Skip to content

L
lxc
Unverified Commit 8caac583 by Ruben Jenster Committed by Christian Brauner
Options

attach: Add groups option to keep additional group IDs.

Signed-off-by: 's avatarRuben Jenster <r.jenster@drachenfels.de>
parent bf31b337
Showing with 20 additions and 12 deletions
src/lxc/attach.c
...@@ -277,11 +277,6 @@ static int userns_setup_ids(struct attach_context *ctx, ...@@ -277,11 +277,6 @@ static int userns_setup_ids(struct attach_context *ctx,
if (ctx->setup_ns_gid == LXC_INVALID_UID) if (ctx->setup_ns_gid == LXC_INVALID_UID)
ctx->setup_ns_gid = init_ns_gid; ctx->setup_ns_gid = init_ns_gid;
/*
* TODO: we should also parse supplementary groups and use
* setgroups() to set them.
*/
return 0; return 0;
} }
...@@ -360,11 +355,6 @@ static int parse_init_status(struct attach_context *ctx, lxc_attach_options_t *o ...@@ -360,11 +355,6 @@ static int parse_init_status(struct attach_context *ctx, lxc_attach_options_t *o
return log_error_errno(ret, errno, "Failed to get setup ids"); return log_error_errno(ret, errno, "Failed to get setup ids");
userns_target_ids(ctx, options); userns_target_ids(ctx, options);
/*
* TODO: we should also parse supplementary groups and use
* setgroups() to set them.
*/
return 0; return 0;
} }
...@@ -1214,8 +1204,13 @@ __noreturn static void do_attach(struct attach_payload *ap) ...@@ -1214,8 +1204,13 @@ __noreturn static void do_attach(struct attach_payload *ap)
goto on_error; goto on_error;
} }
if (!lxc_drop_groups() && errno != EPERM) if (options->attach_flags & LXC_ATTACH_SETGROUPS && options->groups.size > 0) {
goto on_error; if (!lxc_setgroups(options->groups.list, options->groups.size))
goto on_error;
} else {
if (!lxc_drop_groups() && errno != EPERM)
goto on_error;
}
if (options->namespaces & CLONE_NEWUSER) if (options->namespaces & CLONE_NEWUSER)
if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid)) if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
......
src/lxc/attach_options.h
...@@ -31,6 +31,7 @@ enum { ...@@ -31,6 +31,7 @@ enum {
LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */ LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */ LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */ LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
LXC_ATTACH_SETGROUPS = 0x00200000, /*!< Set additional group ids specified in @groups. */
/* We have 16 bits for things that are on by default and 16 bits that /* We have 16 bits for things that are on by default and 16 bits that
* are off by default, that should be sufficient to keep binary * are off by default, that should be sufficient to keep binary
...@@ -52,6 +53,11 @@ enum { ...@@ -52,6 +53,11 @@ enum {
*/ */
typedef int (*lxc_attach_exec_t)(void* payload); typedef int (*lxc_attach_exec_t)(void* payload);
typedef struct lxc_groups_t {
int size;
gid_t *list;
} lxc_groups_t;
/*! /*!
* LXC attach options for \ref lxc_container \c attach(). * LXC attach options for \ref lxc_container \c attach().
*/ */
...@@ -117,6 +123,13 @@ typedef struct lxc_attach_options_t { ...@@ -117,6 +123,13 @@ typedef struct lxc_attach_options_t {
/*! lsm label to set. */ /*! lsm label to set. */
char *lsm_label; char *lsm_label;
/*! The additional group GIDs to run with.
*
* If unset all additional groups are dropped.
*/
lxc_groups_t groups;
} lxc_attach_options_t; } lxc_attach_options_t;
/*! Default attach options to use */ /*! Default attach options to use */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment