Signed-off-by: Etienne CHAMPETIER <[email protected]>
---
 service/instance.c | 22 ++++++++++++++++++++++
 service/instance.h |  1 +
 2 files changed, 23 insertions(+)

diff --git a/service/instance.c b/service/instance.c
index c478d4b..0f4e711 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -52,6 +52,7 @@ enum {
        INSTANCE_ATTR_JAIL,
        INSTANCE_ATTR_TRACE,
        INSTANCE_ATTR_SECCOMP,
+       INSTANCE_ATTR_CAPABILITIES,
        __INSTANCE_ATTR_MAX
 };
 
@@ -73,6 +74,7 @@ static const struct blobmsg_policy 
instance_attr[__INSTANCE_ATTR_MAX] = {
        [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
        [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
        [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
+       [INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },
 };
 
 enum {
@@ -186,6 +188,11 @@ jail_run(struct service_instance *in, char **argv)
                argv[argc++] = in->seccomp;
        }
 
+       if (in->capabilities) {
+               argv[argc++] = "-C";
+               argv[argc++] = in->capabilities;
+       }
+
        if (jail->procfs)
                argv[argc++] = "-p";
 
@@ -666,6 +673,9 @@ instance_jail_parse(struct service_instance *in, struct 
blob_attr *attr)
        if (in->seccomp)
                jail->argc += 2;
 
+       if (in->capabilities)
+               jail->argc += 2;
+
        return 1;
 }
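Review bot: The `jail->argc += 2` added here is only correct because instance_config_parse assigns in->capabilities before it calls instance_jail_parse (visible in the following hunk), and jail_run then fills that many argv slots with "-C" and the path; nothing in this function states that ordering dependency. A one-line comment would pin the invariant: `/* must match the "-C" pair added in jail_run(); in->capabilities is set by instance_config_parse before this runs */`. instance_jail_parse's body begins outside this hunk.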
 
@@ -752,6 +762,15 @@ instance_config_parse(struct service_instance *in)
                else
                        in->seccomp = seccomp;
        }
+       if (!in->trace && tb[INSTANCE_ATTR_CAPABILITIES]) {
+               char *capabilities = 
blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]);
+               struct stat s;
+
+               if (stat(capabilities, &s))
+                       ERROR("%s: not dropping capabilities as %s is 
missing\n", in->name, capabilities);
+               else
+                       in->capabilities = capabilities;
+       }
        if (!in->trace && tb[INSTANCE_ATTR_JAIL])
                in->has_jail = instance_jail_parse(in, tb[INSTANCE_ATTR_JAIL]);
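Review bot: When stat() fails on the capabilities file, the new branch logs and leaves in->capabilities NULL, so the instance still starts but with capabilities undropped (fail-open); that appears to mirror the seccomp handling just above as far as this hunk shows, but for a security option it is worth stating explicitly in the log line or, if the service is meant to require the restriction, refusing to start instead. The check itself is also only an existence test, so a directory or other non-regular path passes here and only fails later when ujail reads it; `if (stat(capabilities, &s) || !S_ISREG(s.st_mode))` would reject that earlier with the same error path. As with seccomp, in->capabilities points into the blob returned by blobmsg_get_string, so its lifetime is tied to that buffer — presumably fine since seccomp does the same, but worth confirming. instance_config_parse starts and ends outside this hunk.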
 
@@ -935,6 +954,9 @@ void instance_dump(struct blob_buf *b, struct 
service_instance *in, int verbose)
        if (in->seccomp)
                blobmsg_add_string(b, "seccomp", in->seccomp);
 
+       if (in->capabilities)
+               blobmsg_add_string(b, "capabilities", in->capabilities);
+
        if (in->has_jail) {
                void *r = blobmsg_open_table(b, "jail");
                if (in->jail.name)
diff --git a/service/instance.h b/service/instance.h
index 5a76841..19f780d 100644
--- a/service/instance.h
+++ b/service/instance.h
@@ -53,6 +53,7 @@ struct service_instance {
        bool has_jail;
        struct jail jail;
        char *seccomp;
+       char *capabilities;
 
        uint32_t respawn_timeout;
        uint32_t respawn_threshold;
-- 
1.9.1