From 0780e343896f3d8300e0b4adf3bcd65d1b679f48 Mon Sep 17 00:00:00 2001
From: dlezcano
Date: Thu, 13 Nov 2008 16:53:23 +0000
Subject: [PATCH] Add setpcap capabilty to be able to drop the sys_boot capabilty.

From: Daniel Lezcano

Previously, we dropped the CAP_SYS_BOOT capabilty. Unfortunatly if we are non root user, we are not able to do that. So I had the CAP_SETPCAP to lxc-execute and lxc-start command line to remove this capabilty.

Signed-off-by: Daniel Lezcano
---
 lxc.spec.in | 5 ++++-
 src/lxc/Makefile.am | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/lxc.spec.in b/lxc.spec.in
index 49cce65af..96dfcfba9 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -123,7 +123,10 @@ if [ $RES != 0 ]; then
 echo -e "\t* and reinstall the lxc package *"
 echo -e "\t****************************************************"
 else
-setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute && setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start && setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-restart
+setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute && \
+setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start && \
+setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-restart && \
+setcap cap_sys_admin=ep %{_bindir}/lxc-init
 fi
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index e965db45a..c099c250c 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
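Review bot: The last added line of the lxc.spec.in hunk grants `cap_sys_admin=ep` to `%{_bindir}/lxc-init`, which the commit message does not mention; it only describes adding `cap_setpcap` to lxc-execute and lxc-start. File capabilities set with `=ep` apply to every local user who is allowed to execute these binaries, so the scriptlet should state why each capability is needed and the package should limit who may run the tools. I would add a comment above the chain such as `# cap_setpcap: needed only to drop CAP_SYS_BOOT as non-root; the tool must clear it before running the container command`, plus a matching line explaining the lxc-init grant. lxc-restart is left without `cap_setpcap`; if it starts containers through the same path it presumably cannot drop CAP_SYS_BOOT as a non-root user either, which is worth confirming.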
@@ -116,9 +116,10 @@ lxc_version_LDADD = liblxc.la
 install-exec-local:
 -@export PATH=$$PATH:/sbin:/usr/sbin && \
- setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute && \
- setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \
+ setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute && \
+ setcap cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \
 setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-restart && \
+ setcap cap_sys_admin=ep $(bindir)/lxc-init && \
 mkdir -p $(prefix)/var/lxc && \
 chmod ugo+rw $(prefix)/var/lxc || \
 (echo && echo && \
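Review bot: The added `setcap cap_sys_admin=ep $(bindir)/lxc-init && \` line, like the two rewritten setcap lines, targets `$(bindir)` without `$(DESTDIR)`, so a staged install (`make install DESTDIR=...`) either fails here or sets capabilities on whatever is already installed at that path on the build host. The recipe starts with `-@`, so errors are ignored, and the new line sits in the `&&` chain ahead of `mkdir`/`chmod`: a failure on lxc-init skips creating `$(prefix)/var/lxc` while lxc-execute and lxc-start already carry their new capabilities. I would write the target as `$(DESTDIR)$(bindir)/lxc-init` (likewise for the other binaries) and consider running the setcap steps only when DESTDIR is empty, leaving packaged installs to the spec scriptlet. The recipe continues past the end of the hunk, so what the fallback after `||` does is not visible here.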