proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-09 07:35:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1202 from brauner/2016-09-21/lxc_attach_no_new_priv_fix

Browse Source 
tools: fix lxc-attach regression with -s USER
This commit is contained in:
Stéphane Graber 2016-09-21 15:33:45 -04:00 committed by GitHub
commit 9c395c35de
2 changed files with 12 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/lxc/attach.c
View File

@ -665,16 +665,16 @@ static int attach_child_main(void* data);
/* define default options if no options are supplied by the user */ /* define default options if no options are supplied by the user */
static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT; static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
static bool fetch_seccomp(struct lxc_proc_context_info *i, static bool fetch_seccomp(struct lxc_container *c,
lxc_attach_options_t *options) lxc_attach_options_t *options)
{ {
struct lxc_container *c;
char *path; char *path;
if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) {
free(c->lxc_conf->seccomp);
c->lxc_conf->seccomp = NULL;
return true; return true;
}
c = i->container;
/* Remove current setting. */ /* Remove current setting. */
if (!c->set_config_item(c, "lxc.seccomp", "")) { if (!c->set_config_item(c, "lxc.seccomp", "")) {
@ -684,6 +684,7 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
/* Fetch the current profile path over the cmd interface */ /* Fetch the current profile path over the cmd interface */
path = c->get_running_config_item(c, "lxc.seccomp"); path = c->get_running_config_item(c, "lxc.seccomp");
if (!path) { if (!path) {
INFO("Failed to get running config item for lxc.seccomp.");
return true; return true;
} }
@ -704,14 +705,11 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
return true; return true;
} }
static bool no_new_privs(struct lxc_proc_context_info *ctx, static bool no_new_privs(struct lxc_container *c,
lxc_attach_options_t *options) lxc_attach_options_t *options)
{ {
struct lxc_container *c;
char *val; char *val;
c = ctx->container;
/* Remove current setting. */ /* Remove current setting. */
if (!c->set_config_item(c, "lxc.no_new_privs", "")) { if (!c->set_config_item(c, "lxc.no_new_privs", "")) {
return false; return false;
@ -784,10 +782,10 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
if (!init_ctx->container) if (!init_ctx->container)
return -1; return -1;
if (!fetch_seccomp(init_ctx, options)) if (!fetch_seccomp(init_ctx->container, options))
WARN("Failed to get seccomp policy"); WARN("Failed to get seccomp policy");
if (!no_new_privs(init_ctx, options)) if (!no_new_privs(init_ctx->container, options))
WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set."); WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
cwd = getcwd(NULL, 0); cwd = getcwd(NULL, 0);
@ -1211,9 +1209,9 @@ static int attach_child_main(void* data)
rexit(-1); rexit(-1);
} }
} }
if (init_ctx->container && init_ctx->container->lxc_conf && if (init_ctx->container && init_ctx->container->lxc_conf &&
lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) { init_ctx->container->lxc_conf->seccomp &&
(lxc_seccomp_load(init_ctx->container->lxc_conf) != 0)) {
ERROR("Loading seccomp policy"); ERROR("Loading seccomp policy");
rexit(-1); rexit(-1);
} }

2
src/lxc/seccomp.c
View File

@ -748,7 +748,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
#endif #endif
); );
if (ret < 0) { if (ret < 0) {
ERROR("Error loading the seccomp policy."); ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
return -1; return -1;
} }
return 0; return 0;