt/src/util/command.c
===================================================================
--- libvirt.orig/src/util/command.c
+++ libvirt/src/util/command.c
@@ -103,6 +103,8 @@ struct _virCommand {
     pid_t pid;
     char *pidfile;
     bool reap;
+
+    unsigned long long capabilities;
 };
 
 /*
@@ -182,6 +184,33 @@ static int virClearCapabilities(void)
 
     return 0;
 }
+
+/**
+ * virKeepCapabilities:
+ *  @capabilities - capability flag to keep.
+ *                  In case of 0, this function is identical to
+ *                  virClearCapabilities()
+ *
+ */
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    int ret, i;
+
+    capng_clear(CAPNG_SELECT_BOTH);
+
+    for (i = 0; i <= CAP_LAST_CAP; i++) {
+        if (capabilities & (1ULL << i))
+            capng_update(CAPNG_ADD, CAPNG_BOUNDING_SET, i);
+    }
+
+    if (ret = capng_apply(CAPNG_SELECT_BOTH) < 0) {
+        virCommandError(VIR_ERR_INTERNAL_ERROR,
+                        _("cannot apply process capabilities %d"), ret);
+        return -1;
+    }
+
+    return 0;
+}
 # else
 static int virClearCapabilities(void)
 {
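Review bot: In virKeepCapabilities the test `if (ret = capng_apply(CAPNG_SELECT_BOTH) < 0)` parses as `ret = (capng_apply(...) < 0)`, so `ret` only ever holds 0 or 1 and the error message never shows the real libcap-ng return code; it should be `if ((ret = capng_apply(CAPNG_SELECT_BOTH)) < 0)`. The loop also ignores the return value of `capng_update()`, so a failed update silently drops a capability instead of returning -1. After `capng_clear(CAPNG_SELECT_BOTH)` the requested bits are added to `CAPNG_BOUNDING_SET` only, which appears to leave the effective, permitted and inheritable sets empty; if the child is meant to hold these capabilities rather than merely be allowed to acquire them, the update would need `CAPNG_EFFECTIVE|CAPNG_PERMITTED|CAPNG_INHERITABLE|CAPNG_BOUNDING_SET`. Either way the doc comment should say which sets are affected and that `capabilities` is a bitmask of `1ULL << CAP_*` values.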
@@ -189,6 +218,11 @@ static int virClearCapabilities(void)
 //             "capabilities");
     return 0;
 }
+
+static int virKeepCapabilities(unsigned long long capabilities)
+{
+    return 0;
+}
 # endif
 
 /**
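Review bot: The fallback virKeepCapabilities in the `# else` branch returns 0 without doing anything, so on a build without libcap-ng a caller that asked for a reduced capability set is told it succeeded while the child keeps whatever capabilities the parent has. The neighbouring virClearCapabilities stub has the same behaviour with its warning commented out, but for a privilege-dropping helper it would be safer to at least log a warning, or return -1, when `capabilities` is non-zero. The parameter is also unused here; declaring it as `unsigned long long capabilities ATTRIBUTE_UNUSED` keeps builds with unused-parameter warnings clean.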
@@ -883,26 +917,23 @@ virCommandClearCaps(virCommandPtr cmd)
     cmd->flags |= VIR_EXEC_CLEAR_CAPS;
 }
 
-#if 0 /* XXX Enable if we have a need for capability management.  */
-
 /**
  * virCommandAllowCap:
  * @cmd: the command to modify
- * @capability: what to allow
+ * @capabilities: what to allow
  *
- * Re-allow a specific capability
+ * Allow specific capabilities
  */
 void
 virCommandAllowCap(virCommandPtr cmd,
-                   int capability ATTRIBUTE_UNUSED)
+                   unsigned long long capabilities)
 {
     if (!cmd || cmd->has_error)
         return;
 
-    /* XXX ? */
+    cmd->capabilities = capabilities;
 }
 
-#endif /* 0 */
 
 
 /**
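Review bot: virCommandAllowCap now overwrites `cmd->capabilities` on every call, which fits neither the function name nor the old "Re-allow a specific capability" contract. The doc comment should state that the argument is a bitmask of `1ULL << CAP_*` values replacing any earlier mask, or the setter should accumulate with `cmd->capabilities |= capabilities;`. The comment should also say how the mask interacts with virCommandClearCaps() and VIR_EXEC_CLEAR_CAPS, given that virKeepCapabilities documents a mask of 0 as clearing everything. No hunk in this patch reads `cmd->capabilities` or calls virKeepCapabilities, so the wiring is presumably in a later patch of the series; until then the static function may produce an unused-function warning.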
Index: libvirt/src/util/command.h
===================================================================
--- libvirt.orig/src/util/command.h
+++ libvirt/src/util/command.h
@@ -60,10 +60,8 @@ void virCommandSetPidFile(virCommandPtr 
 
 void virCommandClearCaps(virCommandPtr cmd);
 
-# if 0
 void virCommandAllowCap(virCommandPtr cmd,
-                        int capability);
-# endif
+                        unsigned long long capabilities);
 
 void virCommandDaemonize(virCommandPtr cmd);
 

