if (ctx->setup_ns_gid == LXC_INVALID_UID)
ctx->setup_ns_gid = init_ns_gid;
- /*
- * TODO: we should also parse supplementary groups and use
- * setgroups() to set them.
- */
-
return 0;
}
return log_error_errno(ret, errno, "Failed to get setup ids");
userns_target_ids(ctx, options);
- /*
- * TODO: we should also parse supplementary groups and use
- * setgroups() to set them.
- */
-
return 0;
}
goto on_error;
}
- if (!lxc_drop_groups() && errno != EPERM)
- goto on_error;
+ if (options->attach_flags & LXC_ATTACH_SETGROUPS && options->groups.size > 0) {
+ if (!lxc_setgroups(options->groups.list, options->groups.size))
+ goto on_error;
+ } else {
+ if (!lxc_drop_groups() && errno != EPERM)
+ goto on_error;
+ }
if (options->namespaces & CLONE_NEWUSER)
if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
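Review bot: The new `if` only checks `options->groups.size > 0` and never that `options->groups.list` is non-NULL, so a caller that sets `LXC_ATTACH_SETGROUPS` with a positive size and a null list reaches `lxc_setgroups` with a null pointer; suggest `if ((options->attach_flags & LXC_ATTACH_SETGROUPS) && options->groups.list && options->groups.size > 0) {`, which also parenthesizes the `&` inside `&&` that `-Wparentheses` would otherwise warn about. Because `size` is declared `int` in the new `lxc_groups_t` (struct hunk below), a negative count is silently treated as "unset" and falls into the drop-groups branch rather than being rejected as invalid input; whether `lxc_setgroups` takes an `int` or a `size_t` is not visible here, so a conversion at that call may also be worth checking. Note the setgroups branch is stricter than the existing drop path, which tolerates `EPERM` — presumably intended, but a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.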
LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
+ LXC_ATTACH_SETGROUPS = 0x00200000, /*!< Set additional group ids specified in @groups. */
/* We have 16 bits for things that are on by default and 16 bits that
* are off by default, that should be sufficient to keep binary
*/
typedef int (*lxc_attach_exec_t)(void* payload);
+typedef struct lxc_groups_t {
+ int size;
+ gid_t *list;
+} lxc_groups_t;
+
/*!
* LXC attach options for \ref lxc_container \c attach().
*/
/*! lsm label to set. */
char *lsm_label;
+
+ /*! The additional group GIDs to run with.
+ *
+ * If unset all additional groups are dropped.
+ */
+ lxc_groups_t groups;
+
} lxc_attach_options_t;
/*! Default attach options to use */
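Review bot: The doc comment on `groups` says only that unset groups are dropped, but the attach path (earlier hunk) honors the field solely when `LXC_ATTACH_SETGROUPS` is set in `attach_flags` and `size` is positive, so a caller filling `groups` without the flag will silently get all supplementary groups dropped; suggest extending the comment to `/*! The additional group GIDs to run with. Only honored when LXC_ATTACH_SETGROUPS is set in attach_flags; otherwise, or when size is 0, all additional groups are dropped. */`. The comment also leaves unstated who owns the `list` allocation and whether it must outlive the attach call, which is worth a sentence since this is public API.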