[lxc-devel] [lxd/master] proxy: add non-abstract unix socket DAC properties
brauner on Github
lxc-bot at linuxcontainers.org
Tue Jul 3 10:33:49 UTC 2018
From b1c982ad65b50bb228f7d3833cd669735627f3f7 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 3 Jul 2018 12:26:45 +0200
Subject: [PATCH 1/2] proxy: add non-abstract unix socket DAC properties
Closes #4718.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
lxd/container.go | 16 ++++++++++++++--
lxd/container_lxc.go | 5 ++++-
lxd/main_forkproxy.go | 44 +++++++++++++++++++++++++++++++++++++++++++-
lxd/proxy_device_utils.go | 22 ++++++++++++++--------
4 files changed, 75 insertions(+), 12 deletions(-)
diff --git a/lxd/container.go b/lxd/container.go
index b5ee111a8..07d8effbc 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -227,11 +227,17 @@ func containerValidDeviceConfigKey(t, k string) bool {
}
case "proxy":
switch k {
- case "listen":
+ case "bind":
+ return true
+ case "gid":
return true
case "connect":
return true
- case "bind":
+ case "listen":
+ return true
+ case "mode":
+ return true
+ case "uid":
return true
default:
return false
@@ -458,6 +464,12 @@ func containerValidDevices(db *db.Cluster, devices types.Devices, profile bool,
if m["connect"] == "" {
return fmt.Errorf("Proxy device entry is missing the required \"connect\" property.")
}
+
+ if (!strings.HasPrefix(m["listen"], "unix:") ||
+ (strings.HasPrefix(m["listen"], "unix:") && strings.HasPrefix(m["listen"][len("unix:"):], "@"))) &&
+ (m["uid"] != "" || m["gid"] != "" || m["mode"] != "") {
+ return fmt.Errorf("Only proxy devices for non-abstract unix sockets can carry gid, uid, or mode properties")
+ }
} else if m["type"] == "none" {
continue
} else {
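Review bot: The new check on the `unix:` / `@` prefix repeats `strings.HasPrefix(m["listen"], "unix:")` inside the second disjunct, where it is already implied by the first disjunct being false; the condition reads more clearly as `if (!strings.HasPrefix(m["listen"], "unix:") || strings.HasPrefix(strings.TrimPrefix(m["listen"], "unix:"), "@")) && (m["uid"] != "" || m["gid"] != "" || m["mode"] != "") {`. The values of uid, gid and mode themselves are not checked here, so a non-numeric value (or a mode outside 0-0777) is accepted into the device config and only surfaces when forkproxy parses its arguments at device start; a `strconv` check on each non-empty value in this branch would reject it at config time with a clear message. containerValidDevices starts before and ends after this hunk.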
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 77b53cb36..5d647dd9d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -6861,7 +6861,10 @@ func (c *containerLXC) insertProxyDevice(devName string, m types.Device) error {
proxyValues.connectPid,
proxyValues.connectAddr,
logPath,
- pidPath)
+ pidPath,
+ proxyValues.listenAddrGid,
+ proxyValues.listenAddrUid,
+ proxyValues.listenAddrMode)
if err != nil {
return fmt.Errorf("Error occurred when starting proxy device: %s", err)
}
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 9d5edb08d..0edcc47f8 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -442,6 +442,8 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
}
if C.whoami == C.FORKPROXY_CHILD {
+ defer syscall.Close(forkproxyUDSSockFDNum)
+
if lAddr.connType == "unix" && !lAddr.abstract {
err := os.Remove(lAddr.addr[0])
if err != nil && !os.IsNotExist(err) {
@@ -467,7 +469,47 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
file.Close()
}
- syscall.Close(forkproxyUDSSockFDNum)
+ if lAddr.connType == "unix" && !lAddr.abstract {
+ var err error
+
+ listenAddrGid := -1
+ if args[6] != "" {
+ listenAddrGid, err = strconv.Atoi(args[6])
+ if err != nil {
+ return err
+ }
+ }
+
+ listenAddrUid := -1
+ if args[7] != "" {
+ listenAddrUid, err = strconv.Atoi(args[7])
+ if err != nil {
+ return err
+ }
+ }
+
+ if listenAddrGid != -1 || listenAddrUid != -1 {
+ err = os.Chown(lAddr.addr[0], listenAddrUid, listenAddrGid)
+ if err != nil {
+ return err
+ }
+ }
+
+ var listenAddrMode os.FileMode
+ if args[8] != "" {
+ tmp, err := strconv.Atoi(args[8])
+ if err != nil {
+ return err
+ }
+
+ listenAddrMode = os.FileMode(tmp)
+ err = os.Chmod(lAddr.addr[0], listenAddrMode)
+ if err != nil {
+ return err
+ }
+ }
+ }
+
return err
}
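Review bot: The mode at `tmp, err := strconv.Atoi(args[8])` is parsed as base 10 and cast straight to os.FileMode, so a value written the way operators write socket modes, e.g. "0660", becomes decimal 660 (octal 1224): the sticky bit is set, owner and group lose read, and others gain it, and nothing rejects values above 0777. Parsing as octal with a width that bounds the result fixes both: `tmp, err := strconv.ParseUint(args[8], 8, 32)` and then `listenAddrMode = os.FileMode(tmp)`, with an explicit `tmp > 0777` rejection if non-permission bits are not meant to be settable. The chown/chmod also run after the listener has presumably been created (the bind is not in this hunk), which leaves a short window where the socket exists with the umask-derived mode; if that matters, setting a restrictive umask before the bind and relaxing via chmod afterwards closes it. Run starts outside this hunk.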
diff --git a/lxd/proxy_device_utils.go b/lxd/proxy_device_utils.go
index 2c8591bf5..30733af2b 100644
--- a/lxd/proxy_device_utils.go
+++ b/lxd/proxy_device_utils.go
@@ -14,10 +14,13 @@ import (
)
type proxyProcInfo struct {
- listenPid string
- connectPid string
- connectAddr string
- listenAddr string
+ listenPid string
+ connectPid string
+ connectAddr string
+ listenAddr string
+ listenAddrGid string
+ listenAddrUid string
+ listenAddrMode string
}
func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo, error) {
@@ -54,10 +57,13 @@ func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo,
}
p := &proxyProcInfo{
- listenPid: listenPid,
- connectPid: connectPid,
- connectAddr: connectAddr,
- listenAddr: listenAddr,
+ listenPid: listenPid,
+ connectPid: connectPid,
+ connectAddr: connectAddr,
+ listenAddr: listenAddr,
+ listenAddrGid: device["gid"],
+ listenAddrUid: device["uid"],
+ listenAddrMode: device["mode"],
}
return p, nil
From f8bb52455383bb0fdf6937d04b32d8ac235de51e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 3 Jul 2018 12:29:50 +0200
Subject: [PATCH 2/2] api: proxy_unix_dac_properties
Closes #4718.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
doc/api-extensions.md | 3 +++
shared/version/api.go | 1 +
2 files changed, 4 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 0b9d7779f..bb9f921d5 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -533,3 +533,6 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
* `GET /1.0/networks/<name>/state`
+## proxy\_unix\_dac\_properties
+This adds support for gid, uid, and mode properties for non-abstract unix
+sockets.
diff --git a/shared/version/api.go b/shared/version/api.go
index 3c23bf0dc..ae15abe9a 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -111,6 +111,7 @@ var APIExtensions = []string{
"clustering_join",
"proxy_tcp_udp_multi_port_handling",
"network_state",
+ "proxy_unix_dac_properties",
}
// APIExtensionsCount returns the number of available API extensions.