[lxc-devel] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP

Serge Hallyn serge.hallyn at canonical.com
Fri Jun 29 15:55:01 UTC 2012


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On 06/29/2012 11:41 AM, Serge Hallyn wrote:
> > The following patch allows me to run lxc-execute -n p1 -- /bin/ls
> > as unprivileged user.  I've pushed it to git://github.com/hallyn/lxc.git.
> > Thanks, Sam, for pointing this out.
> > 
> > CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
> > actually supports.  If the kernel supports fewer capabilities, then a
> > cap_get_flag for an unsupported capability returns -EINVAL.
> > 
> > Recognize that, and don't fail when initializing capabilities when this
> > happens, rather accept that we've reached the last capability.
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > Reported-by: Sam Wang <zhefwang at gmail.com>
> > ---
> >  src/lxc/caps.c |   12 ++++++++++--
> >  1 file changed, 10 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> > index 10a0b4a..c32e7e4 100644
> > --- a/src/lxc/caps.c
> > +++ b/src/lxc/caps.c
> > @@ -28,6 +28,7 @@
> >  #include <limits.h>
> >  #include <sys/prctl.h>
> >  #include <sys/capability.h>
> > +#include <errno.h>
> >  
> >  #include "log.h"
> >  
> > @@ -90,6 +91,7 @@ int lxc_caps_up(void)
> >  	cap_t caps;
> >  	cap_value_t cap;
> >  	int ret;
> > +	int lastcap = 0;
> >  
> >  	/* when we are run as root, we don't want to play
> >  	 * with the capabilities */
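Review bot: lastcap, declared in this hunk, is assigned in the loop further down but is never read in any of the visible hunks; the INFO() call logs cap-1 instead. Either drop the variable or log lastcap in the EINVAL branch, so the reported value and the tracked value cannot disagree.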
> > @@ -108,9 +110,15 @@ int lxc_caps_up(void)
> >  
> >  		ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
> >  		if (ret) {
> > -			ERROR("failed to cap_get_flag: %m");
> > -			goto out;
> > +			if (errno == EINVAL) {
> > +				INFO("Last supported cap was %d\n", cap-1);
> > +				break;
> > +			} else {
> > +				ERROR("failed to cap_get_flag: %m");
> > +				goto out;
> > +			}
> >  		}
> > +		lastcap = cap;
> >  
> >  		ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
> >  		if (ret) {
> > 
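Review bot: the errno == EINVAL branch treats every EINVAL from cap_get_flag as "ran past the last capability", including one returned for the first capability tested, where nothing has been raised yet and the function still carries on as if the scan had completed. Consider breaking only once at least one call has succeeded (lastcap, set just below the branch, could carry that) and treating an earlier EINVAL as an error. Minor points: the INFO() format ends in "\n" while the ERROR() call beside it does not, and the else after break is unnecessary.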
> 
> The idea of the change looks good, though you're defining a new lastcap
> variable that you then set but never actually seem to use as you're
> instead using cap-1 in the INFO() call.
> 
> Am I just missing some context or is that indeed not used?

It's not used, but I didn't remove it because I was debating whether
it should be made global and used later.  But yes it could be removed.
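
The commit message's point, that the header's CAP_LAST_CAP can exceed what the running kernel supports, shown as an added example that is not part of the patch or of lxc. It probes with prctl(PR_CAPBSET_READ) rather than the patch's cap_get_flag; find_last_cap, probe_fake, fake_limit and the upper bound of 63 are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>

/* Probe callback: >= 0 if the kernel knows `cap`, -1 with errno set otherwise. */
typedef int (*cap_probe_fn)(int cap);

/* Real probe: PR_CAPBSET_READ fails with EINVAL for a capability number
 * the running kernel does not support. */
static int probe_bounding_set(int cap)
{
	return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Constructed stand-in for a kernel that supports caps 0..fake_limit. */
static int fake_limit;
static int probe_fake(int cap)
{
	if (cap > fake_limit) {
		errno = EINVAL;
		return -1;
	}
	return 1;
}

/* Highest supported capability in [0, max]; -1 if cap 0 is already
 * rejected or the probe fails for a reason other than EINVAL. */
static int find_last_cap(cap_probe_fn probe, int max)
{
	int cap, last = -1;

	for (cap = 0; cap <= max; cap++) {
		errno = 0;
		if (probe(cap) < 0) {
			if (errno == EINVAL && last >= 0)
				break;	/* ran past the kernel's last capability */
			return -1;	/* EINVAL on cap 0, or an unrelated failure */
		}
		last = cap;
	}
	return last;
}

int main(void)
{
	printf("last capability supported by this kernel: %d\n",
	       find_last_cap(probe_bounding_set, 63));
	return 0;
}
```
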



