From: Christian Brauner
Date: Thu, 1 Sep 2016 23:30:59 +0000 (+0200)
Subject: conf, confile: add option for PR_SET_NO_NEW_PRIVS
X-Git-Tag: lxc-2.1.0~325^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5a46f2831ee8444c6146345dd0e0ec2a83e4e761;p=thirdparty%2Flxc.git

conf, confile: add option for PR_SET_NO_NEW_PRIVS

Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 69a72ea50..e48466730 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -382,6 +382,9 @@ struct lxc_conf {
 	/* The facility to pass to syslog. Let's users establish as what type of
 	 * program liblxc is supposed to write to the syslog. */
 	char *syslog;
+
+	/* Whether PR_SET_NO_NEW_PRIVS will be set for the container. */
+	bool no_new_privs;
 };
 
 #ifdef HAVE_TLS
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 9ad05e588..8f370f6cf 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -114,6 +114,7 @@ static int config_init_cmd(const char *, const char *, struct lxc_conf *);
 static int config_init_uid(const char *, const char *, struct lxc_conf *);
 static int config_init_gid(const char *, const char *, struct lxc_conf *);
 static int config_ephemeral(const char *, const char *, struct lxc_conf *);
+static int config_no_new_privs(const char *, const char *, struct lxc_conf *);
 
 static struct lxc_config_t config[] = {
 
@@ -187,6 +188,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.init_gid", config_init_gid },
 	{ "lxc.ephemeral", config_ephemeral },
 	{ "lxc.syslog", config_syslog },
+	{ "lxc.no_new_privs", config_no_new_privs },
 };
 
 struct signame {
@@ -2562,6 +2564,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
 		return lxc_get_conf_int(c, retv, inlen, c->ephemeral);
 	else if (strcmp(key, "lxc.syslog") == 0)
 		v = c->syslog;
+	else if (strcmp(key, "lxc.no_new_privs") == 0)
+		return lxc_get_conf_int(c, retv, inlen, c->no_new_privs);
 	else
 		return -1;
 	if (!v)
@@ -2954,3 +2958,17 @@ static int config_syslog(const char *key, const char *value,
 	lxc_log_syslog(facility);
 	return config_string_item(&lxc_conf->syslog, value);
 }
+
+static int config_no_new_privs(const char *key, const char *value,
+			       struct lxc_conf *lxc_conf)
+{
+	int v = atoi(value);
+
+	if (v != 0 && v != 1) {
+		ERROR("Wrong value for lxc.no_new_privs. Can only be set to 0 or 1");
+		return -1;
+	}
+	lxc_conf->no_new_privs = v ? true : false;
+
+	return 0;
+}
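Review bot: `int v = atoi(value);` in the new config_no_new_privs turns any non-numeric string into 0, so a misspelling such as `lxc.no_new_privs = yes` silently leaves the hardening off instead of tripping the `v != 0 && v != 1` check, and trailing garbage like `1x` is accepted as 1. Parsing with strtol and requiring the whole string to be consumed makes the handler reject everything except an explicit 0 or 1; the rewrite below assumes errno.h is already included in confile.c, which this hunk does not show. If the other integer handlers in this file (config_ephemeral is visible here only as a prototype) use the same atoi pattern they share the problem. Including the rejected value in the ERROR message, e.g. `ERROR("Wrong value \"%s\" for lxc.no_new_privs. Can only be set to 0 or 1", value);`, would also make misconfigurations easier to diagnose from the log.
```c
static int config_no_new_privs(const char *key, const char *value,
			       struct lxc_conf *lxc_conf)
{
	char *end = NULL;
	long v;

	errno = 0;
	v = strtol(value, &end, 10);
	/* Only a fully consumed, explicit "0" or "1" is accepted. */
	if (end == value || *end != '\0' || errno == ERANGE ||
	    (v != 0 && v != 1)) {
		ERROR("Wrong value for lxc.no_new_privs. Can only be set to 0 or 1");
		return -1;
	}
	/* … unchanged: store into lxc_conf->no_new_privs and return 0 … */
```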