[Lxc-users] [lxc-devel] [PATCH 1/1] Fix lxc's handling of CAP_LAST_CAP
Stéphane Graber
stgraber at ubuntu.com
Fri Jun 29 15:53:06 UTC 2012
On 06/29/2012 11:41 AM, Serge Hallyn wrote:
> The following patch allows me to run lxc-execute -n p1 -- /bin/ls
> as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git.
> Thanks, Sam, for pointing this out.
>
> CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel
> actually supports. If the kernel supports fewer capabilities, then a
> cap_get_flag for an unsupported capability returns -EINVAL.
>
> Recognize that, and don't fail when initializing capabilities when this
> happens, rather accept that we've reached the last capability.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> Reported-by: Sam Wang <zhefwang at gmail.com>
> ---
> src/lxc/caps.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/caps.c b/src/lxc/caps.c
> index 10a0b4a..c32e7e4 100644
> --- a/src/lxc/caps.c
> +++ b/src/lxc/caps.c
> @@ -28,6 +28,7 @@
> #include <limits.h>
> #include <sys/prctl.h>
> #include <sys/capability.h>
> +#include <errno.h>
>
> #include "log.h"
>
> @@ -90,6 +91,7 @@ int lxc_caps_up(void)
> cap_t caps;
> cap_value_t cap;
> int ret;
> + int lastcap = 0;
>
> /* when we are run as root, we don't want to play
> * with the capabilities */
> @@ -108,9 +110,15 @@ int lxc_caps_up(void)
>
> ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag);
> if (ret) {
> - ERROR("failed to cap_get_flag: %m");
> - goto out;
> + if (errno == EINVAL) {
> + INFO("Last supported cap was %d\n", cap-1);
> + break;
> + } else {
> + ERROR("failed to cap_get_flag: %m");
> + goto out;
> + }
> }
> + lastcap = cap;
>
> ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag);
> if (ret) {
>
The idea of the change looks good, though you're defining a new lastcap
variable that you then set but never actually seem to use as you're
instead using cap-1 in the INFO() call.
Am I just missing some context or is that indeed not used?
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20120629/25ea0c8a/attachment.pgp>
More information about the lxc-users
mailing list