attach: Add groups option to keep additional group IDs.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

attach: Add groups option to keep additional group IDs.
8caac583 · Ruben Jenster · Christian Brauner · bf31b337 · 8caac583 · 8caac583
Unverified Commit 8caac583 authored Feb 04, 2021 by Ruben Jenster Committed by Christian Brauner Feb 05, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 12 deletions

attach.c src/lxc/attach.c +7 -12

attach_options.h src/lxc/attach_options.h +13 -0

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -277,11 +277,6 @@ static int userns_setup_ids(struct attach_context *ctx,
 	if (ctx->setup_ns_gid == LXC_INVALID_UID)
 		ctx->setup_ns_gid = init_ns_gid;

-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }

@@ -360,11 +355,6 @@ static int parse_init_status(struct attach_context *ctx, lxc_attach_options_t *o
 		return log_error_errno(ret, errno, "Failed to get setup ids");
 	userns_target_ids(ctx, options);

-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }

@@ -1214,8 +1204,13 @@ __noreturn static void do_attach(struct attach_payload *ap)
 			goto on_error;
 	}

-	if (!lxc_drop_groups() && errno != EPERM)
-		goto on_error;
+	if (options->attach_flags & LXC_ATTACH_SETGROUPS && options->groups.size > 0) {
+		if (!lxc_setgroups(options->groups.list, options->groups.size))
+			goto on_error;
+	} else {
+		if (!lxc_drop_groups() && errno != EPERM)
+			goto on_error;
+	}

 	if (options->namespaces & CLONE_NEWUSER)
 		if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))

--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -31,6 +31,7 @@ enum {
 	LXC_ATTACH_NO_NEW_PRIVS		 = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
 	LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */
 	LXC_ATTACH_LSM_LABEL             = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
+	LXC_ATTACH_SETGROUPS             = 0x00200000, /*!< Set additional group ids specified in @groups. */

 	/* We have 16 bits for things that are on by default and 16 bits that
 	 * are off by default, that should be sufficient to keep binary
@@ -52,6 +53,11 @@ enum {
 */
 typedef int (*lxc_attach_exec_t)(void* payload);

+typedef struct lxc_groups_t {
+	int size;
+	gid_t *list;
+} lxc_groups_t;
+
 /*!
 * LXC attach options for \ref lxc_container \c attach().
 */
@@ -117,6 +123,13 @@ typedef struct lxc_attach_options_t {

 	/*! lsm label to set. */
 	char *lsm_label;
+
+	/*! The additional group GIDs to run with.
+	 *
+	 * If unset all additional groups are dropped.
+	 */
+	lxc_groups_t groups;
+
 } lxc_attach_options_t;

 /*! Default attach options to use */