attach: set no_new_privs flag after LSM label 3466/head
authorAlexander Livenets <a.livenets@gmail.com>
Mon, 29 Jun 2020 22:06:20 +0000 (00:06 +0200)
committerAlexander Livenets <a.livenets@gmail.com>
Mon, 29 Jun 2020 22:54:36 +0000 (00:54 +0200)
In `start.c:1284`, no_new_privs flag is set after LSM label is set.
Also, in `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving the
`PR_SET_NO_NEW_PRIVS` logic to after the LSM for the process is configured.

Closes #3393

Signed-off-by: Alexander Livenets <a.livenets@gmail.com>
src/lxc/attach.c

index 38e16f2d1e48ff9c1a4b8e182b9fd7705d59e12a..4cd4f4175a7f316f55bb5237209c801da3984db7 100644 (file)
@@ -770,17 +770,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
        else
                new_gid = ns_root_gid;
 
-       if ((init_ctx->container && init_ctx->container->lxc_conf &&
-            init_ctx->container->lxc_conf->no_new_privs) ||
-           (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
-               ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
-                           prctl_arg(0), prctl_arg(0));
-               if (ret < 0)
-                       goto on_error;
-
-               TRACE("Set PR_SET_NO_NEW_PRIVS");
-       }
-
        if (needs_lsm) {
                bool on_exec;
 
@@ -795,6 +784,17 @@ static int attach_child_main(struct attach_clone_payload *payload)
                TRACE("Set %s LSM label to \"%s\"", lsm_name(), init_ctx->lsm_label);
        }
 
+       if ((init_ctx->container && init_ctx->container->lxc_conf &&
+            init_ctx->container->lxc_conf->no_new_privs) ||
+           (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
+               ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
+                           prctl_arg(0), prctl_arg(0));
+               if (ret < 0)
+                       goto on_error;
+
+               TRACE("Set PR_SET_NO_NEW_PRIVS");
+       }
+
        if (init_ctx->container && init_ctx->container->lxc_conf &&
            init_ctx->container->lxc_conf->seccomp.seccomp) {
                struct lxc_conf *conf = init_ctx->container->lxc_conf;
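Review bot: The relocated PR_SET_NO_NEW_PRIVS block now runs after the `needs_lsm` block, but when the label was requested with `on_exec` (the flag declared in the previous hunk) the actual LSM transition only happens at execve, after no_new_privs is already set, so whether that transition is still permitted depends on the LSM's own no_new_privs handling rather than on this ordering; a comment stating that assumption, e.g. `/* With on_exec the label change is deferred to execve; the LSM must allow it under no_new_privs. */`, would save the next reader from re-deriving it. Placing the flag before the seccomp block that follows is the correct order, since loading a filter requires either no_new_privs or CAP_SYS_ADMIN. The `goto on_error` on prctl failure discards errno; logging it first, `SYSERROR("Failed to set PR_SET_NO_NEW_PRIVS");`, would make a failed attach diagnosable. The first hunk is the matching removal, and attach_child_main continues outside both hunks.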