proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-15 10:12:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

attach: improve error logging for drop_capabilities()

Browse Source 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit is contained in:
Christian Brauner 2021-10-14 11:52:06 +02:00
parent 09f2a3ef8a
commit 401b1364b3
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D
2 changed files with 17 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/lxc/attach.c
View File

@ -780,7 +780,7 @@ static int drop_capabilities(struct attach_context *ctx)
ret = lxc_caps_last_cap(&last_cap); ret = lxc_caps_last_cap(&last_cap);
if (ret) if (ret)
return ret; return syserror_ret(ret, "%d - Failed to drop capabilities", ret);
for (__u32 cap = 0; cap <= last_cap; cap++) { for (__u32 cap = 0; cap <= last_cap; cap++) {
if (ctx->capability_mask & (1LL << cap)) if (ctx->capability_mask & (1LL << cap))
@ -788,7 +788,7 @@ static int drop_capabilities(struct attach_context *ctx)
if (prctl(PR_CAPBSET_DROP, prctl_arg(cap), prctl_arg(0), if (prctl(PR_CAPBSET_DROP, prctl_arg(cap), prctl_arg(0),
prctl_arg(0), prctl_arg(0))) prctl_arg(0), prctl_arg(0)))
return log_error_errno(-1, errno, "Failed to drop capability %d", cap); return syserror("Failed to drop capability %d", cap);
TRACE("Dropped capability %d", cap); TRACE("Dropped capability %d", cap);
} }

19
src/lxc/caps.c
View File

@ -211,6 +211,11 @@ static int __caps_last_cap(__u32 *cap)
{ {
__do_close int fd = -EBADF; __do_close int fd = -EBADF;
if (!cap)
return ret_errno(EINVAL);
*cap = 0;
/* /*
* Try to get the maximum capability over the kernel interface * Try to get the maximum capability over the kernel interface
* introduced in v3.2. * introduced in v3.2.
@ -222,16 +227,16 @@ static int __caps_last_cap(__u32 *cap)
0); 0);
if (fd >= 0) { if (fd >= 0) {
ssize_t ret; ssize_t ret;
unsigned res; unsigned int res;
char buf[INTTYPE_TO_STRLEN(__u32)] = {0}; char buf[INTTYPE_TO_STRLEN(unsigned int)] = {0};
ret = lxc_read_nointr(fd, buf, STRARRAYLEN(buf)); ret = lxc_read_nointr(fd, buf, STRARRAYLEN(buf));
if (ret <= 0) if (ret <= 0)
return ret_errno(EINVAL); return syserror_set(EINVAL, "Failed to read \"/proc/sys/kernel/cap_last_cap\"");
ret = lxc_safe_uint(buf, &res); ret = lxc_safe_uint(lxc_trim_whitespace_in_place(buf), &res);
if (ret < 0) if (ret < 0)
return ret; return syserror("Failed to parse unsigned integer %s", buf);
*cap = (__u32)res; *cap = (__u32)res;
} else { } else {
@ -244,6 +249,7 @@ static int __caps_last_cap(__u32 *cap)
while (prctl(PR_CAPBSET_READ, prctl_arg(cur_cap)) >= 0) while (prctl(PR_CAPBSET_READ, prctl_arg(cur_cap)) >= 0)
cur_cap++; cur_cap++;
if (cur_cap)
*cap = cur_cap - 1; *cap = cur_cap - 1;
} }
@ -255,6 +261,9 @@ int lxc_caps_last_cap(__u32 *cap)
static int ret = -1; static int ret = -1;
static __u32 last_cap = 0; static __u32 last_cap = 0;
if (!cap)
return ret_errno(EINVAL);
if (ret < 0) { if (ret < 0) {
ret = __caps_last_cap(&last_cap); ret = __caps_last_cap(&last_cap);
if (ret) if (ret)