From 55cb777000f8d2ef00c64d807bf1bc88bc2f8ff9 Mon Sep 17 00:00:00 2001
From: Long Liu
Date: Thu, 14 Feb 2019 14:38:29 +0800
Subject: [PATCH] ACRN: dm: Add new capabilities for runC container
The patch adds more Linux capabilities for runC container. In ACRN runC we will map native root directory to the container, when we launch UOS from container it need more Linux capabilities to operate dev node. So add the capabilities in runC configuration file.
Tracked-On: #2020
Signed-off-by: Long Liu
Reviewed-by: Yu Wang
---
 devicemodel/samples/apl-mrb/runC.json | 185 +++++++++++++++++++++++++-
 1 file changed, 180 insertions(+), 5 deletions(-)
diff --git a/devicemodel/samples/apl-mrb/runC.json b/devicemodel/samples/apl-mrb/runC.json
index 75fd19434..5bb53270b 100644
--- a/devicemodel/samples/apl-mrb/runC.json
+++ b/devicemodel/samples/apl-mrb/runC.json
@@ -16,35 +16,210 @@
 "cwd": "/",
 "capabilities": {
 "bounding": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "effective": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "inheritable": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "permitted": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ],
 "ambient": [
+ "CAP_AUDIT_WRITE",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
 "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
 "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
 "CAP_WAKE_ALARM",
- "CAP_SYS_MODULE"
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
 ]
 }
 },