nsjail.o: nsjail.h common.h caps.h cmdline.h log.h net.h subproc.h util.h
caps.o: caps.h common.h log.h
cmdline.o: cmdline.h common.h caps.h config.h log.h mount.h util.h user.h
-config.o: common.h config.h log.h mount.h user.h util.h
+config.o: common.h caps.h config.h log.h mount.h user.h util.h
contain.o: contain.h common.h caps.h cgroup.h cpu.h log.h mount.h net.h pid.h
contain.o: user.h util.h uts.h
log.o: log.h common.h
#include <sys/mount.h>
#include <sys/personality.h>
+#include "caps.h"
#include "config.h"
#include "log.h"
#include "mount.h"
}
nsjconf->keep_caps = njc->keep_caps;
+ for (size_t i = 0; i < njc->n_cap; i++) {
+ struct ints_t *f = utilMalloc(sizeof(struct ints_t));
+ f->val = capsNameToVal(njc->cap[i]);
+ if (f->val == -1) {
+ return false;
+ }
+ TAILQ_INSERT_HEAD(&nsjconf->caps, f, pointers);
+ }
+
nsjconf->is_silent = njc->silent;
nsjconf->skip_setsid = njc->skip_setsid;
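Review bot: On the `f->val == -1` path of the new loop, the `struct ints_t` just returned by `utilMalloc` is neither freed nor linked into `nsjconf->caps`, so it leaks. Entries inserted on earlier iterations also stay in the list after `return false`. Resolving the name into a local with `capsNameToVal(njc->cap[i])` and moving the `utilMalloc` call below the `-1` check removes the leak without changing the accepted inputs. Unless `capsNameToVal` already logs the offending string (not visible in this hunk), the failure branch should also log `njc->cap[i]`, because a mistyped capability name in a jail config should be easy to trace. The enclosing function starts and ends outside the hunk.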
/* Should capabilities be preserved or dropped */
required bool keep_caps = 21 [ default = false ];
+ /* Which capabilities should be preserved if keep_caps == false.
+ Format: "CAP_SYS_PTRACE" */
+ repeated string cap = 63;
/* Should nsjail close FD=0,1,2 before executing the process */
required bool silent = 22 [ default = false ];
/* Should the child process have control over terminal?
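Review bot: The new comment on `cap` says the list applies "if keep_caps == false" but does not say what happens when `keep_caps` is true and `cap` entries are also present. The sample config changed in this same commit does exactly that, with `keep_caps: true` followed by `cap: "CAP_NET_ADMIN"` and `cap: "CAP_NET_RAW"`. If the list is ignored in that case, which the comment wording suggests but the visible code does not confirm, a reader copying the sample could believe the jail keeps only those two capabilities while it actually keeps all of them. I would spell this out, for example `/* Capabilities to retain when keep_caps == false; has no effect when keep_caps == true. Format: "CAP_SYS_PTRACE" */`, and consider a warning at config-parse time when both are set.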
envar: "PS1=[\\H:\\t:\\s-\\V:\\w]\\$ "
keep_caps: true
+cap: "CAP_NET_ADMIN"
+cap: "CAP_NET_RAW"
silent: false
skip_setsid: true
pass_fd: 100