[lxc-devel] [lxd/master] shared/idmap: test fcaps support

[brauner on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180817/7726d295/attachment.bin>
-------------- next part --------------
From 372918f2d9c0119f0cbc6dc4f00580cb779b99d5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 17 Aug 2018 17:03:23 +0200
Subject: [PATCH] shared/idmap: test fcaps support

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 shared/idmap/idmapset_linux.go | 11 ++++++---
 shared/idmap/shift_linux.go    | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index ea3779384..d31ff9da7 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -543,12 +543,17 @@ func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how stri
 				// Shift capabilities
 				if len(caps) != 0 {
 					rootUid := int64(0)
+					v3Caps := true
 					if how == "in" {
 						rootUid, _ = set.ShiftIntoNs(0, 0)
+						v3Caps = supportsV3Fcaps()
 					}
-					err = SetCaps(path, caps, rootUid)
-					if err != nil {
-						logger.Warnf("Unable to set file capabilities on %s", path)
+
+					if how != "in" || v3Caps {
+						err = SetCaps(path, caps, rootUid)
+						if err != nil {
+							logger.Warnf("Unable to set file capabilities on %s", path)
+						}
 					}
 				}
 			}
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index 920789a4c..83f2b5aa4 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
@@ -5,6 +5,8 @@ package idmap
 
 import (
 	"fmt"
+	"io/ioutil"
+	"os"
 	"unsafe"
 
 	"github.com/lxc/lxd/shared"
@@ -70,6 +72,20 @@ int set_vfs_ns_caps(char *path, char *caps, ssize_t len, uint32_t uid)
 	return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0);
 }
 
+int set_dummy_fs_ns_caps(const char *path)
+{
+	#define __raise_cap_permitted(x, ns_cap_data)   ns_cap_data.data[(x)>>5].permitted   |= (1<<((x)&31))
+
+	struct vfs_ns_cap_data ns_xattr;
+
+	memset(&ns_xattr, 0, sizeof(ns_xattr));
+        __raise_cap_permitted(CAP_NET_RAW, ns_xattr);
+	ns_xattr.magic_etc |= VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE;
+	ns_xattr.rootid = BE32_TO_LE32(1000000);
+
+	return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0);
+}
+
 int shiftowner(char *basepath, char *path, int uid, int gid)
 {
 	int fd, ret;
@@ -279,3 +295,32 @@ func shiftAclType(path string, aclType _Ctype_acl_type_t, shiftIds func(uid int6
 
 	return nil
 }
+
+func supportsV3Fcaps() bool {
+	tmpfile, err := ioutil.TempFile("", ".lxd_fcaps_v3_")
+	if err != nil {
+		return false
+	}
+	defer tmpfile.Close()
+	defer os.Remove(tmpfile.Name())
+
+	err = os.Chmod(tmpfile.Name(), 0001)
+	if err != nil {
+		return false
+	}
+
+	cpath := C.CString(tmpfile.Name())
+	defer C.free(unsafe.Pointer(cpath))
+
+	r := C.set_dummy_fs_ns_caps(cpath)
+	if r != 0 {
+		return false
+	}
+
+	_, err = shared.RunCommand(tmpfile.Name())
+	if err != nil {
+		return false
+	}
+
+	return true
+}