Improve behaviour for unprivileged users

author Stéphane Graber <stgraber@ubuntu.com>

Wed, 2 Oct 2013 22:25:37 +0000 (18:25 -0400)

committer Serge Hallyn <serge.hallyn@ubuntu.com>

Thu, 3 Oct 2013 14:34:55 +0000 (09:34 -0500)
author Stéphane Graber <stgraber@ubuntu.com>
Wed, 2 Oct 2013 22:25:37 +0000 (18:25 -0400)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
Thu, 3 Oct 2013 14:34:55 +0000 (09:34 -0500)
diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c

index 4ca00a97f03d46efb743963c566e6fc710b26ad2..bd4e674d23185c0b4dc8f068a1b6fdcb88a45110 100644 (file)
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -188,6 +188,9 @@ int main(int argc, char *argv[])
         if (ret)
                 return ret;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         ret = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                            my_args.progname, my_args.quiet, my_args.lxcpath[0]);
         if (ret)
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c

index 2c0508c7ea08ef059d453b3d00006192e5866286..b9727a0f43611848b0417b9b60ac6145dc4309fc 100644 (file)
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -70,6 +70,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 return -1;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 return -1;
@@ -79,6 +82,12 @@ int main(int argc, char *argv[])
         c = lxc_container_new(my_args.name, my_args.lxcpath[0]);
         if (!c)
                 return -1;
+
+       if (!c->may_control(c)) {
+               ERROR("Insufficent privileges to control %s:%s", my_args.lxcpath[0], my_args.name);
+               return -1;
+       }
+
         if (!c->is_running(c)) {
                 ERROR("'%s:%s' is not running", my_args.lxcpath[0], my_args.name);
                 lxc_container_put(c);
diff --git a/src/lxc/lxc_checkpoint.c b/src/lxc/lxc_checkpoint.c

index ecf19b139ab211fc7b4dbb343f9f591ab7b75abd..f6a03139099710da9150c63e91926dccac5bcbef 100644 (file)
--- a/src/lxc/lxc_checkpoint.c
+++ b/src/lxc/lxc_checkpoint.c
@@ -115,6 +115,9 @@ int main(int argc, char *argv[])
         if (ret)
                 return ret;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         ret = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                            my_args.progname, my_args.quiet, my_args.lxcpath[0]);
         if (ret)
diff --git a/src/lxc/lxc_clone.c b/src/lxc/lxc_clone.c

index e0be9da3fa4d7f22d66b864b3c223b0f1d73574a..e01c98b277ba714fba4e3b0dfb94f4b6825ce1cb 100644 (file)
--- a/src/lxc/lxc_clone.c
+++ b/src/lxc/lxc_clone.c
@@ -160,6 +160,12 @@ int main(int argc, char *argv[])
         c1 = lxc_container_new(orig, lxcpath);
         if (!c1)
                 exit(1);
+
+       if (!c1->may_control(c1)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", orig);
+               return -1;
+       }
+
         if (!c1->is_defined(c1)) {
                 fprintf(stderr, "Error: container %s is not defined\n", orig);
                 lxc_container_put(c1);
diff --git a/src/lxc/lxc_console.c b/src/lxc/lxc_console.c

index ea1e9993fff840a2bba678e2a4b1e9cfa4b4973d..f5d16fa6be74660e767cf9b42c871773ceaf272a 100644 (file)
--- a/src/lxc/lxc_console.c
+++ b/src/lxc/lxc_console.c
@@ -97,6 +97,9 @@ int main(int argc, char *argv[])
         if (ret)
                 return EXIT_FAILURE;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         ret = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                            my_args.progname, my_args.quiet, my_args.lxcpath[0]);
         if (ret)
@@ -108,6 +111,11 @@ int main(int argc, char *argv[])
                 exit(EXIT_FAILURE);
         }
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", my_args.name);
+               return -1;
+       }
+
         if (!c->is_running(c)) {
                 fprintf(stderr, "%s is not running\n", my_args.name);
                 exit(EXIT_FAILURE);
diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c

