check permissions when receiving command

report to command requester the errno if credential failure, rather than to only close the connection. Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com> Signed-off-by: Michel Normand <normand@fr.ibm.com>

check permissions when receiving command
3cc5de36 · Michel Normand · Daniel Lezcano · 724e753c · 3cc5de36 · 3cc5de36
Commit 3cc5de36 authored Oct 07, 2009 by Michel Normand Committed by Daniel Lezcano Oct 07, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

commands.c src/lxc/commands.c +6 -1

console.c src/lxc/console.c +6 -0

No files found.
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -128,7 +128,12 @@ static int command_handler(int fd, void *data,
 	struct lxc_handler *handler = data;

 	ret = lxc_af_unix_rcv_credential(fd, &request, sizeof(request));
-	if (ret < 0) {
+	if (ret < 0 && ret == -EACCES) {
+		/* we don't care for the peer, just send and close */
+		struct lxc_answer answer = { .ret = ret };
+		send(fd, &answer, sizeof(answer), 0);
+		goto out_close;
+	} else if (ret < 0) {
 		SYSERROR("failed to receive data on command socket");
 		goto out_close;
 	}

--- a/src/lxc/console.c
+++ b/src/lxc/console.c
@@ -51,6 +51,12 @@ extern int lxc_console(const char *name, int ttynum, int *fd)
 		return -1;
 	}

+	if (command.answer.ret) {
+		ERROR("console access denied: %s",
+			strerror(-command.answer.ret));
+		return -1;
+	}
+
 	*fd = command.answer.fd;
 	if (*fd <0) {
 		ERROR("unable to allocate fd for tty %d", ttynum);