Merge pull request #3949 from brauner/2021-08-24.attach

tools: lxc-attach fixes
Stéphane Graber 2021-08-24 23:56:17 -04:00 committed by GitHub
commit e91d7f22f1
5 changed files with 54 additions and 34 deletions


@ -165,8 +165,7 @@ static inline bool sync_wait_fd(int fd, int *fd_recv)
static bool attach_lsm(lxc_attach_options_t *options) static bool attach_lsm(lxc_attach_options_t *options)
{ {
return (options->namespaces & CLONE_NEWNS) && return (options->attach_flags & (LXC_ATTACH_LSM | LXC_ATTACH_LSM_LABEL));
(options->attach_flags & (LXC_ATTACH_LSM | LXC_ATTACH_LSM_LABEL));
} }
static struct attach_context *alloc_attach_context(void) static struct attach_context *alloc_attach_context(void)
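Review bot: The mask `(LXC_ATTACH_LSM | LXC_ATTACH_LSM_LABEL)` on the new return line becomes redundant once the header change in this same commit folds `LXC_ATTACH_LSM_LABEL` into `LXC_ATTACH_LSM`; `return options->attach_flags & LXC_ATTACH_LSM;` expresses the same test and keeps a single definition of "all LSM flags". Dropping the `CLONE_NEWNS` condition means LSM handling is now attempted even when the attach does not enter the mount namespace, which looks intended but deserves a one-line comment on the function, e.g. `/* LSM handling no longer depends on entering the mount namespace. */`. attach_lsm is complete within the hunk.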


@ -65,7 +65,7 @@ enum {
}; };
/*! All Linux Security Module flags */ /*! All Linux Security Module flags */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW) #define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW | LXC_ATTACH_LSM_LABEL)
/*! LXC attach function type. /*! LXC attach function type.
* *
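Review bot: Widening `LXC_ATTACH_LSM` to include `LXC_ATTACH_LSM_LABEL` changes the meaning of a public macro: any API user who ORs `LXC_ATTACH_LSM` into `attach_flags` to request LSM handling now also sets the label flag, and any user who masks with `~LXC_ATTACH_LSM` now clears it. That appears to be the intent for lxc-attach's elevated-privilege path, but the header comment should say so rather than leaving it to readers of the tool, e.g. `/*! All Linux Security Module flags, including the explicit label flag; masking attach_flags with ~LXC_ATTACH_LSM disables LSM handling entirely */`.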


@ -3252,10 +3252,10 @@ int lxc_config_parse_arch(const char *arch, signed long *persona)
return ret_errno(EINVAL); return ret_errno(EINVAL);
} }
int lxc_fill_elevated_privileges(char *flaglist, int *flags) int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags)
{ {
unsigned int flags_tmp = 0;
char *token; char *token;
int i, aflag;
struct { struct {
const char *token; const char *token;
int flag; int flag;
@ -3267,28 +3267,33 @@ int lxc_fill_elevated_privileges(char *flaglist, int *flags)
}; };
if (!flaglist) { if (!flaglist) {
/* For the sake of backward compatibility, drop all privileges /*
* if none is specified. * For the sake of backward compatibility, keep all privileges
* if no specific privileges are specified.
*/ */
for (i = 0; all_privs[i].token; i++) for (unsigned int i = 0; all_privs[i].token; i++)
*flags |= all_privs[i].flag; flags_tmp |= all_privs[i].flag;
*flags = flags_tmp;
return 0; return 0;
} }
lxc_iterate_parts(token, flaglist, "|") { lxc_iterate_parts(token, flaglist, "|") {
aflag = -1; bool valid_token = false;
for (i = 0; all_privs[i].token; i++) for (unsigned int i = 0; all_privs[i].token; i++) {
if (strequal(all_privs[i].token, token)) if (!strequal(all_privs[i].token, token))
aflag = all_privs[i].flag; continue;
if (aflag < 0) valid_token = true;
return ret_errno(EINVAL); flags_tmp |= all_privs[i].flag;
*flags |= aflag;
} }
if (!valid_token)
return syserror_set(-EINVAL, "Invalid elevated privilege \"%s\" requested", token);
}
*flags = flags_tmp;
return 0; return 0;
} }
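Review bot: The lookup table's `int flag;` field is left signed while `flags_tmp` and the `*flags` out-parameter are now `unsigned int`, so `flags_tmp |= all_privs[i].flag;` relies on an implicit signed-to-unsigned conversion on every match; declaring the field `unsigned int flag;` keeps the types consistent with the new signature and keeps `-Wsign-conversion` quiet. The inner loop also keeps scanning after a match instead of breaking, which is harmless for a table of unique tokens but reads as if duplicates were expected; a `break;` after `flags_tmp |= all_privs[i].flag;` would make the intent explicit. Note that with a non-NULL but empty `flaglist` the function now writes `*flags = 0` where the old code left `*flags` untouched; that is presumably fine for the static zero-initialised caller, but worth stating in the function comment. The signature is in the first hunk and the body in the second, with the table initialiser between them outside the shown lines.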


@ -89,7 +89,7 @@ __hidden extern void lxc_config_define_free(struct lxc_list *defines);
*/ */
__hidden extern int lxc_config_parse_arch(const char *arch, signed long *persona); __hidden extern int lxc_config_parse_arch(const char *arch, signed long *persona);
__hidden extern int lxc_fill_elevated_privileges(char *flaglist, int *flags); __hidden extern int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags);
__hidden extern int lxc_clear_config_item(struct lxc_conf *c, const char *key); __hidden extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);


@ -52,7 +52,7 @@ static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
static bool stdfd_is_pty(void); static bool stdfd_is_pty(void);
static int lxc_attach_create_log_file(const char *log_file); static int lxc_attach_create_log_file(const char *log_file);
static int elevated_privileges; static unsigned int elevated_privileges;
static signed long new_personality = -1; static signed long new_personality = -1;
static int namespace_flags = -1; static int namespace_flags = -1;
static int remount_sys_proc; static int remount_sys_proc;
@ -277,10 +277,11 @@ int main(int argc, char *argv[])
{ {
int ret = -1; int ret = -1;
int wexit = 0; int wexit = 0;
struct lxc_log log;
pid_t pid;
lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT; lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL}; lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL};
pid_t pid;
struct lxc_container *c;
struct lxc_log log;
if (lxc_caps_init()) if (lxc_caps_init())
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@ -304,7 +305,7 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
struct lxc_container *c = lxc_container_new(my_args.name, my_args.lxcpath[0]); c = lxc_container_new(my_args.name, my_args.lxcpath[0]);
if (!c) if (!c)
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@ -333,8 +334,23 @@ int main(int argc, char *argv[])
if (remount_sys_proc) if (remount_sys_proc)
attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS; attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS;
if (elevated_privileges) if (elevated_privileges) {
if ((elevated_privileges & LXC_ATTACH_LSM_EXEC)) {
if (selinux_context) {
ERROR("Cannot combine elevated LSM privileges while requesting LSM profile");
goto out;
}
/*
* While most LSM flags are off by default let's still
* make sure they are stripped when elevated LSM
* privileges are requested.
*/
elevated_privileges |= LXC_ATTACH_LSM;
}
attach_options.attach_flags &= ~(elevated_privileges); attach_options.attach_flags &= ~(elevated_privileges);
}
if (stdfd_is_pty()) if (stdfd_is_pty())
attach_options.attach_flags |= LXC_ATTACH_TERMINAL; attach_options.attach_flags |= LXC_ATTACH_TERMINAL;
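Review bot: The conflict check in the third hunk tests only `LXC_ATTACH_LSM_EXEC`, so the ERROR/goto path is taken only when that particular bit was requested; if `lxc_fill_elevated_privileges` can ever set `LXC_ATTACH_LSM_NOW` or `LXC_ATTACH_LSM_LABEL` directly, a `-c` context combined with those would slip past the check, so masking with `elevated_privileges & LXC_ATTACH_LSM` would be the more defensive test and would not change behaviour for the current table. The comment above `elevated_privileges |= LXC_ATTACH_LSM;` explains the what but not the why: the point is that clearing the whole mask also clears `LXC_ATTACH_LSM_LABEL`, so the attach path never applies a profile for an elevated-LSM attach; suggest `/* Clear every LSM flag, LSM_LABEL included, so no profile is applied when LSM privileges are elevated. */`. The doubled parentheses in `if ((elevated_privileges & LXC_ATTACH_LSM_EXEC))` are unnecessary. `goto out` runs after the container has been created, which relies on the `out` label (outside the hunk) releasing it; main continues beyond the hunk.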