[lxc-devel] [lxc/master] Split lxc_setup to unshare cgroup before capabilities drop
superboum on Github
lxc-bot at linuxcontainers.org
Mon May 29 21:15:08 UTC 2017
From 7143c2d0fc72987e30bd7103f19e372370ef8e81 Mon Sep 17 00:00:00 2001
From: Quentin Dufour <quentin at dufour.tk>
Date: Sun, 28 May 2017 23:11:24 +0200
Subject: [PATCH 1/2] Add a new hook named privileged-start
Signed-off-by: Quentin Dufour <quentin at dufour.io>
---
src/lxc/conf.c | 9 ++++++++-
src/lxc/conf.h | 3 ++-
src/lxc/confile.c | 3 +++
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 85805f975..038a6c213 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -239,7 +239,7 @@ extern int memfd_create(const char *name, unsigned int flags);
#endif
char *lxchook_names[NUM_LXC_HOOKS] = {
- "pre-start", "pre-mount", "mount", "autodev", "start", "stop", "post-stop", "clone", "destroy" };
+ "pre-start", "pre-mount", "mount", "autodev", "priv-start", "start", "stop", "post-stop", "clone", "destroy" };
typedef int (*instantiate_cb)(struct lxc_handler *, struct lxc_netdev *);
@@ -4227,6 +4227,11 @@ int lxc_setup(struct lxc_handler *handler)
return -1;
}
+ if (run_lxc_hooks(name, "priv-start", lxc_conf, lxcpath, NULL)) {
+ ERROR("failed to run privileged-start hooks for container '%s'.", name);
+ return -1;
+ }
+
if (!lxc_list_empty(&lxc_conf->keepcaps)) {
if (!lxc_list_empty(&lxc_conf->caps)) {
ERROR("Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both.");
@@ -4260,6 +4265,8 @@ int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf,
which = LXCHOOK_MOUNT;
else if (strcmp(hook, "autodev") == 0)
which = LXCHOOK_AUTODEV;
+ else if (strcmp(hook, "priv-start") == 0)
+ which = LXCHOOK_PRIVSTART;
else if (strcmp(hook, "start") == 0)
which = LXCHOOK_START;
else if (strcmp(hook, "stop") == 0)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index a0bb05b0a..f98596656 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -301,7 +301,8 @@ enum {
*/
enum lxchooks {
LXCHOOK_PRESTART, LXCHOOK_PREMOUNT, LXCHOOK_MOUNT, LXCHOOK_AUTODEV,
- LXCHOOK_START, LXCHOOK_STOP, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, LXCHOOK_DESTROY,
+ LXCHOOK_PRIVSTART, LXCHOOK_START, LXCHOOK_STOP, LXCHOOK_POSTSTOP,
+ LXCHOOK_CLONE, LXCHOOK_DESTROY,
NUM_LXC_HOOKS};
extern char *lxchook_names[NUM_LXC_HOOKS];
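Review bot: Inserting LXCHOOK_PRIVSTART in the middle of enum lxchooks renumbers LXCHOOK_START and every constant after it, and the only thing keeping the enum in step with `lxchook_names[]` in conf.c is that both edits were made at the same position by hand. Add a comment on the enum, `/* Order must match lxchook_names[] in conf.c; indices are positional. */`, so the next addition is not appended to one and inserted into the other, which would silently run the wrong hooks at a given stage. If any out-of-tree code stores or compares these numeric values (not visible here), appending the new constant before NUM_LXC_HOOKS instead would avoid the renumbering.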
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 4114e9fff..771589814 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -152,6 +152,7 @@ static struct lxc_config_t config[] = {
{ "lxc.hook.pre-mount", config_hook },
{ "lxc.hook.mount", config_hook },
{ "lxc.hook.autodev", config_hook },
+ { "lxc.hook.priv-start", config_hook },
{ "lxc.hook.start", config_hook },
{ "lxc.hook.stop", config_hook },
{ "lxc.hook.post-stop", config_hook },
@@ -1196,6 +1197,8 @@ static int config_hook(const char *key, const char *value,
return add_hook(lxc_conf, LXCHOOK_AUTODEV, copy);
else if (strcmp(key, "lxc.hook.mount") == 0)
return add_hook(lxc_conf, LXCHOOK_MOUNT, copy);
+ else if (strcmp(key, "lxc.hook.priv-start") == 0)
+ return add_hook(lxc_conf, LXCHOOK_PRIVSTART, copy);
else if (strcmp(key, "lxc.hook.start") == 0)
return add_hook(lxc_conf, LXCHOOK_START, copy);
else if (strcmp(key, "lxc.hook.stop") == 0)
From b9b548f9a03b6253881c19594b155d15ae87479d Mon Sep 17 00:00:00 2001
From: Quentin Dufour <quentin at dufour.tk>
Date: Mon, 29 May 2017 22:42:33 +0200
Subject: [PATCH 2/2] Split lxc_setup to unshare cgroup before capabilities
drop
This is needed to run systemd without CAP_SYS_ADMIN on a kernel that supports cgroup namespaces.
Signed-off-by: Quentin Dufour <quentin at dufour.io>
---
src/lxc/conf.c | 12 +++++++++++-
src/lxc/conf.h | 1 +
src/lxc/start.c | 6 ++++++
3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 038a6c213..1770a2d60 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -4227,6 +4227,16 @@ int lxc_setup(struct lxc_handler *handler)
return -1;
}
+ NOTICE("'%s' is setup.", name);
+
+ return 0;
+}
+
+int lxc_late_setup(struct lxc_handler *handler) {
+ const char *name = handler->name;
+ struct lxc_conf *lxc_conf = handler->conf;
+ const char *lxcpath = handler->lxcpath;
+
if (run_lxc_hooks(name, "priv-start", lxc_conf, lxcpath, NULL)) {
ERROR("failed to run privileged-start hooks for container '%s'.", name);
return -1;
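Review bot: The split makes the capability drop fail-open: lxc_setup now returns with the container still fully capable, and lxc.cap.drop/keep (and the priv-start hooks) are applied only if the caller also remembers to call lxc_late_setup, whereas before a single call did both. Nothing in either function enforces the pairing, so a second caller of lxc_setup, or an early `goto` between the two calls in do_start, would silently yield a container running with the full capability set. At minimum state the contract above lxc_late_setup, e.g. `/* Must follow lxc_setup() and any unshare() that still needs CAP_SYS_ADMIN (CLONE_NEWCGROUP); runs priv-start hooks, then applies lxc.cap.drop/keep. Skipping it leaves all capabilities. */`; a stronger fix is a flag in the handler set here and checked by do_start before it execs init. The body of lxc_late_setup continues past the end of this hunk.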
@@ -4246,7 +4256,7 @@ int lxc_setup(struct lxc_handler *handler)
return -1;
}
- NOTICE("'%s' is setup.", name);
+ NOTICE("'%s' late setup is done.", name);
return 0;
}
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index f98596656..e3d2892ab 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -465,6 +465,7 @@ extern int do_rootfs_setup(struct lxc_conf *conf, const char *name,
struct cgroup_process_info;
extern int lxc_setup(struct lxc_handler *handler);
+extern int lxc_late_setup(struct lxc_handler *handler);
extern int setup_resource_limits(struct lxc_list *limits, pid_t pid);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index f1b3f8e11..0bff544b0 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -850,6 +850,12 @@ static int do_start(void *data)
INFO("Unshared CLONE_NEWCGROUP.");
}
+ /* Finish container's setup (keep/drop capabilities) */
+ if (lxc_late_setup(handler)) {
+ ERROR("Failed to setup container \"%s\".", handler->name);
+ goto out_warn_father;
+ }
+
/* Set the label to change to when we exec(2) the container's init. */
if (lsm_process_label_set(NULL, handler->conf, 1, 1) < 0)
goto out_warn_father;
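Review bot: lxc_late_setup, and with it the priv-start hooks, is now invoked before `lsm_process_label_set(NULL, handler->conf, 1, 1)` on the following lines, so if that call installs the container's AppArmor/SELinux label for the next exec(2) (its on-exec arguments suggest so, but the function is outside this hunk) the hook programs run unconfined, with the full capability set, from inside the container's namespaces. If that is intended, say so at the call site, e.g. `/* priv-start hooks run with full caps and before the LSM label is applied; they must point at trusted binaries. */`; otherwise move the call below the label set, provided the unshare(CLONE_NEWCGROUP) above still precedes the capability drop. The failure path reuses out_warn_father, consistent with the neighbouring error handling. do_start starts and ends outside this hunk.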