proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-15 06:43:14 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

chmod container dir to 0770

Browse Source 
This prevents u2 from going into /home/u1/.local/share/lxc/u1/rootfs
and running setuid-root applications to get write access to u1's
container rootfs.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
This commit is contained in:
Serge Hallyn 2014-08-14 18:29:55 +00:00 committed by Stéphane Graber
parent 9e43c35232
commit c86da6a3ac
1 changed files with 26 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/lxc/lxccontainer.c
View File

@ -733,6 +733,27 @@ static bool lxcapi_stop(struct lxc_container *c)
return ret == 0; return ret == 0;
} }
static int do_create_container_dir(const char *path, struct lxc_conf *conf)
{
int ret = -1;
char *p = alloca(strlen(path)+1);
ret = mkdir(path, 0770);
if (ret) {
if (errno == EEXIST)
ret = 0;
else {
SYSERROR("failed to create container path %s", path);
return -1;
}
}
strcpy(p, path);
if (!lxc_list_empty(&conf->id_map) && chown_mapped_root(p, conf) != 0) {
ERROR("Failed to chown container dir");
ret = -1;
}
return ret;
}
/* /*
* create the standard expected container dir * create the standard expected container dir
*/ */
@ -750,13 +771,7 @@ static bool create_container_dir(struct lxc_container *c)
free(s); free(s);
return false; return false;
} }
ret = mkdir(s, 0755); ret = do_create_container_dir(s, c->lxc_conf);
if (ret) {
if (errno == EEXIST)
ret = 0;
else
SYSERROR("failed to create container path for %s", c->name);
}
free(s); free(s);
return ret == 0; return ret == 0;
} }
@ -2703,17 +2718,15 @@ sudo lxc-clone -o o1 -n n1 -s -L|-fssize fssize -v|--vgname vgname \
only rootfs gets converted (copied/snapshotted) on clone. only rootfs gets converted (copied/snapshotted) on clone.
*/ */
static int create_file_dirname(char *path) static int create_file_dirname(char *path, struct lxc_conf *conf)
{ {
char *p = strrchr(path, '/'); char *p = strrchr(path, '/');
int ret; int ret = -1;
if (!p) if (!p)
return -1; return -1;
*p = '\0'; *p = '\0';
ret = mkdir(path, 0755); ret = do_create_container_dir(path, conf);
if (ret && errno != EEXIST)
SYSERROR("creating container path %s", path);
*p = '/'; *p = '/';
return ret; return ret;
} }
@ -2757,7 +2770,7 @@ static struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *n
goto out; goto out;
} }
ret = create_file_dirname(newpath); ret = create_file_dirname(newpath, c->lxc_conf);
if (ret < 0 && errno != EEXIST) { if (ret < 0 && errno != EEXIST) {
ERROR("Error creating container dir for %s", newpath); ERROR("Error creating container dir for %s", newpath);
goto out; goto out;