conf: fix containers retaining CAP_NET_ADMIN

author Christian Brauner <christian.brauner@ubuntu.com>

Fri, 22 Jan 2021 10:41:11 +0000 (11:41 +0100)

committer Christian Brauner <christian.brauner@ubuntu.com>

Fri, 22 Jan 2021 10:54:25 +0000 (11:54 +0100)
author Christian Brauner <christian.brauner@ubuntu.com>
Fri, 22 Jan 2021 10:41:11 +0000 (11:41 +0100)
committer Christian Brauner <christian.brauner@ubuntu.com>
Fri, 22 Jan 2021 10:54:25 +0000 (11:54 +0100)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c

index bf181987f193d84b9b6f9ca3b849d127d80ac1ba..1df135d946a09a8d18a70055de4bc7d2eb51d14e 100644 (file)
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1832,7 +1832,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
         }
  
         if (!wants_force_mount) {
-               wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
+               wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
  
                 /*
                  * Most recent distro versions currently have init system that
diff --git a/src/lxc/conf.c b/src/lxc/conf.c

index 3ddd30bf202395b314810ac225f7b125a42608ed..e6486cbe5eb04873e3e403f9bbba21395495cc66 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -620,24 +620,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
                  * it's busy...  MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
                  * kernels as low as 2.6.32...
                  */
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
                 /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",                                "%r/proc/tty",                NULL,    MS_BIND,                                         NULL, 1 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                    "%r/proc/sys",                NULL,    MS_BIND,                                         NULL, 0 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sys",                NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",                                    "%r/proc/sys/net",            NULL,    MS_MOVE,                                         NULL, 1 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                          "%r/proc/sysrq-trigger",      NULL,    MS_BIND,                                         NULL, 0 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sysrq-trigger",      NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
-               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                          "%r/sys",                     "sysfs", 0,                                               NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                          "%r/sys",                     "sysfs", MS_RDONLY,                                       NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys",                     "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                         "%r/sys",                     NULL,    MS_BIND,                                         NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys",                     NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys/devices/virtual/net", "sysfs", 0,                                               NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL,    MS_BIND,                                         NULL, 0 },
-               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys/devices/virtual/net", NULL,    MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 },
-               { 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, 0 }
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",                                "%r/proc/tty",                NULL,    MS_BIND,                                         NULL, true  },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",                                    "%r/proc/sys",                NULL,    MS_BIND,                                         NULL, false },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sys",                NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",                                    "%r/proc/sys/net",            NULL,    MS_MOVE,                                         NULL, true  },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger",                          "%r/proc/sysrq-trigger",      NULL,    MS_BIND,                                         NULL, false },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                                             "%r/proc/sysrq-trigger",      NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
+               { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",                                           "%r/proc",                    "proc",  MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RW,     "sysfs",                                          "%r/sys",                     "sysfs", 0,                                               NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_RO,     "sysfs",                                          "%r/sys",                     "sysfs", MS_RDONLY,                                       NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys",                     "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID,                    NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys",                                         "%r/sys",                     NULL,    MS_BIND,                                         NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys",                     NULL,    MS_REMOUNT|MS_BIND|MS_RDONLY,                    NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "sysfs",                                          "%r/sys/devices/virtual/net", "sysfs", 0,                                               NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL,    MS_BIND,                                         NULL, false },
+               { LXC_AUTO_SYS_MASK,  LXC_AUTO_SYS_MIXED,  NULL,                                             "%r/sys/devices/virtual/net", NULL,    MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, false },
+               { 0,                  0,                   NULL,                                             NULL,                         NULL,    0,                                               NULL, false }
         };
  
          bool has_cap_net_admin = lxc_wants_cap(CAP_NET_ADMIN, conf);
diff --git a/src/lxc/conf.h b/src/lxc/conf.h

index 46bab5b3039776896cd92509adb5e834900aac4f..2fd9b783df4cc15fc5de0627a22be074357f2c4c 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -522,9 +522,9 @@ static inline bool lxc_wants_cap(int cap, struct lxc_conf *conf)
                 return false;
  
         if (!lxc_list_empty(&conf->keepcaps))
-               return !in_caplist(cap, &conf->keepcaps);
+               return in_caplist(cap, &conf->keepcaps);
  
-       return in_caplist(cap, &conf->caps);
+       return !in_caplist(cap, &conf->caps);
  }
  
  __hidden extern int setup_sysctl_parameters(struct lxc_list *sysctls);
author	Christian Brauner <christian.brauner@ubuntu.com>
	Fri, 22 Jan 2021 10:41:11 +0000 (11:41 +0100)
committer	Christian Brauner <christian.brauner@ubuntu.com>
	Fri, 22 Jan 2021 10:54:25 +0000 (11:54 +0100)
src/lxc/cgroups/cgfsng.c		patch \| blob \| blame \| history
src/lxc/conf.c		patch \| blob \| blame \| history
src/lxc/conf.h		patch \| blob \| blame \| history