[lxc-devel] [lxc/lxc] 6ce8e6: attach: set no_new_privs flag after LSM label
Christian Brauner
noreply at github.com
Tue Jun 30 08:18:18 UTC 2020
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 6ce8e67825258fe8a38b057b1459a4f35e4b39bb
https://github.com/lxc/lxc/commit/6ce8e67825258fe8a38b057b1459a4f35e4b39bb
Author: Alexander Livenets <a.livenets at gmail.com>
Date: 2020-06-30 (Tue, 30 Jun 2020)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: set no_new_privs flag after LSM label
In `start.c:1284`, the no_new_privs flag is set after the LSM label is set.
Also, in the `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving the
`PR_SET_NO_NEW_PRIVS` set logic to after the LSM for the process is configured.
Closes #3393
Signed-off-by: Alexander Livenets <a.livenets at gmail.com>
Commit: f88d8e68b0c4c3c061fa828ae8c0742326c213b4
https://github.com/lxc/lxc/commit/f88d8e68b0c4c3c061fa828ae8c0742326c213b4
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2020-06-30 (Tue, 30 Jun 2020)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
Merge pull request #3466 from alivenets/fix-no-new-privs
attach: set no_new_privs flag after LSM label
Compare: https://github.com/lxc/lxc/compare/7c8b10e515c7...f88d8e68b0c4