[lxc-devel] [lxd/master] forksyscall: protect CLONE_NEWCGROUP with ifdef

brauner on Github lxc-bot at linuxcontainers.org
Tue Jul 16 23:16:55 UTC 2019


From ba9035dda94b234a198c79bf988e629e758a012c Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 17 Jul 2019 01:15:46 +0200
Subject: [PATCH] forksyscall: protect CLONE_NEWCGROUP with ifdef
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Link: https://launchpadlibrarian.net/433373076/buildlog_snap_ubuntu_xenial_amd64_lxd-latest-edge_BUILDING.txt.gz
Reported-by: Stéphane Graber <stgraber at ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forksyscall.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 075e4e1e51..d59945da9f 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -267,10 +267,12 @@ static bool change_creds(int ns_fd, cap_t caps, uid_t nsuid, gid_t nsgid)
 		return false;
 	close(fd);
 
+#ifdef CLONE_NEWCGROUP
 	fd = openat(ns_fd, "cgroup", O_RDONLY | O_CLOEXEC);
 	if (setns(fd, CLONE_NEWCGROUP))
 		return false;
 	close(fd);
+#endif
 
 	fd = openat(ns_fd, "ipc", O_RDONLY | O_CLOEXEC);
 	if (setns(fd, CLONE_NEWIPC))
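
Review bot: With the `#ifdef CLONE_NEWCGROUP` guard around the cgroup block, a build against headers that lack the constant compiles the step out silently. change_creds() then proceeds to the ipc namespace without joining the target's cgroup namespace, even if the kernel it later runs on supports cgroup namespaces. Consider a local fallback `#define` for CLONE_NEWCGROUP when the headers do not provide it, and skip the step at run time only when the `cgroup` entry under ns_fd is absent; at minimum, a comment at the `#ifdef` should say the cgroup namespace is intentionally not entered on such builds. Separately, in the guarded lines the `openat()` result is passed to `setns()` unchecked and `fd` is not closed on the `return false` path.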

