X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=setns.c;h=aa907b03a323f460af10e1df74a66a17d5d7b0c9;hb=c2b9fa70310e6fd5e55f70d69868254ee1881c9c;hp=36aa360bbb803efb6010559cfe710043684f5d06;hpb=91f7d4ab476dc6fb2fa5cfeb9a20c6484cc24700;p=lxc-userspace.git
diff --git a/setns.c b/setns.c
index 36aa360..aa907b0 100644
--- a/setns.c
+++ b/setns.c
@@ -4,6 +4,22 @@
 #include
 #include
 #include
+#include
+#include
+
+static PyObject *
+drop_caps(PyObject *self, PyObject *args)
+{
+ unsigned int to_drop[128] = {CAP_NET_ADMIN,CAP_SYS_ADMIN,CAP_SYS_BOOT,CAP_MKNOD,CAP_MAC_ADMIN,CAP_SYS_MODULE};
+ unsigned int i;
+ for (i = 0;i<6;i++) {
+ if (prctl(PR_CAPBSET_DROP, to_drop[i], 0, 0, 0) == -1) {
+ perror("prctl");
+ return Py_BuildValue("i", 2);
+ }
+ }
+ return Py_BuildValue("i", 0);
+}
 
 static PyObject *
 proc_mount(PyObject *self, PyObject *args)
@@ -78,6 +94,7 @@ static PyMethodDef SetnsMethods[] =
 {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
 {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
 {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
+ {"drop_caps", drop_caps, METH_VARARGS, "Drop dangerous capabilities."},
 {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
 {NULL, NULL, 0, NULL}
 };
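Review bot: drop_caps only shrinks the capability bounding set — PR_CAPBSET_DROP does not remove CAP_SYS_ADMIN and the others from the calling process's own permitted/effective sets, so the Python caller keeps them until it exec()s; the "Drop dangerous capabilities." docstring in the second hunk and a header comment on the function should say so, and if the intent is to lose them in-process a capset()/libcap call is needed in addition. The 128-element array and the hard-coded `i<6` bound are two independent copies of the list length; `static const unsigned int to_drop[] = {CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_MKNOD, CAP_MAC_ADMIN, CAP_SYS_MODULE};` with `for (i = 0; i < sizeof to_drop / sizeof to_drop[0]; i++) {` keeps them in step. On failure the function prints errno to stderr and returns 2, which loses the reason (PR_CAPBSET_DROP fails with EPERM when the caller lacks CAP_SETPCAP) and, because earlier entries were already dropped, leaves the process half-way through the list; if callers can take an exception, `return PyErr_SetFromErrno(PyExc_OSError);` surfaces errno to Python instead.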