Capability can now be controled by value

Moe-hacker · Sep 8, 2024 · 448efa3 · 448efa3
1 parent f8c5c49
commit 448efa3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/FAQ.md b/FAQ.md
@@ -1,5 +1,9 @@
 # About container environment:      
 For safety, ruri container is like default docker container, it will mask some directory in /sys and /proc, drop unneed capabilities, and you are not able to run command like mknod or mount by default.      
+# About capability:      
+ruri will set capability to the same as docker common container by default, you can use `-k [cap]` or `-d [cap]` to change the capability settings.      
+For example, use `-d cap_sys_admin` to drop CAP_SYS_ADMIN.      
+In fulture, maybe new caps will be added to the kernel, and their name might cannot be recognized if you are using old builds. You can use the value of cap (use `capsh  --explain=[cap]` to get the value) to drop it, for example, use `-d 114` to drop the cap 114 (I don't know what the cap should be, mabe can make superuser to be a homo).
 # About config:
 Since v3.0, ruri can use [k2v](https://github.com/Moe-hacker/libk2v), a new simple config format, to store the config of a container.          
 # About rurienv:

diff --git a/src/main.c b/src/main.c
@@ -338,7 +338,9 @@ static void parse_args(int argc, char **argv, struct CONTAINER *container)
 		else if (strcmp(argv[index], "-k") == 0 || strcmp(argv[index], "--keep") == 0) {
 			index++;
 			if (argv[index] != NULL) {
-				if (cap_from_name(argv[index], &cap) == 0) {
+				if (atoi(argv[index]) != 0) {
+					add_to_caplist(keep_caplist_extra, atoi(argv[index]));
+				} else if (cap_from_name(argv[index], &cap) == 0) {
 					add_to_caplist(keep_caplist_extra, cap);
 				} else {
 					error("{red}or: unknown capability `%s`\nQwQ{clear}\n", argv[index]);
@@ -351,7 +353,9 @@ static void parse_args(int argc, char **argv, struct CONTAINER *container)
 		else if (strcmp(argv[index], "-d") == 0 || strcmp(argv[index], "--drop") == 0) {
 			index++;
 			if (argv[index] != NULL) {
-				if (cap_from_name(argv[index], &cap) == 0) {
+				if (atoi(argv[index]) != 0) {
+					add_to_caplist(drop_caplist_extra, atoi(argv[index]));
+				} else if (cap_from_name(argv[index], &cap) == 0) {
 					add_to_caplist(drop_caplist_extra, cap);
 				} else {
 					error("{red}Error: unknown capability `%s`\nQwQ{clear}\n", argv[index]);