conf: add new capabilities CAP_{BLOCK_SUSPEND,PERFMON,BPF,CAP_CHECKPOINT_RESTORE}
authorChristian Brauner <christian.brauner@ubuntu.com>
Mon, 4 Jan 2021 09:53:19 +0000 (10:53 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Mon, 4 Jan 2021 09:58:11 +0000 (10:58 +0100)
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/conf.c
src/lxc/macro.h

index bc0d01463c82bee0f29a0a71505679ec1045b486..30870aa5b34847015534a834134c5006418844f5 100644 (file)
@@ -181,44 +181,47 @@ static struct mount_opt propagation_opt[] = {
 
 static struct caps_opt caps_opt[] = {
 #if HAVE_LIBCAP
-       { "chown",            CAP_CHOWN            },
-       { "dac_override",     CAP_DAC_OVERRIDE     },
-       { "dac_read_search",  CAP_DAC_READ_SEARCH  },
-       { "fowner",           CAP_FOWNER           },
-       { "fsetid",           CAP_FSETID           },
-       { "kill",             CAP_KILL             },
-       { "setgid",           CAP_SETGID           },
-       { "setuid",           CAP_SETUID           },
-       { "setpcap",          CAP_SETPCAP          },
-       { "linux_immutable",  CAP_LINUX_IMMUTABLE  },
-       { "net_bind_service", CAP_NET_BIND_SERVICE },
-       { "net_broadcast",    CAP_NET_BROADCAST    },
-       { "net_admin",        CAP_NET_ADMIN        },
-       { "net_raw",          CAP_NET_RAW          },
-       { "ipc_lock",         CAP_IPC_LOCK         },
-       { "ipc_owner",        CAP_IPC_OWNER        },
-       { "sys_module",       CAP_SYS_MODULE       },
-       { "sys_rawio",        CAP_SYS_RAWIO        },
-       { "sys_chroot",       CAP_SYS_CHROOT       },
-       { "sys_ptrace",       CAP_SYS_PTRACE       },
-       { "sys_pacct",        CAP_SYS_PACCT        },
-       { "sys_admin",        CAP_SYS_ADMIN        },
-       { "sys_boot",         CAP_SYS_BOOT         },
-       { "sys_nice",         CAP_SYS_NICE         },
-       { "sys_resource",     CAP_SYS_RESOURCE     },
-       { "sys_time",         CAP_SYS_TIME         },
-       { "sys_tty_config",   CAP_SYS_TTY_CONFIG   },
-       { "mknod",            CAP_MKNOD            },
-       { "lease",            CAP_LEASE            },
-       { "audit_read",       CAP_AUDIT_READ       },
-       { "audit_write",      CAP_AUDIT_WRITE      },
-       { "audit_control",    CAP_AUDIT_CONTROL    },
-       { "setfcap",          CAP_SETFCAP          },
-       { "mac_override",     CAP_MAC_OVERRIDE     },
-       { "mac_admin",        CAP_MAC_ADMIN        },
-       { "syslog",           CAP_SYSLOG           },
-       { "wake_alarm",       CAP_WAKE_ALARM       },
-       { "block_suspend",    CAP_BLOCK_SUSPEND    },
+       { "chown",              CAP_CHOWN              },
+       { "dac_override",       CAP_DAC_OVERRIDE       },
+       { "dac_read_search",    CAP_DAC_READ_SEARCH    },
+       { "fowner",             CAP_FOWNER             },
+       { "fsetid",             CAP_FSETID             },
+       { "kill",               CAP_KILL               },
+       { "setgid",             CAP_SETGID             },
+       { "setuid",             CAP_SETUID             },
+       { "setpcap",            CAP_SETPCAP            },
+       { "linux_immutable",    CAP_LINUX_IMMUTABLE    },
+       { "net_bind_service",   CAP_NET_BIND_SERVICE   },
+       { "net_broadcast",      CAP_NET_BROADCAST      },
+       { "net_admin",          CAP_NET_ADMIN          },
+       { "net_raw",            CAP_NET_RAW            },
+       { "ipc_lock",           CAP_IPC_LOCK           },
+       { "ipc_owner",          CAP_IPC_OWNER          },
+       { "sys_module",         CAP_SYS_MODULE         },
+       { "sys_rawio",          CAP_SYS_RAWIO          },
+       { "sys_chroot",         CAP_SYS_CHROOT         },
+       { "sys_ptrace",         CAP_SYS_PTRACE         },
+       { "sys_pacct",          CAP_SYS_PACCT          },
+       { "sys_admin",          CAP_SYS_ADMIN          },
+       { "sys_boot",           CAP_SYS_BOOT           },
+       { "sys_nice",           CAP_SYS_NICE           },
+       { "sys_resource",       CAP_SYS_RESOURCE       },
+       { "sys_time",           CAP_SYS_TIME           },
+       { "sys_tty_config",     CAP_SYS_TTY_CONFIG     },
+       { "mknod",              CAP_MKNOD              },
+       { "lease",              CAP_LEASE              },
+       { "audit_write",        CAP_AUDIT_WRITE        },
+       { "audit_control",      CAP_AUDIT_CONTROL      },
+       { "setfcap",            CAP_SETFCAP            },
+       { "mac_override",       CAP_MAC_OVERRIDE       },
+       { "mac_admin",          CAP_MAC_ADMIN          },
+       { "syslog",             CAP_SYSLOG             },
+       { "wake_alarm",         CAP_WAKE_ALARM         },
+       { "block_suspend",      CAP_BLOCK_SUSPEND      },
+       { "audit_read",         CAP_AUDIT_READ         },
+       { "perfmon",            CAP_PERFMON            },
+       { "bpf",                CAP_BPF                },
+       { "checkpoint_restore", CAP_CHECKPOINT_RESTORE },
 #endif
 };
 
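Review bot: The three new entries at the end of `caps_opt` resolve at build time even against old headers, because macro.h now supplies fallback values 38–40, so a config naming `perfmon`, `bpf` or `checkpoint_restore` will parse on a kernel that predates them (they were split out of CAP_SYS_ADMIN in Linux 5.8 and 5.9). The code that consumes this table is outside the hunk, so it is worth confirming that it compares the looked-up value with the running kernel's last capability before dropping or keeping it, rather than failing container start or silently skipping the entry. I would also add a comment above the table, e.g. `/* Sorted by capability number; entries newer than the build headers need a fallback in macro.h. */`, since the move of `audit_read` to follow `block_suspend` is only explained by that ordering. Operators relying on `lxc.cap.drop = sys_admin` should note that on newer kernels these three are separate bits and have to be listed explicitly to be dropped.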
index 4882b1781ec9b7562ca5ba0ef192473138004465..24d80fe16e833c4e6188b788197527455d3bed72 100644 (file)
 #define CAP_AUDIT_READ 37
 #endif
 
+#ifndef CAP_PERFMON
+#define CAP_PERFMON 38
+#endif
+
+#ifndef CAP_BPF
+#define CAP_BPF 39
+#endif
+
+#ifndef CAP_CHECKPOINT_RESTORE
+#define CAP_CHECKPOINT_RESTORE 40
+#endif
+
 /* prctl */
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23