[lxc-devel] [lxc/master] attach: set no_new_privs flag after LSM label

alivenets on Github lxc-bot at linuxcontainers.org
Mon Jun 29 22:56:28 UTC 2020


From 6ce8e67825258fe8a38b057b1459a4f35e4b39bb Mon Sep 17 00:00:00 2001
From: Alexander Livenets <a.livenets at gmail.com>
Date: Tue, 30 Jun 2020 00:06:20 +0200
Subject: [PATCH] attach: set no_new_privs flag after LSM label

In `start.c:1284`, the no_new_privs flag is set after the LSM label is set.
Also, in the `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving the
`PR_SET_NO_NEW_PRIVS` logic to after the LSM for the process is configured.

Closes #3393

Signed-off-by: Alexander Livenets <a.livenets at gmail.com>
---
 src/lxc/attach.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 38e16f2d1e..4cd4f4175a 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -770,17 +770,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
 	else
 		new_gid = ns_root_gid;
 
-	if ((init_ctx->container && init_ctx->container->lxc_conf &&
-	     init_ctx->container->lxc_conf->no_new_privs) ||
-	    (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
-		ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
-			    prctl_arg(0), prctl_arg(0));
-		if (ret < 0)
-			goto on_error;
-
-		TRACE("Set PR_SET_NO_NEW_PRIVS");
-	}
-
 	if (needs_lsm) {
 		bool on_exec;
 
@@ -795,6 +784,17 @@ static int attach_child_main(struct attach_clone_payload *payload)
 		TRACE("Set %s LSM label to \"%s\"", lsm_name(), init_ctx->lsm_label);
 	}
 
+	if ((init_ctx->container && init_ctx->container->lxc_conf &&
+	     init_ctx->container->lxc_conf->no_new_privs) ||
+	    (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
+		ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
+		if (ret < 0)
+			goto on_error;
+
+		TRACE("Set PR_SET_NO_NEW_PRIVS");
+	}
+
 	if (init_ctx->container && init_ctx->container->lxc_conf &&
 	    init_ctx->container->lxc_conf->seccomp.seccomp) {
 		struct lxc_conf *conf = init_ctx->container->lxc_conf;
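Review bot: the `on_exec` case (the `bool on_exec;` in the LSM branch above) is not fully covered by this move: if, as the name suggests, the label change is only armed here and takes effect at the later exec, that transition still happens after the `prctl(PR_SET_NO_NEW_PRIVS, ...)` below, so the commit message should say whether that path is intended to be addressed or left as is. Two smaller points in the re-added block: the `if (ret < 0) goto on_error;` carries no `SYSERROR("Failed to set PR_SET_NO_NEW_PRIVS")`, so a failure here is hard to diagnose from the log, and the `init_ctx->container && init_ctx->container->lxc_conf &&` guard is now written out twice in a row (here and in the seccomp block that follows); a single `struct lxc_conf *conf` lookup ahead of both would read better. Keeping the prctl ahead of the seccomp block is correct, since an unprivileged filter load needs no_new_privs.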


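As an added illustration of why the order matters (this is example code written for this page, not part of the patch or of LXC), the following C program exercises the two kernel properties the move relies on: once `PR_SET_NO_NEW_PRIVS` is set it cannot be cleared and is inherited by every child and exec, so any step that still needs a privilege or domain transition has to run before it; and an unprivileged seccomp filter load is only accepted once the bit is set, so the prctl must stay ahead of the seccomp block. It assumes a Linux kernel with seccomp filter support; all function names are this example's own and the "LSM step" is only marked by a comment, no real label change is performed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the calling thread's no_new_privs bit: 1 set, 0 clear, -1 on error. */
int nnp_get(void)
{
	return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the bit the way attach.c does. 0 on success, -1 on error. */
int nnp_set(void)
{
	return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Try to clear the bit again. The kernel accepts only arg2 == 1, so this
 * returns EINVAL: the bit is one-way, which is why a step that still needs
 * a privilege or domain transition (the LSM label in lxc_attach) must run
 * before nnp_set(). Returns 0 only if clearing unexpectedly worked. */
int nnp_try_clear(void)
{
	if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
		return 0;
	return errno;
}

/* Fork and report the child's view of the bit via its exit status:
 * 1 if inherited, 0 if not, -1 on error. The bit survives fork and exec,
 * so whatever command the attached process later runs is covered too. */
int nnp_inherited_by_child(void)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(nnp_get() == 1 ? 1 : 0);
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

/* Install a one-instruction allow-everything seccomp filter. Without
 * CAP_SYS_ADMIN the kernel refuses this with EACCES unless no_new_privs
 * is already set, which is why attach.c keeps the prctl ahead of the
 * seccomp block that follows the moved code. Returns 0 or errno. */
int seccomp_load_allow_all(void)
{
	struct sock_filter allow = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
	struct sock_fprog prog = { .len = 1, .filter = &allow };

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == 0)
		return 0;
	return errno;
}

int main(void)
{
	printf("no_new_privs at start       : %d\n", nnp_get());
	/* In lxc_attach the AppArmor/SELinux label change belongs here,
	 * while the bit is still clear (hypothetical marker, nothing is done). */
	if (nnp_set() < 0) {
		perror("PR_SET_NO_NEW_PRIVS");
		return 1;
	}
	printf("no_new_privs after prctl    : %d\n", nnp_get());
	printf("clearing it again -> errno  : %d (EINVAL is %d)\n",
	       nnp_try_clear(), EINVAL);
	printf("inherited by forked child   : %d\n", nnp_inherited_by_child());
	printf("seccomp filter load -> errno: %d\n", seccomp_load_allow_all());
	return 0;
}
```

Build with `cc -Wall -o nnp_order nnp_order.c` and run as an unprivileged user; running the seccomp load before instead of after `nnp_set()` in `main()` turns the last line into `EACCES`, which is the same constraint the seccomp block in `attach.c` depends on.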