Skip to content

L
lxc
Unverified Commit be0fb2f7 by Stéphane Graber Committed by GitHub
Options

Merge pull request #3628 from brauner/2021-01-22/fixes

conf: fix containers retaining CAP_NET_ADMIN
parents 092529ea 7b854e37
Showing with 35 additions and 29 deletions
src/lxc/cgroups/cgfsng.c
...@@ -1832,7 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1832,7 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
} }
if (!wants_force_mount) { if (!wants_force_mount) {
wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf); wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
/* /*
* Most recent distro versions currently have init system that * Most recent distro versions currently have init system that
...@@ -1871,13 +1871,21 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1871,13 +1871,21 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
return cg_mount_cgroup_full(type, ops->unified, cgroup_root) == 0; return cg_mount_cgroup_full(type, ops->unified, cgroup_root) == 0;
} }
/* mount tmpfs */ /*
ret = safe_mount_beneath(root, NULL, DEFAULT_CGROUP_MOUNTPOINT, "tmpfs", * Mount a tmpfs over DEFAULT_CGROUP_MOUNTPOINT. Note that we're
* relying on RESOLVE_BENEATH so we need to skip the leading "/" in the
* DEFAULT_CGROUP_MOUNTPOINT define.
*/
ret = safe_mount_beneath(root, NULL,
DEFAULT_CGROUP_MOUNTPOINT_RELATIVE,
"tmpfs",
MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
"size=10240k,mode=755"); "size=10240k,mode=755");
if (ret < 0) { if (ret < 0) {
if (errno != ENOSYS) if (errno != ENOSYS)
return false; return log_error_errno(false, errno,
"Failed to mount tmpfs on %s",
DEFAULT_CGROUP_MOUNTPOINT);
ret = safe_mount(NULL, cgroup_root, "tmpfs", ret = safe_mount(NULL, cgroup_root, "tmpfs",
MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
......
src/lxc/cgroups/cgroup.h
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
#include "macro.h" #include "macro.h"
#include "memory_utils.h" #include "memory_utils.h"
#define DEFAULT_CGROUP_MOUNTPOINT_RELATIVE "sys/fs/cgroup"
#define DEFAULT_CGROUP_MOUNTPOINT "/sys/fs/cgroup" #define DEFAULT_CGROUP_MOUNTPOINT "/sys/fs/cgroup"
#define DEFAULT_PAYLOAD_CGROUP_PREFIX "lxc.payload." #define DEFAULT_PAYLOAD_CGROUP_PREFIX "lxc.payload."
#define DEFAULT_MONITOR_CGROUP_PREFIX "lxc.monitor." #define DEFAULT_MONITOR_CGROUP_PREFIX "lxc.monitor."
......
src/lxc/conf.c
...@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha ...@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
* it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for * it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
* kernels as low as 2.6.32... * kernels as low as 2.6.32...
*/ */
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
/* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */ /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL, 1 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL, true },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL, false },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL, 1 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL, true },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL, false },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
{ LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL, false },
{ LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 }, { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
{ 0, 0, NULL, NULL, NULL, 0, NULL, 0 } { 0, 0, NULL, NULL, NULL, 0, NULL, false }
}; };
bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf); bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
......
src/lxc/conf.h
...@@ -522,9 +522,9 @@ static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf) ...@@ -522,9 +522,9 @@ static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
return false; return false;
if (!lxc_list_empty(&conf->keepcaps)) if (!lxc_list_empty(&conf->keepcaps))
return !in_caplist(cap, &conf->keepcaps); return in_caplist(cap, &conf->keepcaps);
return in_caplist(cap, &conf->caps); return !in_caplist(cap, &conf->caps);
} }
__hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls); __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
......
src/lxc/lsm/apparmor.c
...@@ -523,11 +523,6 @@ static inline char *apparmor_namespace(const char *ctname, const char *lxcpath) ...@@ -523,11 +523,6 @@ static inline char *apparmor_namespace(const char *ctname, const char *lxcpath)
return full; return full;
} }
/* TODO: This is currently run only in the context of a constructor (via the
* initial lsm_init() called due to its __attribute__((constructor)), so we
* do not have ERROR/... macros available, so there are some fprintf(stderr)s
* in there.
*/
static bool check_apparmor_parser_version(struct lsm_ops *ops) static bool check_apparmor_parser_version(struct lsm_ops *ops)
{ {
int major = 0, minor = 0, micro = 0, ret = 0; int major = 0, minor = 0, micro = 0, ret = 0;
......
src/lxc/tools/lxc_attach.c
...@@ -23,7 +23,9 @@ ...@@ -23,7 +23,9 @@
#include "config.h" #include "config.h"
#include "confile.h" #include "confile.h"
#include "log.h" #include "log.h"
#ifdef ENFORCE_MEMFD_REXEC
#include "rexec.h" #include "rexec.h"
#endif
#include "utils.h" #include "utils.h"
lxc_log_define(lxc_attach, lxc); lxc_log_define(lxc_attach, lxc);
......
src/lxc/utils.c
...@@ -1103,7 +1103,7 @@ int __safe_mount_beneath_at(int beneath_fd, const char *src, const char *dst, co ...@@ -1103,7 +1103,7 @@ int __safe_mount_beneath_at(int beneath_fd, const char *src, const char *dst, co
target_fd = openat2(beneath_fd, dst, &how, sizeof(how)); target_fd = openat2(beneath_fd, dst, &how, sizeof(how));
if (target_fd < 0) if (target_fd < 0)
return -errno; return log_error_errno(-errno, errno, "Failed to open %d(%s)", beneath_fd, dst);
ret = snprintf(tgt_buf, sizeof(tgt_buf), "/proc/self/fd/%d", target_fd); ret = snprintf(tgt_buf, sizeof(tgt_buf), "/proc/self/fd/%d", target_fd);
if (ret < 0 || ret >= sizeof(tgt_buf)) if (ret < 0 || ret >= sizeof(tgt_buf))
return -EIO; return -EIO;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment