jail: capabilities: apply in two phases

[project/procd.git] / jail / capabilities.h

diff --git a/jail/capabilities.h b/jail/capabilities.h
index cc5f54d4fdc88058a1dbbb9e427f6909c13152e2..d8c6b8d60b56e5285b54df2c45a2de9f9e87d1d9 100644 (file)
--- a/jail/capabilities.h
+++ b/jail/capabilities.h
@@ -14,6 +14,7 @@
 #define _JAIL_CAPABILITIES_H_
 
 #include <libubox/blobmsg.h>
+#include <linux/capability.h>
 
 struct jail_capset {
        uint64_t bounding;
@@ -24,9 +25,12 @@ struct jail_capset {
        uint8_t apply;
 };
 
-int drop_capabilities(const char *file);
-
 int parseOCIcapabilities(struct jail_capset *capset, struct blob_attr *msg);
-int applyOCIcapabilities(struct jail_capset capset);
+int parseOCIcapabilities_from_file(struct jail_capset *capset, const char *file);
+int applyOCIcapabilities(struct jail_capset capset, uint64_t retain);
+
+/* capget/capset syscall wrappers are provided by libc */
+extern int capget(cap_user_header_t header, cap_user_data_t data);
+extern int capset(cap_user_header_t header, const cap_user_data_t data);
 
 #endif