Merge pull request #1202 from brauner/2016-09-21/lxc_attach_no_new_priv_fix

tools: fix lxc-attach regression with -s USER

Merge pull request #1202 from brauner/2016-09-21/lxc_attach_no_new_priv_fix
9c395c35 · Stéphane Graber · GitHub · 5c01fd0b · bd4307f0 · 9c395c35
Commit 9c395c35 authored Sep 21, 2016 by Stéphane Graber Committed by GitHub Sep 21, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 14 deletions

attach.c src/lxc/attach.c +11 -13

seccomp.c src/lxc/seccomp.c +1 -1

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -665,16 +665,16 @@ static int attach_child_main(void* data);
 /* define default options if no options are supplied by the user */
 static lxc_attach_options_t attach_static_default_options = LXC_ATTACH_OPTIONS_DEFAULT;
-static bool fetch_seccomp(struct lxc_proc_context_info *i,
+static bool fetch_seccomp(struct lxc_container *c,
 			  lxc_attach_options_t *options)
 {
-	struct lxc_container *c;
 	char *path;
-	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM))
+	if (!(options->namespaces & CLONE_NEWNS) || !(options->attach_flags & LXC_ATTACH_LSM)) {
+		free(c->lxc_conf->seccomp);
+		c->lxc_conf->seccomp = NULL;
 		return true;
+	}
-	c = i->container;
 	/* Remove current setting. */
 	if (!c->set_config_item(c, "lxc.seccomp", "")) {
@@ -684,6 +684,7 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
 	/* Fetch the current profile path over the cmd interface */
 	path = c->get_running_config_item(c, "lxc.seccomp");
 	if (!path) {
+		INFO("Failed to get running config item for lxc.seccomp.");
 		return true;
 	}
@@ -704,14 +705,11 @@ static bool fetch_seccomp(struct lxc_proc_context_info *i,
 	return true;
 }
-static bool no_new_privs(struct lxc_proc_context_info *ctx,
+static bool no_new_privs(struct lxc_container *c,
 			 lxc_attach_options_t *options)
 {
-	struct lxc_container *c;
 	char *val;
-	c = ctx->container;
 	/* Remove current setting. */
 	if (!c->set_config_item(c, "lxc.no_new_privs", "")) {
 		return false;
@@ -784,10 +782,10 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
 	if (!init_ctx->container)
 		return -1;
-	if (!fetch_seccomp(init_ctx, options))
+	if (!fetch_seccomp(init_ctx->container, options))
 		WARN("Failed to get seccomp policy");
-	if (!no_new_privs(init_ctx, options))
+	if (!no_new_privs(init_ctx->container, options))
 		WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
 	cwd = getcwd(NULL, 0);
@@ -1211,9 +1209,9 @@ static int attach_child_main(void* data)
 			rexit(-1);
 		}
 	}
 	if (init_ctx->container && init_ctx->container->lxc_conf &&
-			lxc_seccomp_load(init_ctx->container->lxc_conf) != 0) {
+	    init_ctx->container->lxc_conf->seccomp &&
+	    (lxc_seccomp_load(init_ctx->container->lxc_conf) != 0)) {
 		ERROR("Loading seccomp policy");
 		rexit(-1);
 	}

--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -748,7 +748,7 @@ int lxc_seccomp_load(struct lxc_conf *conf)
 #endif
 	    );
 	if (ret < 0) {
-		ERROR("Error loading the seccomp policy.");
+		ERROR("Error loading the seccomp policy: %s.", strerror(-ret));
 		return -1;
 	}
 	return 0;