index f577e3005ee569da3471369182ab79dfa9ed4e8a..98cca325b7c90ab8fa567b3877ca32db17b9d2a9 100644 (file)
--- a/src/lxc/lxc_create.c
+++ b/src/lxc/lxc_create.c
@@ -174,6 +174,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 exit(1);
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 exit(1);
diff --git a/src/lxc/lxc_destroy.c b/src/lxc/lxc_destroy.c

index a1f73ca83f3945d7b725ff14554355c91572d461..d50fcf121bfe18eecbb3eacfaee8abec025b8ed7 100644 (file)
--- a/src/lxc/lxc_destroy.c
+++ b/src/lxc/lxc_destroy.c
@@ -74,6 +74,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 exit(1);
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 exit(1);
@@ -84,6 +87,11 @@ int main(int argc, char *argv[])
                 exit(1);
         }
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", my_args.name);
+               return -1;
+       }
+
         if (!c->is_defined(c)) {
                 fprintf(stderr, "Container is not defined\n");
                 lxc_container_put(c);
diff --git a/src/lxc/lxc_freeze.c b/src/lxc/lxc_freeze.c

index 39483a63777980d1f072a928bb585da121f2698b..92d7aa272f199d5b1c7494a40c91d4c94f8bda8b 100644 (file)
--- a/src/lxc/lxc_freeze.c
+++ b/src/lxc/lxc_freeze.c
@@ -59,6 +59,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 exit(1);
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 exit(1);
@@ -69,6 +72,11 @@ int main(int argc, char *argv[])
                 exit(1);
         }
  
+       if (!c->may_control(c)) {
+               ERROR("Insufficent privileges to control %s:%s", my_args.lxcpath[0], my_args.name);
+               return -1;
+       }
+
         if (!c->freeze(c)) {
                 ERROR("Failed to freeze %s:%s", my_args.lxcpath[0], my_args.name);
                 lxc_container_put(c);
diff --git a/src/lxc/lxc_info.c b/src/lxc/lxc_info.c

index a4fa3e1f92edddcb3f1a46491022986442ba6e6b..ac562878a62f94b1beee0f9b6897b8075dc9567d 100644 (file)
--- a/src/lxc/lxc_info.c
+++ b/src/lxc/lxc_info.c
@@ -96,6 +96,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 return -1;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 return -1;
@@ -104,6 +107,11 @@ int main(int argc, char *argv[])
         if (!c)
                 return -1;
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", c->name);
+               return -1;
+       }
+
         if (!state && !pid && !ips && keys <= 0)
                 state = pid = ips = true;
  
diff --git a/src/lxc/lxc_kill.c b/src/lxc/lxc_kill.c

index 3ed6e4e81a07c08838d84ce2779a67b8bc37faae..8322b424f1a41f56b7cf0675cda952b4c900c569 100644 (file)
--- a/src/lxc/lxc_kill.c
+++ b/src/lxc/lxc_kill.c
@@ -61,6 +61,9 @@ int main(int argc, char *argv[], char *envp[])
         if (ret)
                 return ret;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         ret = lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                            my_args.progname, my_args.quiet, my_args.lxcpath[0]);
         if (ret)
diff --git a/src/lxc/lxc_monitor.c b/src/lxc/lxc_monitor.c

index 00ab58b5119f5e0bfba645e241cf58d503c1dad4..0c277231f0f8df0676ada71d842f727aba2695ca 100644 (file)
--- a/src/lxc/lxc_monitor.c
+++ b/src/lxc/lxc_monitor.c
@@ -67,6 +67,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 return -1;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 return -1;
diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c

index c21563f602f2983792d4d51fba3d0838d7f04e64..573804b39beb21a4ca63b03dec7680276465284e 100644 (file)
--- a/src/lxc/lxc_snapshot.c
+++ b/src/lxc/lxc_snapshot.c
@@ -160,6 +160,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 exit(1);
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (my_args.argc > 1) {
                 ERROR("Too many arguments");
                 return -1;
@@ -184,6 +187,11 @@ int main(int argc, char *argv[])
                 exit(1);
         }
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", my_args.name);
+               return -1;
+       }
+
         switch(action) {
         case DO_SNAP:
                 ret = do_snapshot(c);
diff --git a/src/lxc/lxc_stop.c b/src/lxc/lxc_stop.c

