Hi,

nice to see caps being added. please explain a bit about the file that
needs to be created for it to work

        John

On 01/12/2015 00:09, Etienne CHAMPETIER wrote:
> Signed-off-by: Etienne CHAMPETIER <[email protected]>
> ---
>  service/instance.c | 22 ++++++++++++++++++++++
>  service/instance.h |  1 +
>  2 files changed, 23 insertions(+)
> 
> diff --git a/service/instance.c b/service/instance.c
> index c478d4b..0f4e711 100644
> --- a/service/instance.c
> +++ b/service/instance.c
> @@ -52,6 +52,7 @@ enum {
>       INSTANCE_ATTR_JAIL,
>       INSTANCE_ATTR_TRACE,
>       INSTANCE_ATTR_SECCOMP,
> +     INSTANCE_ATTR_CAPABILITIES,
>       __INSTANCE_ATTR_MAX
>  };
>  
> @@ -73,6 +74,7 @@ static const struct blobmsg_policy 
> instance_attr[__INSTANCE_ATTR_MAX] = {
>       [INSTANCE_ATTR_JAIL] = { "jail", BLOBMSG_TYPE_TABLE },
>       [INSTANCE_ATTR_TRACE] = { "trace", BLOBMSG_TYPE_BOOL },
>       [INSTANCE_ATTR_SECCOMP] = { "seccomp", BLOBMSG_TYPE_STRING },
> +     [INSTANCE_ATTR_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_STRING },
>  };
>  
>  enum {
> @@ -186,6 +188,11 @@ jail_run(struct service_instance *in, char **argv)
>               argv[argc++] = in->seccomp;
>       }
>  
> +     if (in->capabilities) {
> +             argv[argc++] = "-C";
> +             argv[argc++] = in->capabilities;
> +     }
> +
>       if (jail->procfs)
>               argv[argc++] = "-p";
>  
> @@ -666,6 +673,9 @@ instance_jail_parse(struct service_instance *in, struct 
> blob_attr *attr)
>       if (in->seccomp)
>               jail->argc += 2;
>  
> +     if (in->capabilities)
> +             jail->argc += 2;
> +
>       return 1;
>  }
>  
> @@ -752,6 +762,15 @@ instance_config_parse(struct service_instance *in)
>               else
>                       in->seccomp = seccomp;
>       }
> +     if (!in->trace && tb[INSTANCE_ATTR_CAPABILITIES]) {
> +             char *capabilities = 
> blobmsg_get_string(tb[INSTANCE_ATTR_CAPABILITIES]);
> +             struct stat s;
> +
> +             if (stat(capabilities, &s))
> +                     ERROR("%s: not dropping capabilities as %s is 
> missing\n", in->name, capabilities);
> +             else
> +                     in->capabilities = capabilities;
> +     }
>       if (!in->trace && tb[INSTANCE_ATTR_JAIL])
>               in->has_jail = instance_jail_parse(in, tb[INSTANCE_ATTR_JAIL]);
>  
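Review bot: When stat() fails on the capabilities file, the branch at the added lines only logs and then lets the instance start without the restriction, so a typo in the path or a missing file silently yields a jail with full capabilities (fail-open). The seccomp branch just above follows the same pattern, so if this is the intended policy it deserves a comment at the ERROR line, e.g. `/* fail-open on purpose: a missing capabilities file is only logged; the instance still starts unrestricted */`; if not, the parse should refuse the instance here instead of falling through. The check also only proves the path exists at parse time and is consumed later by the jail helper, so adding `S_ISREG(s.st_mode)` to the condition would at least reject a directory passed by mistake. instance_config_parse begins and ends outside this hunk.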
> @@ -935,6 +954,9 @@ void instance_dump(struct blob_buf *b, struct 
> service_instance *in, int verbose)
>       if (in->seccomp)
>               blobmsg_add_string(b, "seccomp", in->seccomp);
>  
> +     if (in->capabilities)
> +             blobmsg_add_string(b, "capabilities", in->capabilities);
> +
>       if (in->has_jail) {
>               void *r = blobmsg_open_table(b, "jail");
>               if (in->jail.name)
> diff --git a/service/instance.h b/service/instance.h
> index 5a76841..19f780d 100644
> --- a/service/instance.h
> +++ b/service/instance.h
> @@ -53,6 +53,7 @@ struct service_instance {
>       bool has_jail;
>       struct jail jail;
>       char *seccomp;
> +     char *capabilities;
>  
>       uint32_t respawn_timeout;
>       uint32_t respawn_threshold;
> 
