[lxc-devel] [lxc/lxc] 4b826b: start: make us dumpable

GitHub noreply at github.com
Fri Dec 22 19:51:01 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 4b826b1fdc516c71c7222ef68a45c4f6ad964df1
      https://github.com/lxc/lxc/commit/4b826b1fdc516c71c7222ef68a45c4f6ad964df1
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-12-22 (Fri, 22 Dec 2017)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  start: make us dumpable

When we set{u,g}id() the kernel will make us undumpable. This is unnecessary
since we can guarantee that whatever is running inside the child process at
this point is fully trusted by the parent. Making us dumpable lets users
use debuggers on the child process before the exec as well and also allows us
to open /proc/<child-pid> files in lieu of the child.
Note that we only need to perform the prctl(PR_SET_DUMPABLE, ...) if our
effective uid on the host is not 0. If our effective uid on the host is 0 then
we will keep all capabilities in the child user namespace across set{g,u}id().

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 8bf3abfbd04670101dad7c2adc197a77054a3d70
      https://github.com/lxc/lxc/commit/8bf3abfbd04670101dad7c2adc197a77054a3d70
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2017-12-22 (Fri, 22 Dec 2017)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  start: simplify cgroup namespace preservation

Since we are now dumpable we can open /proc/<child-pid>/ns/cgroup so let's
avoid the overhead of sending around fds.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 715584350efc7ed459d8e86c8fbe4a090d1ba385
      https://github.com/lxc/lxc/commit/715584350efc7ed459d8e86c8fbe4a090d1ba385
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2017-12-22 (Fri, 22 Dec 2017)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  Merge pull request #2057 from brauner/2017-12-22/bugfixes

start: simplify cgroup namespace preservation


Compare: https://github.com/lxc/lxc/compare/150901398d4b...715584350efc

