[lxc-devel] [lxc/master] tree-wide: improve setgroups() dropping
brauner on Github
lxc-bot at linuxcontainers.org
Wed Feb 12 23:17:59 UTC 2020
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 460 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200212/5a995f50/attachment-0001.bin>
-------------- next part --------------
From b58214ac30bd8f0a25ef22f4ac5a72676df1f8e7 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 13 Feb 2020 00:16:15 +0100
Subject: [PATCH] tree-wide: improve setgroups() dropping
Drop groups before we change to userns root.
Reported-by: Teddy Reed <teddy.reed at gmail.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/attach.c | 6 +++---
src/lxc/cgroups/cgfsng.c | 14 ++++++--------
src/lxc/lxccontainer.c | 5 ++---
src/lxc/start.c | 12 ++++++------
src/lxc/storage/btrfs.c | 5 ++---
src/lxc/storage/storage_utils.c | 5 ++---
6 files changed, 21 insertions(+), 26 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 5c50e1a109..7b07dce440 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -769,6 +769,9 @@ static int attach_child_main(struct attach_clone_payload *payload)
goto on_error;
}
+ if (!lxc_setgroups(0, NULL) && errno != EPERM)
+ goto on_error;
+
if (options->namespaces & CLONE_NEWUSER) {
/* Check whether nsuid 0 has a mapping. */
ns_root_uid = get_ns_uid(0);
@@ -789,9 +792,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
goto on_error;
}
- if (!lxc_setgroups(0, NULL) && errno != EPERM)
- goto on_error;
-
/* Set {u,g}id. */
if (options->uid != LXC_INVALID_UID)
new_uid = options->uid;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 9751fb7612..3e5345b62d 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1027,6 +1027,9 @@ static int cgroup_rmdir_wrapper(void *data)
gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid;
int ret;
+ if (!lxc_setgroups(0, NULL) && errno != EPERM)
+ return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
+
ret = setresgid(nsgid, nsgid, nsgid);
if (ret < 0)
return log_error_errno(-1, errno,
@@ -1039,10 +1042,6 @@ static int cgroup_rmdir_wrapper(void *data)
"Failed to setresuid(%d, %d, %d)",
(int)nsuid, (int)nsuid, (int)nsuid);
- ret = setgroups(0, NULL);
- if (ret < 0 && errno != EPERM)
- return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
-
return cgroup_rmdir(arg->hierarchies, arg->container_cgroup);
}
@@ -1494,6 +1493,9 @@ static int chown_cgroup_wrapper(void *data)
uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid;
gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid;
+ if (!lxc_setgroups(0, NULL) && errno != EPERM)
+ return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
+
ret = setresgid(nsgid, nsgid, nsgid);
if (ret < 0)
return log_error_errno(-1, errno,
@@ -1506,10 +1508,6 @@ static int chown_cgroup_wrapper(void *data)
"Failed to setresuid(%d, %d, %d)",
(int)nsuid, (int)nsuid, (int)nsuid);
- ret = setgroups(0, NULL);
- if (ret < 0 && errno != EPERM)
- return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
-
destuid = get_ns_uid(arg->origuid);
if (destuid == LXC_INVALID_UID)
destuid = 0;
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 15c5ec9031..55e391870a 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -3660,6 +3660,8 @@ static int clone_update_rootfs(struct clone_update_data *data)
/* update hostname in rootfs */
/* we're going to mount, so run in a clean namespace to simplify cleanup */
+ (void)lxc_setgroups(0, NULL);
+
if (setgid(0) < 0) {
ERROR("Failed to setgid to 0");
return -1;
@@ -3670,9 +3672,6 @@ static int clone_update_rootfs(struct clone_update_data *data)
return -1;
}
- if (setgroups(0, NULL) < 0)
- WARN("Failed to clear groups");
-
if (unshare(CLONE_NEWNS) < 0)
return -1;
diff --git a/src/lxc/start.c b/src/lxc/start.c
index d70ffdf0e6..b727e3ab9b 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1198,9 +1198,6 @@ static int do_start(void *data)
if (!handler->conf->root_nsgid_map)
nsgid = handler->conf->init_gid;
- if (!lxc_switch_uid_gid(nsuid, nsgid))
- goto out_warn_father;
-
/* Drop groups only after we switched to a valid gid in the new
* user namespace.
*/
@@ -1208,6 +1205,9 @@ static int do_start(void *data)
(handler->am_root || errno != EPERM))
goto out_warn_father;
+ if (!lxc_switch_uid_gid(nsuid, nsgid))
+ goto out_warn_father;
+
ret = prctl(PR_SET_DUMPABLE, prctl_arg(1), prctl_arg(0),
prctl_arg(0), prctl_arg(0));
if (ret < 0)
@@ -1447,9 +1447,6 @@ static int do_start(void *data)
if (new_gid == nsgid)
new_gid = LXC_INVALID_GID;
- if (!lxc_switch_uid_gid(new_uid, new_gid))
- goto out_warn_father;
-
/* If we are in a new user namespace we already dropped all groups when
* we switched to root in the new user namespace further above. Only
* drop groups if we can, so ensure that we have necessary privilege.
@@ -1461,6 +1458,9 @@ static int do_start(void *data)
if (!lxc_setgroups(0, NULL))
goto out_warn_father;
+ if (!lxc_switch_uid_gid(new_uid, new_gid))
+ goto out_warn_father;
+
ret = lxc_ambient_caps_down();
if (ret < 0) {
ERROR("Failed to clear ambient capabilities");
diff --git a/src/lxc/storage/btrfs.c b/src/lxc/storage/btrfs.c
index 160dc6df30..be66aef775 100644
--- a/src/lxc/storage/btrfs.c
+++ b/src/lxc/storage/btrfs.c
@@ -374,14 +374,13 @@ int btrfs_snapshot_wrapper(void *data)
const char *src;
struct rsync_data_char *arg = data;
+ (void)lxc_setgroups(0, NULL);
+
if (setgid(0) < 0) {
ERROR("Failed to setgid to 0");
return -1;
}
- if (setgroups(0, NULL) < 0)
- WARN("Failed to clear groups");
-
if (setuid(0) < 0) {
ERROR("Failed to setuid to 0");
return -1;
diff --git a/src/lxc/storage/storage_utils.c b/src/lxc/storage/storage_utils.c
index 6132113f20..79ee62ecbd 100644
--- a/src/lxc/storage/storage_utils.c
+++ b/src/lxc/storage/storage_utils.c
@@ -465,14 +465,13 @@ int storage_destroy_wrapper(void *data)
{
struct lxc_conf *conf = data;
+ (void)lxc_setgroups(0, NULL);
+
if (setgid(0) < 0) {
SYSERROR("Failed to setgid to 0");
return -1;
}
- if (setgroups(0, NULL) < 0)
- SYSWARN("Failed to clear groups");
-
if (setuid(0) < 0) {
SYSERROR("Failed to setuid to 0");
return -1;
More information about the lxc-devel
mailing list