[lxc-devel] [PATCH 6/8] A few changes for unprivileged lxc-start
Stéphane Graber
stgraber at ubuntu.com
Sun Jul 21 08:44:46 UTC 2013
On Fri, Jul 19, 2013 at 02:26:53PM +0000, Serge Hallyn wrote:
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> When doing the reboot-support test, we must add CLONE_NEWUSER to the
> clone flags, else an unprivileged lxc-start can't clone(CLONE_NEWPID).
>
> If we don't have caps at lxc-start, don't refuse to start. Drop the
> lxc_caps_check() function altogether as it is unused now.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Happy to see that code go!
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> src/lxc/caps.c | 38 --------------------------------------
> src/lxc/caps.h | 4 ----
> src/lxc/lxc_start.c | 8 --------
> src/lxc/start.c | 24 ++++++++++++------------
> 4 files changed, 12 insertions(+), 62 deletions(-)
>
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 0544451..56f0241 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -227,42 +227,4 @@ int lxc_caps_last_cap(void)
> return last_cap;
> }
>
> -/*
> - * check if we have the caps needed to start a container. returns 1 on
> - * success, 0 on error. (I'd prefer this be a bool, but am afraid that
> - * might fail to build on some distros).
> - */
> -int lxc_caps_check(void)
> -{
> - uid_t uid = getuid();
> - cap_t caps;
> - cap_flag_value_t value;
> - int i, ret;
> -
> - cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
> -
> -#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
> -
> - if (!uid)
> - return 1;
> -
> - caps = cap_get_proc();
> - if (!caps) {
> - ERROR("failed to cap_get_proc: %m");
> - return 0;
> - }
> -
> - for (i=0; i<NUMCAPS; i++) {
> - ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
> - if (ret) {
> - ERROR("Failed to cap_get_flag: %m");
> - return 0;
> - }
> - if (!value) {
> - return 0;
> - }
> - }
> -
> - return 1;
> -}
> #endif
> diff --git a/src/lxc/caps.h b/src/lxc/caps.h
> index 97bdab6..8de9635 100644
> --- a/src/lxc/caps.h
> +++ b/src/lxc/caps.h
> @@ -30,7 +30,6 @@ extern int lxc_caps_reset(void);
> extern int lxc_caps_down(void);
> extern int lxc_caps_up(void);
> extern int lxc_caps_init(void);
> -extern int lxc_caps_check(void);
>
> extern int lxc_caps_last_cap(void);
> #else
> @@ -46,9 +45,6 @@ static inline int lxc_caps_up(void) {
> static inline int lxc_caps_init(void) {
> return 0;
> }
> -static inline int lxc_caps_check(void) {
> - return 1;
> -}
>
> static inline int lxc_caps_last_cap(void) {
> return 0;
> diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
> index 490dbad..e779304 100644
> --- a/src/lxc/lxc_start.c
> +++ b/src/lxc/lxc_start.c
> @@ -227,14 +227,6 @@ int main(int argc, char *argv[])
> }
>
> if (my_args.daemonize) {
> - /* do an early check for needed privs, since otherwise the
> - * user won't see the error */
> -
> - if (!lxc_caps_check()) {
> - ERROR("Not running with sufficient privilege");
> - goto out;
> - }
> -
> if (daemon(0, 0)) {
> SYSERROR("failed to daemonize '%s'", my_args.name);
> goto out;
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index c91b231..00020de 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -253,17 +253,10 @@ out_sigfd:
> return -1;
> }
>
> -extern int lxc_caps_check(void);
> -
> struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char *lxcpath)
> {
> struct lxc_handler *handler;
>
> - if (!lxc_caps_check()) {
> - ERROR("Not running with sufficient privilege");
> - return NULL;
> - }
> -
> handler = malloc(sizeof(*handler));
> if (!handler)
> return NULL;
> @@ -417,10 +410,10 @@ static int container_reboot_supported(void *arg)
> return 0;
> }
>
> -static int must_drop_cap_sys_boot(void)
> +static int must_drop_cap_sys_boot(struct lxc_conf *conf)
> {
> FILE *f = fopen("/proc/sys/kernel/ctrl-alt-del", "r");
> - int ret, cmd, v;
> + int ret, cmd, v, flags;
> long stack_size = 4096;
> void *stack = alloca(stack_size);
> int status;
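Review bot: The new `conf` parameter is undocumented and `must_drop_cap_sys_boot` still has no header comment saying what it decides, so a reader has to reverse it from the caller's `if (must_drop_cap_sys_boot(...)) { /* drop cap_sys_boot */ }`. I would add above the signature: `/* Probe in a throw-away pid namespace (and a user namespace when conf->id_map is set, which is what lets an unprivileged caller use CLONE_NEWPID) whether reboot(2) with the host's ctrl-alt-del setting works; non-zero means CAP_SYS_BOOT must be dropped from the container. conf must be non-NULL. */`. The "non-NULL" clause matters because the function body dereferences `conf` without a check; that is fine for the one visible caller passing `handler->conf`, but the comment should state the contract. The function body continues past this hunk, so the exact return semantics should be confirmed against the rest of it.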
> @@ -439,11 +432,15 @@ static int must_drop_cap_sys_boot(void)
> }
> cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
>
> + flags = CLONE_NEWPID | SIGCHLD;
> + if (!lxc_list_empty(&conf->id_map))
> + flags |= CLONE_NEWUSER;
> +
> #ifdef __ia64__
> - pid = __clone2(container_reboot_supported, stack, stack_size, CLONE_NEWPID | SIGCHLD, &cmd);
> + pid = __clone2(container_reboot_supported, stack, stack_size, flags, &cmd);
> #else
> stack += stack_size;
> - pid = clone(container_reboot_supported, stack, CLONE_NEWPID | SIGCHLD, &cmd);
> + pid = clone(container_reboot_supported, stack, flags, &cmd);
> #endif
> if (pid < 0) {
> SYSERROR("failed to clone\n");
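Review bot: The `CLONE_NEWUSER` added to `flags` hands the probe child a user namespace in which no uid/gid map has been written, so `container_reboot_supported` runs there as an unmapped id holding that namespace's full capability set; whether its reboot(2) outcome matches what the real container will see once `conf->id_map` has actually been applied is not established by this hunk, and the unprivileged-without-`id_map` case the commit message now allows will simply fail `clone(CLONE_NEWPID)` with EPERM and fall into the `SYSERROR` path rather than answering the question. Both deserve a comment at the `flags =` line, e.g. `/* unprivileged: CLONE_NEWPID is only permitted from inside a fresh user ns; the probe runs unmapped there, which may differ from the mapped container */`. Note also that `conf` is dereferenced via `lxc_list_empty(&conf->id_map)` with no NULL check — acceptable if the only caller passes `handler->conf`, but the function's comment should say so. The function's return on the `pid < 0` path lies outside the hunk, so what the caller does with a failed probe should be checked there.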
> @@ -668,6 +665,9 @@ int lxc_spawn(struct lxc_handler *handler)
> curcgroup = alloca(len);
> if (lxc_curcgroup(curcgroup, len) <= 1)
> curcgroup = NULL;
> + FILE *f = fopen("/tmp/a", "a");
> + fprintf(f, "curcgroup is %s\n", curcgroup);
> + fclose(f);
> }
> if ((handler->cgroup = lxc_cgroup_path_create(curcgroup, name)) == NULL)
> goto out_delete_net;
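Review bot: The three added lines `FILE *f = fopen("/tmp/a", "a"); fprintf(f, "curcgroup is %s\n", curcgroup); fclose(f);` are leftover debug code and should be dropped before merging. The `fopen` result is never checked, so a failure dereferences NULL in `fprintf`; `curcgroup` is set to NULL on the line just above when `lxc_curcgroup` returns <= 1, which makes the `%s` undefined behaviour; and appending to a fixed, predictable path under the world-writable `/tmp` — with `fopen("a")` following symlinks — is a classic symlink-following hazard when `lxc-start` runs as root, besides leaking the host cgroup path to anyone who can read `/tmp/a`. If the trace is wanted, use the file's own logging instead: `DEBUG("curcgroup is %s", curcgroup ? curcgroup : "(none)");`. `lxc_spawn` continues outside this hunk.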
> @@ -776,7 +776,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf,
> handler->ops = ops;
> handler->data = data;
>
> - if (must_drop_cap_sys_boot()) {
> + if (must_drop_cap_sys_boot(handler->conf)) {
> #if HAVE_SYS_CAPABILITY_H
> DEBUG("Dropping cap_sys_boot\n");
> #else
> --
> 1.8.3.2
>
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com