[lxc-devel] [lxc/master] caps: skip file capability checks on android

Serge E. Hallyn serge at hallyn.com
Tue Apr 18 19:54:45 UTC 2017


Wouldn't it be better to have configure.ac check for the presence of
the function and store that as a separate HAVE_CAP_GET_FILE?

Quoting brauner on Github (lxc-bot at linuxcontainers.org):
> The following pull request was submitted through Github.
> It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1513
> 
> This e-mail was sent by the LXC bot, direct replies will not reach the author
> unless they happen to be subscribed to this list.
> 
> === Description (from pull-request) ===
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>

> From d6018f88cb5a7bd89ad8b7811879512a6181d236 Mon Sep 17 00:00:00 2001
> From: Christian Brauner <christian.brauner at ubuntu.com>
> Date: Mon, 17 Apr 2017 23:23:26 +0200
> Subject: [PATCH] caps: skip file capability checks on android
> 
> Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
> ---
>  src/lxc/caps.c | 5 +++++
>  src/lxc/conf.c | 6 +++++-
>  2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 705ac94..2d6a3b8 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -225,6 +225,10 @@ static bool lxc_cap_is_set(cap_t caps, cap_value_t cap, cap_flag_t flag)
>  
>  bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
>  {
> +	/* Android's bionic currently seems to lack support for cap_get_file(). */
> +	#if IS_BIONIC
> +	return true;
> +	#else
>  	bool cap_is_set;
>  	cap_t caps;
>  
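Review bot: the `#if IS_BIONIC` branch at the top of lxc_file_cap_is_set() returns true for every (path, cap, flag) query, so a capability the code could not inspect is reported exactly as a capability that is present; since callers use this answer to decide whether a binary is privileged, the safe default for "could not check" is false (or a distinct "unknown" result), never true. Keying the stub on IS_BIONIC rather than on whether cap_get_file() was found at configure time (a HAVE_CAP_GET_FILE define, as suggested above) would also keep it from being compiled on a bionic that later gains the function, and from being missed on another libc that lacks it.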
> @@ -243,6 +247,7 @@ bool lxc_file_cap_is_set(const char *path, cap_value_t cap, cap_flag_t flag)
>  	cap_is_set = lxc_cap_is_set(caps, cap, flag);
>  	cap_free(caps);
>  	return cap_is_set;
> +	#endif
>  }
>  
>  bool lxc_proc_cap_is_set(cap_value_t cap, cap_flag_t flag)
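Review bot: with the `#endif` placed just before the closing brace, everything between `#else` and `#endif` is compiled out on bionic, which leaves path, cap and flag unused on that path and will warn under -Wunused-parameter; add `(void)path; (void)cap; (void)flag;` in the bionic branch, or split the two bodies into separately guarded function definitions so the stub has no dead code after it.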
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 8cd5174..999f2eb 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -3353,7 +3353,7 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap)
>  		goto cleanup;
>  	}
>  
> -	#if HAVE_LIBCAP
> +	#if HAVE_LIBCAP && !IS_BIONIC
>  	/* Check if it has the CAP_SETUID capability. */
>  	if ((cap & CAP_SETUID) &&
>  	    lxc_file_cap_is_set(path, CAP_SETUID, CAP_EFFECTIVE) &&
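Review bot: with the guard changed to `#if HAVE_LIBCAP && !IS_BIONIC`, this call site never reaches lxc_file_cap_is_set() on bionic, so the IS_BIONIC stub added to that function in caps.c is dead for this caller; one of the two mechanisms is enough, and keeping only this guard avoids a library function that silently answers "set". Pre-existing, but worth fixing while touching the line: `cap & CAP_SETUID` treats CAP_SETUID as a bit mask, while `cap_value_t cap` holds a capability number (CAP_SETUID is 7, CAP_SETGID is 6), so `6 & 7` is non-zero and this CAP_SETUID branch is also entered for a CAP_SETGID query; `cap == CAP_SETUID` is what is meant.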
> @@ -3373,6 +3373,10 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap)
>  		fret = 1;
>  		goto cleanup;
>  	}
> +	#else
> +	DEBUG("Cannot check for file capabilites as full capability support is "
> +	      "missing. Manual intervention needed.");
> +	fret = 1;
>  	#endif
>  
>  cleanup:
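Review bot: the new `#else` branch sets `fret = 1` (reports the binary as privileged) precisely when no capability check was performed, which is fail-open; and because it pairs with `HAVE_LIBCAP && !IS_BIONIC`, it also changes non-bionic builds without libcap, which previously fell through to cleanup with fret untouched. If the intent is to let the user supply a tool that is known to be privileged, make that an explicit choice rather than the default; at minimum log it at WARN rather than DEBUG, since "Manual intervention needed" is a message the administrator must actually see, and fix the typo "capabilites" in the string.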

> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
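Serge's point above concerns detecting cap_get_file() at configure time; the patch instead answers "set" whenever the check cannot be made. As an added example that is not lxc's code and not part of this thread, the following Linux C program shows what a fallback for a libc without cap_get_file() can look like: it reads the security.capability xattr with getxattr(2) and decodes the kernel's vfs_cap_data layout itself, returning a distinct "not verified" result instead of a guess. It goes beyond the patch in handling all three xattr revisions. The fcap_* names, the enum and the sample byte blobs are this example's own constructions; the VFS_CAP_* constants and the CAP_SETUID/CAP_SETGID values mirror linux/capability.h.

```c
/*
 * Added example, not lxc code: a file-capability check that needs no
 * cap_get_file().  It reads the "security.capability" xattr and decodes
 * the kernel's vfs_cap_data layout, so it could serve as the fallback when
 * configure finds libcap but no cap_get_file().  The fcap_* names are this
 * example's own; the constants mirror linux/capability.h; the sample blobs
 * below are constructed by hand to match what setcap(8) stores.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u  /* one (perm,inh) pair: 12 bytes */
#define VFS_CAP_REVISION_2      0x02000000u  /* two pairs:           20 bytes */
#define VFS_CAP_REVISION_3      0x03000000u  /* two pairs + rootid:  24 bytes */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u  /* "effective" is one bit, not a set */
#define XATTR_CAPS_SZ_1 12
#define XATTR_CAPS_SZ_2 20
#define XATTR_CAPS_SZ_3 24
#define CAP_SETGID 6
#define CAP_SETUID 7

enum fcap_flag { FCAP_EFFECTIVE, FCAP_PERMITTED, FCAP_INHERITABLE };

static uint32_t le32_at(const unsigned char *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if cap is in the requested set, 0 if not, -1 if the blob is malformed
 * or of an unknown revision.  -1 means "not verified", never "set". */
int fcap_xattr_has(const unsigned char *buf, size_t len, int cap, enum fcap_flag flag)
{
	uint32_t magic, permitted, inheritable, set;
	size_t nwords, word;
	const unsigned char *pair;

	if (!buf || len < 4 || cap < 0 || cap > 63)
		return -1;
	magic = le32_at(buf);
	switch (magic & VFS_CAP_REVISION_MASK) {
	case VFS_CAP_REVISION_1: nwords = 1; if (len != XATTR_CAPS_SZ_1) return -1; break;
	case VFS_CAP_REVISION_2: nwords = 2; if (len != XATTR_CAPS_SZ_2) return -1; break;
	case VFS_CAP_REVISION_3: nwords = 2; if (len != XATTR_CAPS_SZ_3) return -1; break;
	default: return -1;
	}
	word = (size_t)cap / 32;
	if (word >= nwords)
		return 0; /* a revision-1 blob cannot carry caps >= 32: they are clear */
	pair = buf + 4 + word * 8;
	permitted = le32_at(pair);
	inheritable = le32_at(pair + 4);
	switch (flag) {
	case FCAP_PERMITTED:   set = permitted;   break;
	case FCAP_INHERITABLE: set = inheritable; break;
	case FCAP_EFFECTIVE:   /* libcap semantics: the bit raises perm|inh into effective */
		set = (magic & VFS_CAP_FLAGS_EFFECTIVE) ? (permitted | inheritable) : 0;
		break;
	default: return -1;
	}
	return (int)((set >> ((unsigned)cap % 32)) & 1u);
}

/* Path-based wrapper: -1 when the xattr is absent or unreadable (fail closed). */
int fcap_file_has(const char *path, int cap, enum fcap_flag flag)
{
	unsigned char buf[XATTR_CAPS_SZ_3];
	ssize_t n = getxattr(path, "security.capability", buf, sizeof(buf));

	return n < 0 ? -1 : fcap_xattr_has(buf, (size_t)n, cap, flag);
}

/* Constructed samples (revision 2): `setcap cap_setuid+ep` and `cap_setuid+p`. */
static const unsigned char sample_setuid_ep[XATTR_CAPS_SZ_2] = {
	0x01, 0x00, 0x00, 0x02, /* magic_etc: rev 2 | effective bit */
	0x80, 0x00, 0x00, 0x00, /* permitted[0]: bit 7 = CAP_SETUID */
	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };
static const unsigned char sample_setuid_p[XATTR_CAPS_SZ_2] = {
	0x00, 0x00, 0x00, 0x02, /* rev 2, effective bit clear */
	0x80, 0x00, 0x00, 0x00,
	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0 };

int main(int argc, char **argv)
{
	int r;

	if (argc > 1) { /* real file: needs a binary that carries file caps */
		r = fcap_file_has(argv[1], CAP_SETUID, FCAP_EFFECTIVE);
		printf("%s: CAP_SETUID effective: %s\n", argv[1],
		       r < 0 ? "unverified (no xattr)" : r ? "yes" : "no");
		return r == 1 ? 0 : 1;
	}
	printf("+ep effective=%d  +p effective=%d\n",
	       fcap_xattr_has(sample_setuid_ep, sizeof(sample_setuid_ep), CAP_SETUID, FCAP_EFFECTIVE),
	       fcap_xattr_has(sample_setuid_p, sizeof(sample_setuid_p), CAP_SETUID, FCAP_EFFECTIVE));
	return 0;
}
```

Build with `cc -Wall fcap.c -o fcap`; with no arguments it decodes the two constructed blobs, with a path it queries that file (a binary given caps with `setcap cap_setuid+ep` reports "yes"). The point of the three-valued return is the one raised against the patch: an unreadable or missing xattr must surface as "unverified", so the caller can refuse or warn rather than assume the binary is privileged.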
