Add setpcap capabilty to be able to drop the sys_boot capabilty.

From: Daniel Lezcano <dlezcano@fr.ibm.com>

Previously, we dropped the CAP_SYS_BOOT capabilty. Unfortunatly if we are
non root user, we are not able to do that. So I had the CAP_SETPCAP to
lxc-execute and lxc-start command line to remove this capabilty.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

lxc.spec.in

@@ -123,7 +123,10 @@ if [ $RES != 0 ]; then
     echo -e "\t* and reinstall the lxc package                    *"
     echo -e "\t****************************************************"
 else
-setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute && setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start && setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-restart
+setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute && \
+setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start && \
+setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-restart && \
+setcap cap_sys_admin=ep %{_bindir}/lxc-init 
 fi
 
 

src/lxc/Makefile.am

@@ -116,9 +116,10 @@ lxc_version_LDADD = liblxc.la
 
 install-exec-local:
 	-@export PATH=$$PATH:/sbin:/usr/sbin && \
-	 setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute && \
-	setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \
+	 setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute && \
+	setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \
 	setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-restart && \
+	setcap cap_sys_admin=ep $(bindir)/lxc-init && \
 	mkdir -p $(prefix)/var/lxc && \
 	chmod ugo+rw $(prefix)/var/lxc || \
 	(echo && echo && \