From 51201235db9dad9fe1823d9de46ed90f5e160fd0 Mon Sep 17 00:00:00 2001
From: Etienne CHAMPETIER <champetier.etienne@gmail.com>
Date: Wed, 26 Aug 2015 23:26:45 +0000
Subject: jail: add capabilities support

If there is one or more capabilities in cap.keep,
drop all capabilities not in cap.keep.
Always drop all capabalities in cap.drop

exemple json syntax:
{
"cap.keep": [
        "cap_net_raw"
],
"cap.drop": []
}

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
---
 make_capabilities_h.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100755 make_capabilities_h.sh

(limited to 'make_capabilities_h.sh')

diff --git a/make_capabilities_h.sh b/make_capabilities_h.sh
new file mode 100755
index 0000000..635e740
--- /dev/null
+++ b/make_capabilities_h.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+CC=$1
+[ -n "$TARGET_CC_NOCACHE" ] && CC=$TARGET_CC_NOCACHE
+
+echo "#include <linux/capability.h>"
+echo "static const char *capabilities_names[] = {"
+echo "#include <linux/capability.h>" | ${CC} -E -dM - | grep '#define CAP' | grep -vE '(CAP_TO|CAP_LAST_CAP)' | \
+	awk '{print $3" "$2}' | sort -n | awk '{print "   ["$1"]\t= \""tolower($2)"\","}'
+echo "};"
-- 
cgit v1.2.3