From: Dwight Engen <dwight.engen@oracle.com>
Date: Thu, 19 Jun 2014 13:01:26 +0000 (-0400)
Subject: don't force dropping capabilities in lxc-init
X-Git-Tag: lxc-1.1.0.alpha1~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58558042dcdf042e8956a63dc6af78730800f188;p=thirdparty%2Flxc.git

don't force dropping capabilities in lxc-init

Commit 0af683cf added clearing of capabilities to lxc-init, but only
after lxc_setup_fs() was done, likely so that the mounting done in
that routine wouldn't fail.

However, in my testing lxc_caps_reset() wasn't really effective
anyway since it did not clear the bounding set. Adding prctl
PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I
don't think its necessary to forcefully clear all capabilities since
users can now specify lxc.cap.keep = none to drop all capabilities.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
---

diff --git a/src/lxc/caps.c b/src/lxc/caps.c
index 28bb85e47..9f3e96cfe 100644
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -41,25 +41,6 @@ lxc_log_define(lxc_caps, lxc);
 #define PR_CAPBSET_READ 23
 #endif
 
-int lxc_caps_reset(void)
-{
-	cap_t cap = cap_init();
-	int ret = 0;
-
-	if (!cap) {
-		ERROR("cap_init() failed : %m");
-		return -1;
-	}
-
-	if (cap_set_proc(cap)) {
-		ERROR("cap_set_proc() failed : %m");
-		ret = -1;
-	}
-
-	cap_free(cap);
-	return ret;
-}
-
 int lxc_caps_down(void)
 {
 	cap_t caps;
diff --git a/src/lxc/caps.h b/src/lxc/caps.h
index daa8b6188..ac508e321 100644
--- a/src/lxc/caps.h
+++ b/src/lxc/caps.h
@@ -26,16 +26,12 @@
 #define __LXC_CAPS_H
 
 #if HAVE_SYS_CAPABILITY_H
-extern int lxc_caps_reset(void);
 extern int lxc_caps_down(void);
 extern int lxc_caps_up(void);
 extern int lxc_caps_init(void);
 
 extern int lxc_caps_last_cap(void);
 #else
-static inline int lxc_caps_reset(void) {
-        return 0;
-}
 static inline int lxc_caps_down(void) {
         return 0;
 }
diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index b5596a036..5578736af 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -104,9 +104,6 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if (lxc_caps_init())
-		exit(EXIT_FAILURE);
-
 	err = lxc_log_init(name, name ? NULL : "none", logpriority,
 			   basename(argv[0]), quiet, lxcpath);
 	if (err < 0)
@@ -168,9 +165,6 @@ int main(int argc, char *argv[])
 
 	lxc_setup_fs();
 
-	if (lxc_caps_reset())
-		exit(EXIT_FAILURE);
-
 	pid = fork();
 
 	if (pid < 0)