authorEtienne CHAMPETIER <champetier.etienne@gmail.com>2015-08-27 01:26:45 +0200
committerJohn Crispin <blogic@openwrt.org>2015-10-07 11:07:54 +0200
commit51201235db9dad9fe1823d9de46ed90f5e160fd0 (patch)
tree6abff11a7f8ffd602756ce3802ddafdab48bdc9e /CMakeLists.txt
parentfafbf7338ec8304f2a0ec0ba76048fba2c01c07e (diff)
jail: add capabilities support
If there is one or more capabilities in cap.keep, drop all capabilities not in cap.keep. Always drop all capabilities in cap.drop. Example json syntax: { "cap.keep": [ "cap_net_raw" ], "cap.drop": [] } Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Diffstat (limited to 'CMakeLists.txt')
-rw-r--r--CMakeLists.txt18
1 files changed, 13 insertions, 5 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 805e2ed..cc1e4a5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -67,7 +67,14 @@ ADD_CUSTOM_COMMAND(
COMMAND ./make_syscall_h.sh ${CMAKE_C_COMPILER} > ./syscall-names.h
DEPENDS ./make_syscall_h.sh
)
-ADD_CUSTOM_TARGET(headers DEPENDS syscall-names.h)
+ADD_CUSTOM_TARGET(syscall-names-h DEPENDS syscall-names.h)
+
+ADD_CUSTOM_COMMAND(
+ OUTPUT capabilities-names.h
+ COMMAND ./make_capabilities_h.sh ${CMAKE_C_COMPILER} > ./capabilities-names.h
+ DEPENDS ./make_capabilities_h.sh
+)
+ADD_CUSTOM_TARGET(capabilities-names-h DEPENDS capabilities-names.h)
IF(SECCOMP_SUPPORT)
ADD_LIBRARY(preload-seccomp SHARED jail/preload.c jail/seccomp.c)
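Review bot: The new rule for capabilities-names.h uses paths relative to the working directory (`./make_capabilities_h.sh`, `> ./capabilities-names.h`), so the script is likely only found when the build directory is the source tree; the syscall-names.h rule above it, whose start is outside the hunk, has the same limitation. Anchoring both ends would let it work out of tree: `COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/make_capabilities_h.sh ${CMAKE_C_COMPILER} > ${CMAKE_CURRENT_BINARY_DIR}/capabilities-names.h` with `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/make_capabilities_h.sh`. Because the header is produced by shell redirection, a script that fails part-way may leave an empty or partial file behind. This table presumably defines which names cap.keep and cap.drop can resolve, so the script should exit non-zero on any error and the build should not accept an empty table.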
@@ -75,15 +82,16 @@ TARGET_LINK_LIBRARIES(preload-seccomp dl ubox blobmsg_json)
INSTALL(TARGETS preload-seccomp
LIBRARY DESTINATION lib
)
-ADD_DEPENDENCIES(preload-seccomp headers)
+ADD_DEPENDENCIES(preload-seccomp syscall-names-h)
endif()
IF(JAIL_SUPPORT)
-ADD_EXECUTABLE(ujail jail/jail.c jail/elf.c)
-TARGET_LINK_LIBRARIES(ujail ubox)
+ADD_EXECUTABLE(ujail jail/jail.c jail/elf.c jail/capabilities.c)
+TARGET_LINK_LIBRARIES(ujail ubox blobmsg_json)
INSTALL(TARGETS ujail
RUNTIME DESTINATION sbin
)
+ADD_DEPENDENCIES(ujail capabilities-names-h)
endif()
IF(UTRACE_SUPPORT)
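Review bot: The JAIL_SUPPORT block now links `blobmsg_json` into ujail with no note on why the jail launcher needs a JSON parser; a comment above the link line such as `# blobmsg_json: parses the cap.keep/cap.drop JSON file` would record it. Presumably the parsing lives in the newly added jail/capabilities.c and runs before capabilities are dropped, which is worth stating for a binary installed to sbin. The link line could also carry an explicit keyword, `TARGET_LINK_LIBRARIES(ujail PRIVATE ubox blobmsg_json)`, so the dependency is not propagated under the legacy keyword-less semantics.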
@@ -92,7 +100,7 @@ TARGET_LINK_LIBRARIES(utrace ubox ${json} blobmsg_json)
INSTALL(TARGETS utrace
RUNTIME DESTINATION sbin
)
-ADD_DEPENDENCIES(utrace headers)
+ADD_DEPENDENCIES(utrace syscall-names-h)
ADD_LIBRARY(preload-trace SHARED trace/preload.c)
TARGET_LINK_LIBRARIES(preload-trace dl)