From 40bb25ecfda607f2a42659843a99c2c1447e31a3 Mon Sep 17 00:00:00 2001
From: LiFeng
Date: Tue, 15 Jan 2019 05:39:39 -0500
Subject: [PATCH 032/131] Drop all caps when cap.keep=ISULAD_KEEP_NONE

Signed-off-by: LiFeng
---
 src/lxc/conf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 88763ee2..54b967b4 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2805,6 +2805,15 @@ static int dropcaps_except(struct lxc_list *caps)
 lxc_list_for_each (iterator, caps) {
 keep_entry = iterator->elem;
 
+ /* isulad: Do not keep any cap*/
+ if (strcmp(keep_entry, "ISULAD_KEEP_NONE") == 0) {
+ DEBUG("Do not keep any capability");
+ for(i = 0; i < numcaps; i++) {
+ caplist[i] = 0;
+ }
+ break;
+ }
+
 capid = parse_cap(keep_entry);
 if (capid == -2)
 continue;
-- 
2.23.0
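Review bot: The `ISULAD_KEEP_NONE` branch zeroes `caplist` and breaks out of the loop, so keep entries listed before the sentinel are silently discarded and entries after it are never passed to `parse_cap`. That fails closed, which is the right direction for a capability keep-list, but a configuration that mixes the sentinel with real capability names goes unreported. I would state the override in the comment, e.g. `/* isulad: ISULAD_KEEP_NONE overrides every other keep entry; clear the whole keep list */`, and log above `DEBUG` when the list held anything besides the sentinel. The sentinel is also a bare string literal compared with `strcmp`, so it must match whatever writes the config byte for byte; a shared named constant would keep the two sides from drifting. The rest of `dropcaps_except`, including how `caplist` and `numcaps` are set up and consumed, lies outside the hunk.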