[lxc-devel] [lxc/master] lxc-attach: Enable setting the SELinux context
blenk92 on Github
lxc-bot at linuxcontainers.org
Tue Oct 27 16:00:57 UTC 2020
From d5cfc7dc486d3a3dcf3d56d78d1edef8efa39b00 Mon Sep 17 00:00:00 2001
From: Maximilian Blenk <Maximilian.Blenk at bmw.de>
Date: Tue, 27 Oct 2020 10:38:44 +0100
Subject: [PATCH] lxc-attach: Enable setting the SELinux context
Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (this can be used to override the
context set in the config file). If the option is not used, behaviour
is unchanged.
---
src/lxc/attach.c | 5 +++--
src/lxc/attach_options.h | 3 +++
src/lxc/tools/lxc_attach.c | 10 ++++++++++
3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 9528d54064..13224805c3 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -657,6 +657,7 @@ static int attach_child_main(struct attach_clone_payload *payload)
bool needs_lsm = (options->namespaces & CLONE_NEWNS) &&
(options->attach_flags & LXC_ATTACH_LSM) &&
init_ctx->lsm_label;
+ char *lsm_label = NULL;
/* A description of the purpose of this functionality is provided in the
* lxc-attach(1) manual page. We have to remount here and not in the
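Review bot: `needs_lsm` is still computed from `init_ctx->lsm_label` alone, so a label supplied through the new `options->lsm_label` (used in the next hunk) is silently ignored whenever the container config sets no LSM label, and the caller gets no error for a context that was never applied. If the label-switching path further down is gated on this flag (it is outside the visible hunks), the condition should also consider the caller's label: `(options->lsm_label || init_ctx->lsm_label);`. A short comment above it, `/* a caller-supplied label counts even if the container config has none */`, would make the intent clear. attach_child_main starts before this hunk and continues past it.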
@@ -778,9 +779,9 @@ static int attach_child_main(struct attach_clone_payload *payload)
/* Change into our new LSM profile. */
on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-
+ lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;
ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd,
- init_ctx->lsm_label, on_exec);
+ lsm_label, on_exec);
close(lsm_fd);
if (ret < 0)
goto on_error;
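Review bot: The override at `lsm_label = options->lsm_label ? ... ` treats any non-NULL pointer as a request, so an empty string (e.g. `--context=` on the command line) is forwarded to `process_label_set_at` instead of falling back to the container's label. Treating empty as unset keeps the fallback meaningful: `lsm_label = (options->lsm_label && options->lsm_label[0]) ? options->lsm_label : init_ctx->lsm_label;`. Since the caller's value now replaces the label from the container configuration, a comment such as `/* caller-provided label takes precedence over the one from the container's config */` would help the next reader see that this is deliberate. The enclosing function continues outside the hunk.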
diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index 63e62d4ff0..cdcd8f8ece 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -113,6 +113,9 @@ typedef struct lxc_attach_options_t {
/*! File descriptor to log output. */
int log_fd;
+
+ /*! lsm label to set. */
+ char *lsm_label;
} lxc_attach_options_t;
/*! Default attach options to use */
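Review bot: The new public field is under-documented: `/*! lsm label to set. */` does not say what NULL means, who owns the string, or that it is not SELinux-specific. In attach.c the pointer is used directly without being copied, so something like `/*! LSM label (e.g. SELinux context) to attach with; NULL means use the label from the container's init context. The string is not copied and must outlive the attach call. */` states the contract callers need. Because `lxc_attach_options_t` is a public struct and the default initializer follows right after this hunk, it is worth confirming that `LXC_ATTACH_OPTIONS_DEFAULT` (not visible here) leaves the new member NULL.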
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index a8f493aa71..7c70eae51e 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -59,6 +59,7 @@ static char **extra_env;
static ssize_t extra_env_size;
static char **extra_keep;
static ssize_t extra_keep_size;
+static char *selinux_context = NULL;
static const struct option my_longopts[] = {
{"elevated-privileges", optional_argument, 0, 'e'},
@@ -74,6 +75,7 @@ static const struct option my_longopts[] = {
{"rcfile", required_argument, 0, 'f'},
{"uid", required_argument, 0, 'u'},
{"gid", required_argument, 0, 'g'},
+ {"context", required_argument, 0, 'c'},
LXC_COMMON_OPTIONS
};
@@ -126,6 +128,8 @@ Options :\n\
Load configuration file FILE\n\
-u, --uid=UID Execute COMMAND with UID inside the container\n\
-g, --gid=GID Execute COMMAND with GID inside the container\n\
+ -c, --context=context\n\
+ SELinux Context to transition into\n\
",
.options = my_longopts,
.parser = my_parser,
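Review bot: The help text for the new option breaks the convention of the surrounding lines, which use an upper-case placeholder (`FILE`, `UID`, `GID`) and keep the description on the same line; `-c, --context=CONTEXT   SELinux context to transition into\n\` would match. The option is stored in `selinux_context` (hunk at the top of this file) but is handed to the generic `lsm_label` field, which attach.c routes through `lsm_ops`, so it presumably applies to whichever LSM is active rather than only SELinux; naming the variable `lsm_label` and wording the help accordingly would avoid promising more than the code checks.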
@@ -201,6 +205,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
if (lxc_safe_uint(arg, &args->gid) < 0)
return -1;
break;
+ case 'c':
+ selinux_context = arg;
+ break;
}
return 0;
@@ -353,6 +360,9 @@ int main(int argc, char *argv[])
if (my_args.gid != LXC_INVALID_GID)
attach_options.gid = my_args.gid;
+ // selinux_context will be NULL if not set
+ attach_options.lsm_label = selinux_context;
+
if (command.program) {
ret = c->attach_run_wait(c, &attach_options, command.program,
(const char **)command.argv);
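Review bot: The comment on the new assignment uses `//` while the rest of this patch (and attach.c) uses `/* */` block comments, so `/* selinux_context is NULL when --context was not given */` would match the file's style. It would also be useful to state here that a non-NULL value overrides the label from the container configuration, since that is the behavioural change this line introduces. main continues outside the hunk.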