confile: rework lxc_fill_elevated_privileges()

Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2025-08-03 19:41:49 +00:00 · 2021-08-24 09:54:27 +02:00 · 2021-08-24 09:54:27 +02:00 · d253a09f9b
commit d253a09f9b
parent d34bbcb71a
3 changed files with 20 additions and 15 deletions
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@ -3256,10 +3256,10 @@ int lxc_config_parse_arch(const char *arch, signed long *persona)
 	return ret_errno(EINVAL);
 }

-int lxc_fill_elevated_privileges(char *flaglist, int *flags)
+int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags)
 {
+	unsigned int flags_tmp = 0;
 	char *token;
-	int i, aflag;
 	struct {
 		const char *token;
 		int flag;
@ -3271,28 +3271,33 @@ int lxc_fill_elevated_privileges(char *flaglist, int *flags)
 	};

 	if (!flaglist) {
-		/* For the sake of backward compatibility, drop all privileges
-		*  if none is specified.
+		/*
+		 * For the sake of backward compatibility, keep all privileges
+		 * if no specific privileges are specified.
 		 */
-		for (i = 0; all_privs[i].token; i++)
-			*flags |= all_privs[i].flag;
+		for (unsigned int i = 0; all_privs[i].token; i++)
+			flags_tmp |= all_privs[i].flag;

+		*flags = flags_tmp;
 		return 0;
 	}

 	lxc_iterate_parts(token, flaglist, "|") {
-		aflag = -1;
+		bool valid_token = false;

-		for (i = 0; all_privs[i].token; i++)
-			if (strequal(all_privs[i].token, token))
-				aflag = all_privs[i].flag;
+		for (unsigned int i = 0; all_privs[i].token; i++) {
+			if (!strequal(all_privs[i].token, token))
+				continue;

-		if (aflag < 0)
-			return ret_errno(EINVAL);
+			valid_token = true;
+			flags_tmp |= all_privs[i].flag;
+		}

-		*flags |= aflag;
+		if (!valid_token)
+			return syserror_set(-EINVAL, "Invalid elevated privilege \"%s\" requested", token);
 	}

+	*flags = flags_tmp;
 	return 0;
 }

--- a/src/lxc/confile.h
+++ b/src/lxc/confile.h
@ -89,7 +89,7 @@ __hidden extern void lxc_config_define_free(struct lxc_list *defines);
 */
 __hidden extern int lxc_config_parse_arch(const char *arch, signed long *persona);

-__hidden extern int lxc_fill_elevated_privileges(char *flaglist, int *flags);
+__hidden extern int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags);

 __hidden extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);

--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@ -52,7 +52,7 @@ static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
 static bool stdfd_is_pty(void);
 static int lxc_attach_create_log_file(const char *log_file);

-static int elevated_privileges;
+static unsigned int elevated_privileges;
 static signed long new_personality = -1;
 static int namespace_flags = -1;
 static int remount_sys_proc;