check permissions when receiving command
authorMichel Normand <normand@fr.ibm.com>
Wed, 7 Oct 2009 14:06:08 +0000 (16:06 +0200)
committerDaniel Lezcano <dlezcano@fr.ibm.com>
Wed, 7 Oct 2009 14:06:08 +0000 (16:06 +0200)
Report the errno to the command requester when the credential check fails,
rather than only closing the connection.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michel Normand <normand@fr.ibm.com>
src/lxc/commands.c
src/lxc/console.c

index 98e6121d814a8e22251098ce6a038ba97c9cb459..662ad9e15489749a5655f17aef9e0e2a8dc6213c 100644 (file)
@@ -128,7 +128,12 @@ static int command_handler(int fd, void *data,
        struct lxc_handler *handler = data;
 
        ret = lxc_af_unix_rcv_credential(fd, &request, sizeof(request));
-       if (ret < 0) {
+       if (ret < 0 && ret == -EACCES) {
+               /* we don't care for the peer, just send and close */
+               struct lxc_answer answer = { .ret = ret };
+               send(fd, &answer, sizeof(answer), 0);
+               goto out_close;
+       } else if (ret < 0) {
                SYSERROR("failed to receive data on command socket");
                goto out_close;
        }
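Review bot: The denial answer is built as `{ .ret = ret }`, which leaves `answer.fd` zero-initialized, so a client that reads `answer.fd` without first checking `answer.ret` would take descriptor 0 as valid; `struct lxc_answer answer = { .ret = ret, .fd = -1 };` keeps the failure unambiguous. The `send()` result is ignored and the flags are `0`, so if the rejected peer has already closed its end the write may raise SIGPIPE in this process unless that signal is handled elsewhere (not visible here); passing `MSG_NOSIGNAL` removes that dependency. The rejection is also not logged, unlike the generic failure branch below it, which makes refused requests hard to spot afterwards, and `ret < 0 && ret == -EACCES` reduces to `ret == -EACCES`. command_handler starts and ends outside the hunk.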
index d32941c168e63163f03989a7033476d839e67b21..92bbd47c62b362fd3335a27ba96a48728e12763f 100644 (file)
@@ -51,6 +51,12 @@ extern int lxc_console(const char *name, int ttynum, int *fd)
                return -1;
        }
 
+       if (command.answer.ret) {
+               ERROR("console access denied: %s",
+                       strerror(-command.answer.ret));
+               return -1;
+       }
+
        *fd = command.answer.fd;
        if (*fd <0) {
                ERROR("unable to allocate fd for tty %d", ttynum);
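Review bot: The added check reports every nonzero `command.answer.ret` as "console access denied" and passes its negation to `strerror()`, although the field is whatever the peer put in the answer and the only value the server side of this commit sends is `-EACCES`. A neutral message such as `ERROR("console request refused: %s", strerror(-command.answer.ret));` would stay accurate if other error codes are returned later. A short comment above the check, for example `/* the server reports a refused request as a negative errno in answer.ret */`, would document the convention the client relies on. Whether the other users of the command socket perform the same check is not visible here; lxc_console starts and ends outside the hunk.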