attach: require that LXC_ATTACH_LSM_LABEL is specified

to avoid liblxc stumbling over an smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 13224805c313acf3f6c4cb1e3cd10e1c879e37f3..acbffa238d253b03381a92283840335f369a3aef 100644 (file)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -779,7 +779,10 @@ static int attach_child_main(struct attach_clone_payload *payload)
 
                /* Change into our new LSM profile. */
                on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-               lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;
+               if (options->attach_flags & LXC_ATTACH_LSM_LABEL)
+                       lsm_label = options->lsm_label;
+               if (!lsm_label)
+                       lsm_label = init_ctx->lsm_label;
                ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd,
                                                              lsm_label, on_exec);
                close(lsm_fd);

diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index cdcd8f8ece0873f41d5a4b49a0b2a49f1fc43c59..80fe439103d19f2d9a1e9980bc5a2b6be5808304 100644 (file)
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -30,6 +30,7 @@ enum {
        /* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
        LXC_ATTACH_NO_NEW_PRIVS          = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
        LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */
+       LXC_ATTACH_LSM_LABEL             = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
 
        /* We have 16 bits for things that are on by default and 16 bits that
         * are off by default, that should be sufficient to keep binary