Merge pull request #2510 from brauner/2018-08-05/cap_fixes

src/lxc/attach.c

@@ -318,7 +318,8 @@ static int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx)
 		if (ctx->capability_mask & (1LL << cap))
 			continue;
 
-		if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0)) {
+		if (prctl(PR_CAPBSET_DROP, prctl_arg(cap), prctl_arg(0),
+			  prctl_arg(0), prctl_arg(0))) {
 			SYSERROR("Failed to drop capability %d", cap);
 			return -1;
 		}
@@ -898,7 +899,8 @@ static int attach_child_main(struct attach_clone_payload *payload)
 	if ((init_ctx->container && init_ctx->container->lxc_conf &&
 	     init_ctx->container->lxc_conf->no_new_privs) ||
 	    (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
-		ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+		ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
 		if (ret < 0)
 			goto on_error;
 

src/lxc/caps.c

@@ -198,7 +198,8 @@ int lxc_ambient_caps_up(void)
 	}
 
 	for (cap = 0; cap <= last_cap; cap++) {
-		ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0);
+		ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_RAISE),
+			    prctl_arg(cap), prctl_arg(0), prctl_arg(0));
 		if (ret < 0) {
 			SYSWARN("Failed to raise ambient capability %d", cap);
 			goto out;
@@ -230,7 +231,8 @@ int lxc_ambient_caps_down(void)
 	if (!getuid())
 		return 0;
 
-	ret = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0);
+	ret = prctl(PR_CAP_AMBIENT, prctl_arg(PR_CAP_AMBIENT_CLEAR_ALL),
+		    prctl_arg(0), prctl_arg(0), prctl_arg(0));
 	if (ret < 0) {
 		SYSERROR("Failed to clear ambient capability set");
 		return -1;
@@ -276,7 +278,7 @@ int lxc_caps_init(void)
 
 		INFO("Command is run as setuid root (uid: %d)", uid);
 
-		ret = prctl(PR_SET_KEEPCAPS, 1);
+		ret = prctl(PR_SET_KEEPCAPS, prctl_arg(1));
 		if (ret < 0) {
 			SYSERROR("Failed to set PR_SET_KEEPCAPS");
 			return -1;
@@ -341,7 +343,7 @@ static int _real_caps_last_cap(void)
 		/* Try to get it manually by trying to get the status of each
 		 * capability individually from the kernel.
 		 */
-		while (prctl(PR_CAPBSET_READ, cap) >= 0)
+		while (prctl(PR_CAPBSET_READ, prctl_arg(cap)) >= 0)
 			cap++;
 
 		result = cap - 1;

src/lxc/conf.c

@@ -2544,7 +2544,8 @@ static int setup_caps(struct lxc_list *caps)
 			return -1;
 		}
 
-		ret = prctl(PR_CAPBSET_DROP, capid, 0, 0, 0);
+		ret = prctl(PR_CAPBSET_DROP, prctl_arg(capid), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
 		if (ret < 0) {
 			SYSERROR("Failed to remove %s capability", drop_entry);
 			return -1;
@@ -2593,7 +2594,8 @@ static int dropcaps_except(struct lxc_list *caps)
 		if (caplist[i])
 			continue;
 
-		ret = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
+		ret = prctl(PR_CAPBSET_DROP, prctl_arg(i), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
 		if (ret < 0) {
 			SYSERROR("Failed to remove capability %d", i);
 			return -1;

src/lxc/initutils.c

@@ -26,6 +26,7 @@
 
 #include "initutils.h"
 #include "log.h"
+#include "macro.h"
 
 #ifndef HAVE_STRLCPY
 #include "include/strlcpy.h"
@@ -361,7 +362,8 @@ int setproctitle(char *title)
 		.exe_fd = -1,
 	};
 
-	ret = prctl(PR_SET_MM, PR_SET_MM_MAP, (long) &prctl_map, sizeof(prctl_map), 0);
+	ret = prctl(PR_SET_MM, prctl_arg(PR_SET_MM_MAP), prctl_arg(&prctl_map),
+		    prctl_arg(sizeof(prctl_map)), prctl_arg(0));
 	if (ret == 0)
 		(void)strlcpy((char*)arg_start, title, len);
 	else

src/lxc/macro.h

@@ -136,4 +136,6 @@ extern int __build_bug_on_failed;
 	     (__iterator = __it);                                               \
 	     __iterator = __it = strtok_r(NULL, __separators, &__p))
 
+#define prctl_arg(x) ((unsigned long)x)
+
 #endif /* __LXC_MACRO_H */

src/lxc/start.c

@@ -1152,7 +1152,8 @@ static int do_start(void *data)
 		if (ret < 0 && (handler->am_root || errno != EPERM))
 			goto out_warn_father;
 
-		ret = prctl(PR_SET_DUMPABLE, 1, 0, 0, 0);
+		ret = prctl(PR_SET_DUMPABLE, prctl_arg(1), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
 		if (ret < 0)
 			goto out_warn_father;
 
@@ -1255,7 +1256,8 @@ static int do_start(void *data)
 	 * before we aren't allowed anymore.
 	 */
 	if (handler->conf->no_new_privs) {
-		ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+		ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
+			    prctl_arg(0), prctl_arg(0));
 		if (ret < 0) {
 			SYSERROR("Could not set PR_SET_NO_NEW_PRIVS to block "
 				 "execve() gainable privileges");

src/lxc/storage/nbd.c

@@ -209,7 +209,8 @@ static int do_attach_nbd(void *d)
 		exit(1);
 	}
 
-	if (prctl(PR_SET_PDEATHSIG, SIGHUP, 0, 0, 0) < 0)
+	if (prctl(PR_SET_PDEATHSIG, prctl_arg(SIGHUP), prctl_arg(0),
+		  prctl_arg(0), prctl_arg(0)) < 0)
 		SYSERROR("Error setting parent death signal for nbd watcher");
 
 	pid = fork();

src/lxc/utils.c

@@ -2680,7 +2680,8 @@ int lxc_set_death_signal(int signal)
 	int ret;
 	pid_t ppid;
 
-	ret = prctl(PR_SET_PDEATHSIG, signal, 0, 0, 0);
+	ret = prctl(PR_SET_PDEATHSIG, prctl_arg(signal), prctl_arg(0),
+		    prctl_arg(0), prctl_arg(0));
 
 	/* Check whether we have been orphaned. */
 	ppid = (pid_t)syscall(SYS_getppid);