lxc domain from xml: convert lxc.cap.drop

26d67015 · Cédric Bosdonnat · Gao feng · 47e5b5ae · 26d67015 · 26d67015
12 changed file
--- a/src/lxc/lxc_native.c
+++ b/src/lxc/lxc_native.c
@@ -853,6 +853,28 @@ lxcSetBlkioTune(virDomainDefPtr def, virConfPtr properties)
    return 0;
 }

+static void
+lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties)
+{
+    virConfValuePtr value;
+    char **toDrop = NULL;
+    const char *capString;
+    size_t i;
+
+    if ((value = virConfGetValue(properties, "lxc.cap.drop")) && value->str)
+        toDrop = virStringSplit(value->str, " ", 0);
+
+    for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) {
+        capString = virDomainCapsFeatureTypeToString(i);
+        if (toDrop != NULL && virStringArrayHasString(toDrop, capString))
+            def->caps_features[i] = VIR_DOMAIN_FEATURE_STATE_OFF;
+    }
+
+    def->features[VIR_DOMAIN_FEATURE_CAPABILITIES] = VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW;
+
+    virStringFreeList(toDrop);
+}
+
 virDomainDefPtr
 lxcParseConfigString(const char *config)
 {
@@ -950,6 +972,9 @@ lxcParseConfigString(const char *config)
    if (lxcSetBlkioTune(vmdef, properties) < 0)
        goto error;

+    /* lxc.cap.drop */
+    lxcSetCapDrop(vmdef, properties);
+
    goto cleanup;

 error:

--- a/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml
@@ -25,6 +25,8 @@
  </os>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml
@@ -13,6 +13,8 @@
  </os>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml
@@ -15,6 +15,8 @@
  </os>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml
@@ -14,6 +14,8 @@
  </idmap>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml
@@ -8,6 +8,10 @@
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
+  <features>
+    <capabilities policy='allow'>
+    </capabilities>
+  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>

--- a/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml
@@ -15,6 +15,8 @@
  </os>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml
@@ -8,6 +8,10 @@
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
+  <features>
+    <capabilities policy='allow'>
+    </capabilities>
+  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>

--- a/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml
@@ -10,6 +10,8 @@
  </os>
  <features>
    <privnet/>
+    <capabilities policy='allow'>
+    </capabilities>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>

--- a/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml
@@ -8,6 +8,10 @@
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
+  <features>
+    <capabilities policy='allow'>
+    </capabilities>
+  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>

--- a/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-simple.xml
@@ -8,6 +8,14 @@
    <type arch='i686'>exe</type>
    <init>/sbin/init</init>
  </os>
+  <features>
+    <capabilities policy='allow'>
+      <mac_admin state='off'/>
+      <mac_override state='off'/>
+      <mknod state='off'/>
+      <sys_module state='off'/>
+    </capabilities>
+  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>

--- a/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
+++ b/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml
@@ -8,6 +8,10 @@
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
+  <features>
+    <capabilities policy='allow'>
+    </capabilities>
+  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>