commit 9ca670744b963cf990271e4906b4de654ec046d6
parent 9ab2ba9514003ea3a70ca8d389b353ffb3f376f7
Author: ccx <ccx@te2000.cz>
Date: Sun, 19 May 2024 21:22:42 +0000
Make Linux ambient capability set configurable.
Add CAP_NET_ADMIN to network daemons containers.
Diffstat:
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -5,6 +5,7 @@ s6-envdir env
multisubstitute {
importas -i -u CONTAINER_NAME CONTAINER_NAME
importas -i -u CONTAINER_USER CONTAINER_USER
+ importas -D "" -u CONTAINER_CAPS CONTAINER_CAPS
}
backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
backtick -D "true" PREPARE_CHROOT { if { test -x data/prepare_chroot } realpath data/prepare_chroot }
@@ -65,7 +66,7 @@ ns_run_unshared data/root {
}
# This runs with changed / so use absolute paths before dropping privs
-/mnt/ns/bin/applyuidgid-caps -U ""
+/mnt/ns/bin/applyuidgid-caps -U $CONTAINER_CAPS
/mnt/ns/bin/busybox env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
/mnt/ns/bin/foreground {
cat /proc/self/mountinfo
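Review bot: Nothing near the `applyuidgid-caps -U $CONTAINER_CAPS` line says what format the value must have, and the only example in this commit (`^CAP_NET_ADMIN` from the site config) only makes sense if applyuidgid-caps accepts libcap IAB text, where a `^` prefix means the capability is raised in the ambient set (and therefore inheritable) — I cannot confirm that from the hunk. A one-line comment above the call would spare the next reader that inference: `# CONTAINER_CAPS: capability text for applyuidgid-caps (e.g. ^CAP_NET_ADMIN = ambient+inheritable); empty presumably drops everything, as the old -U "" did`. Since the importas in the first hunk has no -s, the value is passed as a single argument, so a spec naming several capabilities is not word-split, and -u keeps CONTAINER_CAPS out of the environment the container itself sees. The enclosing ns_run_unshared block begins before this hunk.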
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -436,6 +436,12 @@ confz_container_service_ephemeral_check() {
content=$container
require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
content="$mnt_dirs"
+ if (($+vars[linux_caps])); then
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
+ content=$vars[linux_caps]
+ else
+ require fs_r filename=$svc_dir/env/CONTAINER_CAPS
+ fi
}
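Review bot: When `linux_caps` is not set, the else branch only requires `$svc_dir/env/CONTAINER_CAPS` to be readable (judging from the `fs_r` name), so a CONTAINER_CAPS file left over from an earlier configuration that did set caps is accepted as-is and keeps granting those capabilities after the setting has been removed. If the intent is that "no setting" means "no ambient caps", the check should pin the content rather than just the existence of the file, e.g. `require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS content=""` (assuming fs_contentnl accepts empty content; an empty env file makes s6-envdir unset the variable, which the `importas -D ""` default already covers). The same six lines are repeated verbatim in confz_container_service_generic_check in the next hunk; a small helper such as `confz_container_caps_check` called from both would keep the two places from drifting. confz_container_service_ephemeral_check starts before this hunk.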
confz_container_service_generic_check() {
@@ -531,6 +537,12 @@ confz_container_service_generic_check() {
content=$container
require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
content="$mnt_dirs"
+ if (($+vars[linux_caps])); then
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
+ content=$vars[linux_caps]
+ else
+ require fs_r filename=$svc_dir/env/CONTAINER_CAPS
+ fi
}
confz_container_service_alsa_check() {
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -66,7 +66,7 @@ confz_site_containers_usersvc_simple_check() {
require container_service_$vars[container_type] \
:image_name :container_name :containers_dir :svscan_dir :user \
- \?mnt_dirs_extra \?fstab_extra \?prepare_chroot \
+ \?mnt_dirs_extra \?fstab_extra \?prepare_chroot \?linux_caps \
pid1_el=${(F)pid1_el_lines}
#local chome=$userdir/$vars[container_name]/home/$vars[user]
@@ -246,6 +246,7 @@ confz_site_container_services_check() {
local name
for name in wpa_supplicant dhcpcd unbound tinc; do
require site_containers_user_single :containers_dir :svscan_dir \
+ linux_caps='^CAP_NET_ADMIN'
user=$name container_name=$name image_name=alpine-$name
done
}
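Review bot: The added `linux_caps='^CAP_NET_ADMIN'` applies to every name in the loop on the line above, including unbound, which as a resolver normally needs CAP_NET_BIND_SERVICE for port 53 rather than CAP_NET_ADMIN; wpa_supplicant, dhcpcd and tinc plausibly do need it for interface, address and route changes. Unless unbound is used here for something beyond resolving, it would be better to keep it out of the NET_ADMIN grant: `for name in wpa_supplicant dhcpcd tinc; do` for the capable set, and a separate `require site_containers_user_single :containers_dir :svscan_dir user=unbound container_name=unbound image_name=alpine-unbound` without linux_caps. The description could also state why each of the four daemons needs the capability, so a later addition to this loop does not silently inherit it. confz_site_container_services_check starts before this hunk.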