diff options
-rw-r--r-- | man/systemd.nspawn.xml | 3 | ||||
-rw-r--r-- | src/nspawn/nspawn-settings.c | 16 |
2 files changed, 12 insertions, 7 deletions
diff --git a/man/systemd.nspawn.xml b/man/systemd.nspawn.xml index 8f5590c73a..11df4623b4 100644 --- a/man/systemd.nspawn.xml +++ b/man/systemd.nspawn.xml @@ -189,7 +189,8 @@ <filename>/etc/systemd/nspawn/</filename> and <filename>/run/system/nspawn/</filename> (see above). On the other hand, <varname>DropCapability=</varname> takes effect in - all cases.</para></listitem> + all cases. If the special value <literal>all</literal> is passed, all + capabilities are retained (or dropped).</para></listitem> </varlistentry> <varlistentry> diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c index 3a99736813..5fb5b49bbc 100644 --- a/src/nspawn/nspawn-settings.c +++ b/src/nspawn/nspawn-settings.c @@ -275,13 +275,17 @@ int config_parse_capability( if (r == 0) break; - r = capability_from_name(word); - if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word); - continue; - } + if (streq(word, "all")) + u = (uint64_t) -1; + else { + r = capability_from_name(word); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word); + continue; + } - u |= UINT64_C(1) << r; + u |= UINT64_C(1) << r; + } } if (u == 0) |