[lxc-devel] [lxc/master] tools: fix lxc-attach regression with -s USER
brauner on Github
lxc-bot at linuxcontainers.org
Wed Sep 21 15:29:09 UTC 2016
From bd4307f0c154ace6560082cf449b08f2f567c98c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Wed, 21 Sep 2016 13:02:08 +0200
Subject: [PATCH] tools: fix lxc-attach regression with -s USER
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
---
src/lxc/attach.c | 24 +++++++++++-------------
src/lxc/seccomp.c | 2 +-
2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index c741410..99b07fa 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -665,16 +665,16 @@ static int attach_child_main(void* data);
/* define default options if no options are supplied by the user */
static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
-static bool fetch_seccomp(struct lxc_proc_context_info *i,
+static bool fetch_seccomp(struct lxc_container *c,
lxc_attach_options_t *options)
{
- struct lxc_container *c;
char *path;
- if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+ if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) {
+ free(c->lxc_conf->seccomp);
+ c->lxc_conf->seccomp = NULL;
return true;
-
- c = i->container;
+ }
/* Remove current setting. */
if (!c->set_config_item(c, "lxc.seccomp", "")) {
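Review bot: The new early-exit branch dereferences `c->lxc_conf` without a NULL check, while the attach_child_main hunk later in this patch guards `init_ctx->container->lxc_conf` before touching the same field; if lxc_conf can legitimately be NULL at this point, `free(c->lxc_conf->seccomp)` will crash. Keeping the two sites consistent is a one-line guard: `if (c->lxc_conf) { free(c->lxc_conf->seccomp); c->lxc_conf->seccomp = NULL; }`. The branch also discards the policy silently, so an attach that does not join the mount namespace or has LXC_ATTACH_LSM unset runs the command with no seccomp filter and no trace of that in the log; an `INFO("Not loading seccomp policy: mount namespace not attached or LSM disabled.");` before `return true;` would make the decision visible to whoever is debugging or auditing. fetch_seccomp continues past the end of this hunk.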
@@ -684,6 +684,7 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
/* Fetch the current profile path over the cmd interface */
path = c->get_running_config_item(c, "lxc.seccomp");
if (!path) {
+ INFO("Failed to get running config item for lxc.seccomp.");
return true;
}
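Review bot: A NULL result from get_running_config_item() is treated as success and logged only at INFO, yet by this point the previous setting has already been wiped by the `set_config_item(c, "lxc.seccomp", "")` call just above the hunk, so the attach proceeds with no seccomp policy at all. If a NULL return can come from a failed command-socket round trip rather than only from a container that genuinely has no policy, this fails open without anyone noticing; returning `false` here, which the caller already maps to "Failed to get seccomp policy", or at least using `WARN` would surface it. Whether NULL distinguishes "no policy" from "lookup failed" is not visible in this hunk and should be confirmed against the cmd-interface implementation. fetch_seccomp starts and ends outside this hunk.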
@@ -704,14 +705,11 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
return true;
}
-static bool no_new_privs(struct lxc_proc_context_info *ctx,
+static bool no_new_privs(struct lxc_container *c,
lxc_attach_options_t *options)
{
- struct lxc_container *c;
char *val;
- c = ctx->container;
-
/* Remove current setting. */
if (!c->set_config_item(c, "lxc.no_new_privs", "")) {
return false;
@@ -784,10 +782,10 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
if (!init_ctx->container)
return -1;
- if (!fetch_seccomp(init_ctx, options))
+ if (!fetch_seccomp(init_ctx->container, options))
WARN("Failed to get seccomp policy");
- if (!no_new_privs(init_ctx, options))
+ if (!no_new_privs(init_ctx->container, options))
WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
cwd = getcwd(NULL, 0);
@@ -1211,9 +1209,9 @@ static int attach_child_main(void* data)
rexit(-1);
}
}
-
if (init_ctx->container && init_ctx->container->lxc_conf &&
- lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+ init_ctx->container->lxc_conf->seccomp &&
+ (lxc_seccomp_load(init_ctx->container->lxc_conf) != 0)) {
ERROR("Loading seccomp policy");
rexit(-1);
}
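Review bot: The widened condition depends on fetch_seccomp() having reset `lxc_conf->seccomp` to NULL whenever no policy is to be applied, but nothing at this site records that contract, and a later reader may take a NULL path for a configuration error rather than a deliberate skip. A comment above the `if` such as `/* fetch_seccomp() clears lxc_conf->seccomp when no policy is to be applied (no CLONE_NEWNS or no LXC_ATTACH_LSM); only load when a path is set. */` would document why the extra NULL test is correct. The failure branch still calls rexit(-1), so a policy that is present but cannot be loaded keeps the attach fail-closed, which is the right default to preserve. attach_child_main starts and ends outside this hunk.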
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 5069730..ccffa9f 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -748,7 +748,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
#endif
);
if (ret < 0) {
- ERROR("Error loading the seccomp policy.");
+ ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
return -1;
}
return 0;
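Review bot: `strerror(-ret)` is only meaningful if the call that produces `ret`, which begins above this hunk, returns a negative errno value the way libseccomp's seccomp_load() does; a bare -1 from any other path would print "Operation not permitted" and send the reader chasing a capability problem that may not exist. If both branches under the `#if` select libseccomp error codes this is fine, otherwise logging the raw code alongside the text, `ERROR("Error loading the seccomp policy (%d): %s.", ret, strerror(-ret));`, keeps the message honest in either case. The enclosing lxc_seccomp_load starts outside this hunk, so I cannot see which calls feed `ret`.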