Merge pull request #3692 from brauner/2021-02-23/fixes

build fix & cgroup braino

Merge pull request #3692 from brauner/2021-02-23/fixes
5dc90afd · Stéphane Graber · GitHub · 162402cc · 6ee13f5b · 5dc90afd
Unverified Commit 5dc90afd authored Feb 23, 2021 by Stéphane Graber Committed by GitHub Feb 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

attach.c src/lxc/attach.c +7 -0

cgfsng.c src/lxc/cgroups/cgfsng.c +1 -1

commands.h src/lxc/commands.h +1 -2

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1657,6 +1657,13 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
 		TRACE("Moved transient process %d into container cgroup", pid);
 	}
+	/*
+	 * Close sensitive file descriptors we don't need anymore. Even if
+	 * we're the parent.
+	 */
+	if (!attach_context_security_barrier(ctx))
+		goto on_error;
 	/* Setup /proc limits */
 	if (!lxc_list_empty(&conf->procs)) {
 		ret = setup_proc_filesystem(&conf->procs, pid);

--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -337,7 +337,7 @@ static char **list_add_controllers(char *controllers)
 	__do_free_string_list char **list = NULL;
 	char *it;
-	lxc_iterate_parts(it, controllers, " \t\n") {
+	lxc_iterate_parts(it, controllers, ", \t\n") {
 		int ret;
 		ret = list_add_string(&list, it);

--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -127,8 +127,7 @@ __hidden extern int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *
 __hidden extern int lxc_cmd_get_cgroup_ctx(const char *name, const char *lxcpath,
 					   const char *controller, bool batch,
 					   size_t size_ret_ctx,
-					   struct cgroup_ctx *ret_ctx)
+					   struct cgroup_ctx *ret_ctx);
-    __access_r(6, 5);
 __hidden extern int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, int fd,
 							/* unused */ unsigned int command,
 							/* unused */ unsigned int flags);