[libvirt] [PATCHv3 3/3] lxc: update doc to mention features/capabilities/* domain configuration

[Cédric Bosdonnat]

---
 docs/drvlxc.html.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
index fc4bc20..403ce24 100644
--- a/docs/drvlxc.html.in
+++ b/docs/drvlxc.html.in
@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root:
 </domain>
 </pre>
 
+<h2><a name="capabilities">Altering the available capabilities</a></h2>
+
+<p>
+By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD.
+However <span class="since">since 1.2.6</span> libvirt can be told to keep or
+drop some capabilities using a domain configuration like the following:
+</p>
+<pre>
+...
+<features>
+  <capabilities policy='default'>
+    <mknod state='on'/>
+    <sys_chroot state='off'/>
+  </capabilities>
+</features>
+...
+</pre>
+<p>
+The capabilities children elements are named after the capabilities as defined in
+<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the
+capability, while an <code>on</code> state will force to keep the capability even though
+this one is dropped by default.
+</p>
+<p>
+The <code>policy</code> attribute can be one of <code>default</code>, <code>allow</code>
+or <code>deny</code>. It defines the default rules for capabilities: either keep the
+default behavior that is dropping a few selected capabilities, or keep all capabilities
+or drop all capabilities. The interest of <code>allow</code> and <code>deny</code> is that
+they guarantee that all capabilities will be kept (or removed) even if new ones are added
+later.
+</p>
+<p>
+The following example, drops all capabilities but CAP_MKNOD:
+</p>
+<pre>
+...
+<features>
+  <capabilities policy='deny'>
+    <mknod state='on'/>
+  </capabilities>
+</features>
+...
+</pre>
+<p>
+Note that allowing capabilities that are normally dropped by default can seriously
+affect the security of the container and the host.
+</p>
 
 <h2><a name="usage">Container usage / management</a></h2>
 
-- 
1.8.4.5