drop capabilities in lxc-init (V2)

Capabilities are reset just after the filesystem is mounted.
lxc_setup_fs() is moved up, before the process is forked.

Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
clg@linux.vnet.ibm.com 2010-05-27 12:17:40 +02:00 committed by Daniel Lezcano
parent 3c22086fe2
commit 0af683cf29
3 changed files with 37 additions and 4 deletions


@ -72,6 +72,15 @@ AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h],
AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]),
[#include <sys/types.h> [#include <sys/types.h>
#include <sys/capability.h>]) #include <sys/capability.h>])
AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
AC_MSG_CHECKING([linux capabilities])
if test "x$caplib" = "xyes" ; then
CAP_LIBS="-lcap"
AC_MSG_RESULT([$CAP_LIBS])
else
AC_MSG_ERROR([not found])
fi
AC_SUBST([CAP_LIBS])
# Some systems lack PR_CAPBSET_DROP definition => HAVE_DECL_PR_CAPBSET_DROP # Some systems lack PR_CAPBSET_DROP definition => HAVE_DECL_PR_CAPBSET_DROP
AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>]) AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>])
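Review bot: `AC_MSG_CHECKING([linux capabilities])` is issued only after `AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)` has already printed its own "checking for cap_set_proc in -lcap... yes/no" line, so the configure output shows the result before the question; move the AC_MSG_CHECKING above the AC_CHECK_LIB call, or drop it together with the AC_MSG_RESULT and let AC_CHECK_LIB report. The failure branch says only `not found`, whereas the header check two lines up tells the user what to install; `AC_MSG_ERROR([libcap not found, please install libcap-devel.])` keeps the two messages consistent. Note that the explicit action-if-found means -lcap is not appended to LIBS globally, which is presumably intended since only lxc-init links @CAP_LIBS@.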


@ -100,6 +100,7 @@ lxc_execute_SOURCES = lxc_execute.c
lxc_freeze_SOURCES = lxc_freeze.c lxc_freeze_SOURCES = lxc_freeze.c
lxc_info_SOURCES = lxc_info.c lxc_info_SOURCES = lxc_info.c
lxc_init_SOURCES = lxc_init.c lxc_init_SOURCES = lxc_init.c
lxc_init_LDADD = $(LDADD) @CAP_LIBS@
lxc_monitor_SOURCES = lxc_monitor.c lxc_monitor_SOURCES = lxc_monitor.c
lxc_restart_SOURCES = lxc_restart.c lxc_restart_SOURCES = lxc_restart.c
lxc_start_SOURCES = lxc_start.c lxc_start_SOURCES = lxc_start.c


@ -30,6 +30,7 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/wait.h> #include <sys/wait.h>
#include <sys/capability.h>
#define _GNU_SOURCE #define _GNU_SOURCE
#include <getopt.h> #include <getopt.h>
@ -48,6 +49,25 @@ static struct option options[] = {
static int was_interrupted = 0; static int was_interrupted = 0;
static int cap_reset(void)
{
cap_t cap = cap_init();
int ret = 0;
if (!cap) {
ERROR("cap_init() failed : %m");
return -1;
}
if (cap_set_proc(cap)) {
ERROR("cap_set_proc() failed : %m");
ret = -1;
}
cap_free(cap);
return ret;
}
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
@ -98,6 +118,12 @@ int main(int argc, char *argv[])
sigaction(i, &act, NULL); sigaction(i, &act, NULL);
} }
if (lxc_setup_fs())
exit(err);
if (cap_reset())
exit(err);
pid = fork(); pid = fork();
if (pid < 0) if (pid < 0)
@ -109,13 +135,10 @@ int main(int argc, char *argv[])
signal(i, SIG_DFL); signal(i, SIG_DFL);
sigprocmask(SIG_SETMASK, &omask, NULL); sigprocmask(SIG_SETMASK, &omask, NULL);
if (lxc_setup_fs())
exit(err);
NOTICE("about to exec '%s'", aargv[0]); NOTICE("about to exec '%s'", aargv[0]);
execvp(aargv[0], aargv); execvp(aargv[0], aargv);
ERROR("failed to exec: '%s' : %s", aargv[0], strerror(errno)); ERROR("failed to exec: '%s' : %m", aargv[0]);
exit(err); exit(err);
} }
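Review bot: The drop in `cap_reset()` (cap_init() yields empty permitted/effective/inheritable sets and cap_set_proc() installs them) leaves the capability bounding set untouched, and since it runs before the fork, the child's `execvp(aargv[0], aargv)` will, if lxc-init is running as uid 0 as a container's init normally does, re-derive a full permitted set from the bounding set under the default root-exec rules (SECBIT_NOROOT not set), so the exec'd program gets its capabilities back. To make the drop survive exec, shrink the bounding set with prctl(PR_CAPBSET_DROP) for every capability while CAP_SETPCAP is still in the effective set, i.e. before cap_set_proc(), and/or raise SECBIT_NOROOT via prctl(PR_SET_SECUREBITS); configure.ac already probes HAVE_DECL_PR_CAPBSET_DROP, so the loop can be guarded by it (it needs `<sys/prctl.h>`, and CAP_LAST_CAP comes from linux/capability.h, which sys/capability.h pulls in). EINVAL for a capability number the running kernel does not know can be ignored, anything else should fail cap_reset(). main() continues past the end of this hunk.
```c
	/* … unchanged: cap_init() and its NULL check … */

#if HAVE_DECL_PR_CAPBSET_DROP
	/* shrink the bounding set first: it needs CAP_SETPCAP, which
	 * cap_set_proc() below removes, and it is what an exec by uid 0
	 * would otherwise hand back to the new program */
	for (cap_value_t c = 0; c <= CAP_LAST_CAP; c++) {
		if (prctl(PR_CAPBSET_DROP, c, 0, 0, 0) && errno != EINVAL) {
			ERROR("prctl(PR_CAPBSET_DROP, %d) failed : %m", (int)c);
			cap_free(cap);
			return -1;
		}
	}
#endif

	/* … unchanged: cap_set_proc(), cap_free(), return ret … */
```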