index 77de7e5d1ef1551cc4a08d1f77a3ec64f00ce5da..7203d75085553d0c0f243de771b7c3f05c42ac2d 100644 (file)
--- a/src/lxc/lxc_stop.c
+++ b/src/lxc/lxc_stop.c
@@ -145,6 +145,11 @@ int main(int argc, char *argv[])
                 goto out;
         }
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", c->name);
+               goto out;
+       }
+
         if (!c->is_running(c)) {
                 fprintf(stderr, "%s is not running\n", c->name);
                 ret = 2;
diff --git a/src/lxc/lxc_unfreeze.c b/src/lxc/lxc_unfreeze.c

index 0130224a2dd1ae471fc2e1a12b3b61c5ff5af7f5..4c499ec1944d64d4e5501d5284d3485bcf1ae623 100644 (file)
--- a/src/lxc/lxc_unfreeze.c
+++ b/src/lxc/lxc_unfreeze.c
@@ -58,6 +58,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 exit(1);
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 exit(1);
@@ -68,6 +71,11 @@ int main(int argc, char *argv[])
                 exit(1);
         }
  
+       if (!c->may_control(c)) {
+               ERROR("Insufficent privileges to control %s:%s", my_args.lxcpath[0], my_args.name);
+               return -1;
+       }
+
         if (!c->unfreeze(c)) {
                 ERROR("Failed to unfreeze %s:%s", my_args.lxcpath[0], my_args.name);
                 lxc_container_put(c);
diff --git a/src/lxc/lxc_wait.c b/src/lxc/lxc_wait.c

index 4669cee692f8c19bffca614635d9d9d44038094d..0a3487f172979a5e67aecd6c45d33344a2ae2319 100644 (file)
--- a/src/lxc/lxc_wait.c
+++ b/src/lxc/lxc_wait.c
@@ -85,6 +85,9 @@ int main(int argc, char *argv[])
         if (lxc_arguments_parse(&my_args, argc, argv))
                 return -1;
  
+       if (!my_args.log_file)
+               my_args.log_file = "none";
+
         if (lxc_log_init(my_args.name, my_args.log_file, my_args.log_priority,
                          my_args.progname, my_args.quiet, my_args.lxcpath[0]))
                 return -1;
@@ -93,6 +96,11 @@ int main(int argc, char *argv[])
         if (!c)
                 return -1;
  
+       if (!c->may_control(c)) {
+               fprintf(stderr, "Insufficent privileges to control %s\n", c->name);
+               return -1;
+       }
+
         if (!c->wait(c, my_args.states, my_args.timeout)) {
                 lxc_container_put(c);
                 return -1;
author	Stéphane Graber <stgraber@ubuntu.com>
	Wed, 2 Oct 2013 22:25:37 +0000 (18:25 -0400)
committer	Serge Hallyn <serge.hallyn@ubuntu.com>
	Thu, 3 Oct 2013 14:34:55 +0000 (09:34 -0500)
src/lxc/lxc_attach.c		patch \| blob \| blame \| history
src/lxc/lxc_cgroup.c		patch \| blob \| blame \| history
src/lxc/lxc_checkpoint.c		patch \| blob \| blame \| history
src/lxc/lxc_clone.c		patch \| blob \| blame \| history
src/lxc/lxc_console.c		patch \| blob \| blame \| history
src/lxc/lxc_create.c		patch \| blob \| blame \| history
src/lxc/lxc_destroy.c		patch \| blob \| blame \| history
src/lxc/lxc_freeze.c		patch \| blob \| blame \| history
src/lxc/lxc_info.c		patch \| blob \| blame \| history
src/lxc/lxc_kill.c		patch \| blob \| blame \| history
src/lxc/lxc_monitor.c		patch \| blob \| blame \| history
src/lxc/lxc_snapshot.c		patch \| blob \| blame \| history
src/lxc/lxc_stop.c		patch \| blob \| blame \| history
src/lxc/lxc_unfreeze.c		patch \| blob \| blame \| history
src/lxc/lxc_wait.c		patch \| blob \| blame \| history