This patch introduces XML schema for capability XML.
"process" and "cap" element are added.
The list of "cap" elements represents the process capabilities the host supports.
<capabilities>
<host>
...
<process>
<cap name='chown'/>
<cap name='dac_override'/>
...
</process>
</host>
...
</capabilities>
Signed-off-by: Taku Izumi <izumi.taku(a)jp.fujitsu.com>
---
docs/formatcaps.html.in | 36 +++++++++++++++++++++++++
docs/schemas/capability.rng | 50 +++++++++++++++++++++++++++++++++++
include/libvirt/libvirt.h.in | 45 +++++++++++++++++++++++++++++++
src/conf/capabilities.c | 61 +++++++++++++++++++++++++++++++++++++++++++
src/conf/capabilities.h | 5 +++
5 files changed, 197 insertions(+)
Index: libvirt/src/conf/capabilities.h
===================================================================
--- libvirt.orig/src/conf/capabilities.h
+++ libvirt/src/conf/capabilities.h
@@ -119,6 +119,10 @@ struct _virCapsHost {
virCapsHostSecModel secModel;
virCPUDefPtr cpu;
unsigned char host_uuid[VIR_UUID_BUFLEN];
+
+ unsigned long long processCaps; /* Bitmask of the Process capabilities
+ * see enum virCapsProcessCaps
+ */
};
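Review bot: The field comment on `processCaps` refers to `enum virCapsProcessCaps`, but no enum of that name is introduced by this patch; `virCapsProcessCaps` is only the `VIR_ENUM_DECL` name, and the enumerators live in the public `virProcessCapabilityType` in libvirt.h.in. Suggest `/* Bitmask of process capabilities, bit i set for virProcessCapabilityType value i; see virProcessCapabilityType and VIR_ENUM_IMPL(virCapsProcessCaps) */`. It would also help to state what the field holds when cap-ng is unavailable (presumably it stays zero from the allocation of the struct, since only `|=` is ever applied; confirm).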
typedef int (*virDomainDefNamespaceParse)(xmlDocPtr, xmlNodePtr,
@@ -263,5 +267,6 @@ virCapabilitiesDefaultGuestEmulator(virC
extern char *
virCapabilitiesFormatXML(virCapsPtr caps);
+VIR_ENUM_DECL(virCapsProcessCaps)
#endif /* __VIR_CAPABILITIES_H */
Index: libvirt/src/conf/capabilities.c
===================================================================
--- libvirt.orig/src/conf/capabilities.c
+++ libvirt/src/conf/capabilities.c
@@ -33,6 +33,9 @@
#include "cpu_conf.h"
#include "virterror_internal.h"
+#if HAVE_CAPNG
+# include <cap-ng.h>
+#endif
#define VIR_FROM_THIS VIR_FROM_CAPABILITIES
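Review bot: This hunk guards the cap-ng include with `#if HAVE_CAPNG`, while the call site added later in the same file (`#ifdef HAVE_CAPNG` around `virCapabilitiesInitProcessCaps`) uses `#ifdef`; if configure ever defines the macro without a value, `#if` evaluates to 0 and the include is skipped while the call remains, leaving `CAP_LAST_CAP` undeclared. Use the same form in both places, matching whatever the rest of the tree already uses for `HAVE_CAPNG`.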
@@ -40,6 +43,48 @@ VIR_ENUM_DECL(virCapsHostPMTarget)
VIR_ENUM_IMPL(virCapsHostPMTarget, VIR_NODE_SUSPEND_TARGET_LAST,
"suspend_mem", "suspend_disk",
"suspend_hybrid");
+VIR_ENUM_IMPL(virCapsProcessCaps, VIR_PROCESS_CAPABILITY_LAST,
+ "chown",
+ "dac_override",
+ "dac_read_search",
+ "fowner",
+ "fsetid",
+ "kill",
+ "setgid",
+ "setuid",
+ "setpcap",
+ "linux_immutable",
+ "net_bind_service",
+ "net_broadcast",
+ "net_admin",
+ "net_raw",
+ "ipc_lock",
+ "ipc_owner",
+ "sys_module",
+ "sys_rawio",
+ "sys_chroot",
+ "sys_ptrace",
+ "sys_pacct",
+ "sys_admin",
+ "sys_boot",
+ "sys_nice",
+ "sys_resource",
+ "sys_time",
+ "sys_tty_config",
+ "mknod",
+ "lease",
+ "audit_write",
+ "audit_control",
+ "setfcap",
+ "mac_override",
+ "mac_admin")
+
+static void
+virCapabilitiesInitProcessCaps(virCapsPtr caps)
+{
+ caps->host.processCaps |= (1ULL << (CAP_LAST_CAP + 1)) - 1;
+}
+
/**
* virCapabilitiesNew:
* @arch: host machine architecture
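Review bot: `virCapabilitiesInitProcessCaps` sets every bit from 0 through `CAP_LAST_CAP` without consulting the process's own capability set, so the `<process>` list advertises all capabilities even when libvirtd runs with a reduced effective set, which defeats the purpose of a `<process>` element for a caller deciding whether a privileged operation can succeed. `CAP_LAST_CAP` is also a compile-time value from the build host's headers rather than the running kernel, and it is not bounded by `VIR_PROCESS_CAPABILITY_LAST`: bits above the enum are set but never printed by the formatter, and a value of 63 or more makes the shift undefined. Since cap-ng is already included, load the process state with `capng_get_caps_process()` and set only the bits `capng_have_capability(CAPNG_EFFECTIVE, i)` confirms, bounded by both limits (presumably the effective set is what the XML means to describe; confirm with the author). The rewritten function follows.
```c
static void
virCapabilitiesInitProcessCaps(virCapsPtr caps)
{
    size_t i;

    /* Report only what this process actually holds, bounded by both the
     * kernel's CAP_LAST_CAP and the enum the formatter can name. */
    if (capng_get_caps_process() != 0)
        return;
    for (i = 0; i < VIR_PROCESS_CAPABILITY_LAST && i <= CAP_LAST_CAP; i++) {
        if (capng_have_capability(CAPNG_EFFECTIVE, i))
            caps->host.processCaps |= 1ULL << i;
    }
}
```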
@@ -63,6 +108,10 @@ virCapabilitiesNew(const char *arch,
caps->host.offlineMigrate = offlineMigrate;
caps->host.liveMigrate = liveMigrate;
+#ifdef HAVE_CAPNG
+ virCapabilitiesInitProcessCaps(caps);
+#endif
+
return caps;
no_memory:
@@ -754,6 +803,18 @@ virCapabilitiesFormatXML(virCapsPtr caps
virBufferAddLit(&xml, " </secmodel>\n");
}
+ if (caps->host.processCaps) {
+ virBufferAddLit(&xml, " <process>\n");
+ for (i = 0; i < VIR_PROCESS_CAPABILITY_LAST; i++) {
+ if (caps->host.processCaps & (1ULL << i)) {
+ const char *name = virCapsProcessCapsTypeToString(i);
+ if (name)
+ virBufferAsprintf(&xml, " <cap
name='%s'/>\n", name);
+ }
+ }
+ virBufferAddLit(&xml, " </process>\n");
+ }
+
virBufferAddLit(&xml, " </host>\n\n");
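Review bot: The `virBufferAsprintf` call in this hunk has its string literal split across two lines (`" <cap` / `name='%s'/>\n"`), which does not compile as written; this is presumably mail wrapping of the patch, but the applied patch must carry the literal on one line. Separately, the loop prints only indices below `VIR_PROCESS_CAPABILITY_LAST`, so any bit the initialiser sets above that is silently dropped; a comment such as `/* bits >= VIR_PROCESS_CAPABILITY_LAST have no name and are not reported */` would make that explicit. The enclosing `virCapabilitiesFormatXML` starts and ends outside the hunk.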
Index: libvirt/docs/schemas/capability.rng
===================================================================
--- libvirt.orig/docs/schemas/capability.rng
+++ libvirt/docs/schemas/capability.rng
@@ -46,6 +46,56 @@
<optional>
<ref name='secmodel'/>
</optional>
+ <optional>
+ <ref name='process'/>
+ </optional>
+ </element>
+ </define>
+
+ <define name='process'>
+ <element name='process'>
+ <zeroOrMore>
+ <element name='cap'>
+ <attribute name='name'>
+ <choice>
+ <value>chown</value>
+ <value>dac_override</value>
+ <value>dac_read_search</value>
+ <value>fowner</value>
+ <value>fsetid</value>
+ <value>kill</value>
+ <value>setgid</value>
+ <value>setuid</value>
+ <value>setpcap</value>
+ <value>linux_immutable</value>
+ <value>net_bind_service</value>
+ <value>net_broadcast</value>
+ <value>net_admin</value>
+ <value>net_raw</value>
+ <value>ipc_lock</value>
+ <value>ipc_owner</value>
+ <value>sys_module</value>
+ <value>sys_rawio</value>
+ <value>sys_chroot</value>
+ <value>sys_ptrace</value>
+ <value>sys_pacct</value>
+ <value>sys_admin</value>
+ <value>sys_boot</value>
+ <value>sys_nice</value>
+ <value>sys_resource</value>
+ <value>sys_time</value>
+ <value>sys_tty_config</value>
+ <value>mknod</value>
+ <value>lease</value>
+ <value>audit_write</value>
+ <value>audit_control</value>
+ <value>setfcap</value>
+ <value>mac_override</value>
+ <value>mac_admin</value>
+ </choice>
+ </attribute>
+ </element>
+ </zeroOrMore>
</element>
</define>
Index: libvirt/include/libvirt/libvirt.h.in
===================================================================
--- libvirt.orig/include/libvirt/libvirt.h.in
+++ libvirt/include/libvirt/libvirt.h.in
@@ -3606,6 +3606,51 @@ int virConnectSetKeepAlive(virConnectPtr
int interval,
unsigned int count);
+
+/*
+ * virProcessCapabilityType
+ *
+ * A process capability Type
+ */
+typedef enum {
+ VIR_PROCESS_CAPABILITY_CHOWN,
+ VIR_PROCESS_CAPABILITY_DAC_OVERRIDE,
+ VIR_PROCESS_CAPABILITY_DAC_READ_SEARCH,
+ VIR_PROCESS_CAPABILITY_FOWNER,
+ VIR_PROCESS_CAPABILITY_FSETID,
+ VIR_PROCESS_CAPABILITY_KILL,
+ VIR_PROCESS_CAPABILITY_SETGID,
+ VIR_PROCESS_CAPABILITY_SETUID,
+ VIR_PROCESS_CAPABILITY_SETPCAP,
+ VIR_PROCESS_CAPABILITY_LINUX_IMMUTABLE,
+ VIR_PROCESS_CAPABILITY_NET_BIND_SERVICE,
+ VIR_PROCESS_CAPABILITY_NET_BROADCAST,
+ VIR_PROCESS_CAPABILITY_NET_ADMIN,
+ VIR_PROCESS_CAPABILITY_NET_RAW,
+ VIR_PROCESS_CAPABILITY_IPC_LOCK,
+ VIR_PROCESS_CAPABILITY_IPC_OWNER,
+ VIR_PROCESS_CAPABILITY_SYS_MODULE,
+ VIR_PROCESS_CAPABILITY_SYS_RAWIO,
+ VIR_PROCESS_CAPABILITY_SYS_CHROOT,
+ VIR_PROCESS_CAPABILITY_SYS_PTRACE,
+ VIR_PROCESS_CAPABILITY_SYS_PACCT,
+ VIR_PROCESS_CAPABILITY_SYS_ADMIN,
+ VIR_PROCESS_CAPABILITY_SYS_BOOT,
+ VIR_PROCESS_CAPABILITY_SYS_NICE,
+ VIR_PROCESS_CAPABILITY_SYS_RESOURCE,
+ VIR_PROCESS_CAPABILITY_SYS_TIME,
+ VIR_PROCESS_CAPABILITY_SYS_TTY_CONFIG,
+ VIR_PROCESS_CAPABILITY_MKNOD,
+ VIR_PROCESS_CAPABILITY_LEASE,
+ VIR_PROCESS_CAPABILITY_AUDIT_WRITE,
+ VIR_PROCESS_CAPABILITY_AUDIT_CONTROL,
+ VIR_PROCESS_CAPABILITY_SETFCAP,
+ VIR_PROCESS_CAPABILITY_MAC_OVERRIDE,
+ VIR_PROCESS_CAPABILITY_MAC_ADMIN,
+
+ VIR_PROCESS_CAPABILITY_LAST
+} virProcessCapabilityType;
+
#ifdef __cplusplus
}
#endif
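Review bot: The enum's numeric values double as bit positions in `virCapsHost.processCaps` and are assumed to follow the kernel's CAP_* numbering (the initialiser in capabilities.c masks by `CAP_LAST_CAP`), but the header comment `A process capability Type` says nothing about this, so a future contributor could insert an entry in the middle and silently relabel every capability after it. Replace the comment with one stating that the enumerators are in kernel CAP_* order, that the value is used as a bit index into the host capability mask, and that new entries must be appended immediately before `VIR_PROCESS_CAPABILITY_LAST` in the kernel's order. Since no public API in this patch consumes the type, it could also live in src/conf until one does; that is a judgement call for the maintainers.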
Index: libvirt/docs/formatcaps.html.in
===================================================================
--- libvirt.orig/docs/formatcaps.html.in
+++ libvirt/docs/formatcaps.html.in
@@ -33,6 +33,42 @@ BIOS you will see</p>
<suspend_disk/>
<suspend_hybrid/>
<power_management/>
+ <process>
+ <cap name="chown">
+ <cap name="dac_override">
+ <cap name="dac_read_search">
+ <cap name="fowner">
+ <cap name="fsetid">
+ <cap name="kill">
+ <cap name="setgid">
+ <cap name="setuid">
+ <cap name="setpcap">
+ <cap name="linux_immutable">
+ <cap name="net_bind_service">
+ <cap name="net_broadcast">
+ <cap name="net_admin">
+ <cap name="net_raw">
+ <cap name="ipc_lock">
+ <cap name="ipc_owner">
+ <cap name="sys_module">
+ <cap name="sys_rawio">
+ <cap name="sys_chroot">
+ <cap name="sys_ptrace">
+ <cap name="sys_pacct">
+ <cap name="sys_admin">
+ <cap name="sys_boot">
+ <cap name="sys_nice">
+ <cap name="sys_resource">
+ <cap name="sys_time">
+ <cap name="sys_tty_config">
+ <cap name="mknod">
+ <cap name="lease">
+ <cap name="audit_write">
+ <cap name="audit_control">
+ <cap name="setfcap">
+ <cap name="mac_override">
+ <cap name="mac_admin">
+ </process>
</host></span>
<!-- xen-3.0-x86_64 -->