instance: actually wire up capabilities filename
authorDaniel Golle <daniel@makrotopia.org>
Mon, 19 Oct 2020 16:50:19 +0000 (17:50 +0100)
committerDaniel Golle <daniel@makrotopia.org>
Mon, 19 Oct 2020 17:35:33 +0000 (18:35 +0100)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
service/instance.c
service/instance.h

index 218bdec513c176fad988f30ec6117c18eaaf6207..a57fe30b1045c3e34ebacbc56715a3cb2c95796c 100644 (file)
@@ -59,6 +59,7 @@ enum {
        INSTANCE_ATTR_JAIL,
        INSTANCE_ATTR_TRACE,
        INSTANCE_ATTR_SECCOMP,
+       INSTANCE_ATTR_CAPABILITIES,
        INSTANCE_ATTR_PIDFILE,
        INSTANCE_ATTR_RELOADSIG,
        INSTANCE_ATTR_TERMTIMEOUT,
@@ -91,6 +92,7 @@ static const struct blobmsg_policy instance_attr[__INSTANCE_ATTR_MAX] = {
        [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
        [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
        [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
+       [INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },
        [INSTANCE_ATTR_PIDFILE] = { "pidfile", BLOBMSG_TYPE_STRING },
        [INSTANCE_ATTR_RELOADSIG] = { "reload_signal", BLOBMSG_TYPE_INT32 },
        [INSTANCE_ATTR_TERMTIMEOUT] = { "term_timeout", BLOBMSG_TYPE_INT32 },
@@ -256,6 +258,11 @@ jail_run(struct service_instance *in, char **argv)
                argv[argc++] = in->group;
        }
 
+       if (in->capabilities) {
+               argv[argc++] = "-C";
+               argv[argc++] = in->capabilities;
+       }
+
        if (in->no_new_privs)
                argv[argc++] = "-c";
 
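Review bot: The two argv slots consumed for `-C` and the filename here are only in bounds because instance_jail_parse reserves them with its own `jail->argc += 2` in the later hunk, and nothing in either place records that the two must move together; a future flag added in one but not the other would either overrun argv or silently shorten the command line. A comment at the reservation site would make the coupling visible, e.g. `/* reserve two argv slots per optional ujail flag; keep in sync with jail_run() */`, with the mirror remark above this block. jail_run's body starts and ends outside the hunk, so the argv allocation itself is not visible here.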
@@ -888,6 +895,9 @@ instance_config_changed(struct service_instance *in, struct service_instance *in
        if (string_changed(in->seccomp, in_new->seccomp))
                return true;
 
+       if (string_changed(in->capabilities, in_new->capabilities))
+               return true;
+
        if (!blobmsg_list_equal(&in->limits, &in_new->limits))
                return true;
 
@@ -1119,6 +1129,9 @@ instance_jail_parse(struct service_instance *in, struct blob_attr *attr)
        if (in->seccomp)
                jail->argc += 2;
 
+       if (in->capabilities)
+               jail->argc += 2;
+
        if (in->user)
                jail->argc += 2;
 
@@ -1248,6 +1261,9 @@ instance_config_parse(struct service_instance *in)
        if (!in->trace && tb[INSTANCE_ATTR_SECCOMP])
                in->seccomp = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]));
 
+       if (tb[INSTANCE_ATTR_CAPABILITIES])
+               in->capabilities = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]));
+
        if (tb[INSTANCE_ATTR_EXTROOT])
                in->extroot = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_EXTROOT]));
 
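Review bot: The `strdup` result on the new capabilities line is never checked, and since jail_run only emits `-C` when `in->capabilities` is non-NULL, an allocation failure starts the jail without the capability restriction the service configured instead of reporting an error. The neighbouring seccomp and extroot lines have the same shape, so this follows the file's existing pattern, but for a setting whose only purpose is to restrict the jail a fail-closed check is preferable, along the lines of `if (tb[INSTANCE_ATTR_CAPABILITIES] && !(in->capabilities = strdup(...))) return false;` — adjust to whatever instance_config_parse actually returns, as its signature and body lie outside the hunk. Note also that, unlike seccomp two lines above, the capabilities attribute is taken even when `in->trace` is set; if that is intentional a short comment saying so would save the next reader the comparison.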
@@ -1422,6 +1438,7 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
 
        instance_config_move_strdup(&in->pidfile, in_src->pidfile);
        instance_config_move_strdup(&in->seccomp, in_src->seccomp);
+       instance_config_move_strdup(&in->capabilities, in_src->capabilities);
        instance_config_move_strdup(&in->bundle, in_src->bundle);
        instance_config_move_strdup(&in->extroot, in_src->extroot);
        instance_config_move_strdup(&in->overlaydir, in_src->overlaydir);
@@ -1474,6 +1491,7 @@ instance_free(struct service_instance *in)
        free(in->jail.name);
        free(in->jail.hostname);
        free(in->seccomp);
+       free(in->capabilities);
        free(in->pidfile);
        free(in);
 }
@@ -1593,6 +1611,9 @@ void instance_dump(struct blob_buf *b, struct service_instance *in, int verbose)
        if (in->seccomp)
                blobmsg_add_string(b, "seccomp", in->seccomp);
 
+       if (in->capabilities)
+               blobmsg_add_string(b, "capabilities", in->capabilities);
+
        if (in->pidfile)
                blobmsg_add_string(b, "pidfile", in->pidfile);
 
index 6f38d4f5c08102ce021a7f328869609f4ed3a484..09fbb5d0c65133438dbff487ede04366d6321e4b 100644 (file)
@@ -80,6 +80,7 @@ struct service_instance {
        bool no_new_privs;
        struct jail jail;
        char *seccomp;
+       char *capabilities;
        char *pidfile;
        char *extroot;
        char *overlaydir;
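Review bot: The new `capabilities` member is undocumented, and the header is where a reader looks for its meaning and ownership. The instance.c hunks show it is an owned `strdup` copy of the `capabilities` string attribute, released in instance_free and handed to ujail as the `-C` argument, so `char *capabilities; /* path of the capabilities file passed to ujail via -C; owned, freed in instance_free() */` would state that where it is needed. struct service_instance starts and ends outside the hunk.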