From: Alexander Mikhalitsyn
Date: Sat, 17 Feb 2024 15:43:21 +0000 (+0100)
Subject: confile: move lxc_fill_elevated_privileges() to tools/lxc_attach
X-Git-Tag: v6.0.0~19^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=672b2172de2277e950e05d2abe0b1115fa6c3f53;p=thirdparty%2Flxc.git
confile: move lxc_fill_elevated_privileges() to tools/lxc_attach
lxc_fill_elevated_privileges() is used only in lxc-attach tool, let's move this function in there.
Signed-off-by: Alexander Mikhalitsyn
---
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 2c25e7712..bf0f10008 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -3297,51 +3297,6 @@ int lxc_config_parse_arch(const char *arch, signed long *persona)
 return ret_errno(EINVAL);
 }
-int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags)
-{
- unsigned int flags_tmp = 0;
- char *token;
- struct {
- const char *token;
- int flag;
- } all_privs[] = {
- { "CGROUP", LXC_ATTACH_MOVE_TO_CGROUP },
- { "CAP", LXC_ATTACH_DROP_CAPABILITIES },
- { "LSM", LXC_ATTACH_LSM_EXEC },
- { NULL, 0 }
- };
-
- if (!flaglist) {
- /*
- * For the sake of backward compatibility, keep all privileges
- * if no specific privileges are specified.
- */
- for (unsigned int i = 0; all_privs[i].token; i++)
- flags_tmp |= all_privs[i].flag;
-
- *flags = flags_tmp;
- return 0;
- }
-
- lxc_iterate_parts(token, flaglist, "|") {
- bool valid_token = false;
-
- for (unsigned int i = 0; all_privs[i].token; i++) {
- if (!strequal(all_privs[i].token, token))
- continue;
-
- valid_token = true;
- flags_tmp |= all_privs[i].flag;
- }
-
- if (!valid_token)
- return syserror_set(-EINVAL, "Invalid elevated privilege \"%s\" requested", token);
- }
-
- *flags = flags_tmp;
- return 0;
-}
-
 /* Write out a configuration file. */
 int write_config(int fd, const struct lxc_conf *conf)
 {
diff --git a/src/lxc/confile.h b/src/lxc/confile.h
index d9b20c64e..168fbce29 100644
--- a/src/lxc/confile.h
+++ b/src/lxc/confile.h
@@ -90,8 +90,6 @@ __hidden extern void lxc_config_define_free(struct lxc_list *defines);
 */
 __hidden extern int lxc_config_parse_arch(const char *arch, signed long *persona);
-__hidden extern int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags);
-
 __hidden extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);
 __hidden extern int write_config(int fd, const struct lxc_conf *conf);
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 6482b0aee..a76877dc2 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -46,6 +46,7 @@ __attribute__((constructor)) static void lxc_attach_rexec(void)
 #endif
 static int my_parser(struct lxc_arguments *args, int c, char *arg);
+static int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags);
 static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
 static bool stdfd_is_pty(void);
 static int lxc_attach_create_log_file(const char *log_file);
@@ -213,6 +214,51 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)
 return 0;
 }
+static int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags)
+{
+ unsigned int flags_tmp = 0;
+ char *token;
+ struct {
+ const char *token;
+ int flag;
+ } all_privs[] = {
+ { "CGROUP", LXC_ATTACH_MOVE_TO_CGROUP },
+ { "CAP", LXC_ATTACH_DROP_CAPABILITIES },
+ { "LSM", LXC_ATTACH_LSM_EXEC },
+ { NULL, 0 }
+ };
+
+ if (!flaglist) {
+ /*
+ * For the sake of backward compatibility, keep all privileges
+ * if no specific privileges are specified.
+ */
+ for (unsigned int i = 0; all_privs[i].token; i++)
+ flags_tmp |= all_privs[i].flag;
+
+ *flags = flags_tmp;
+ return 0;
+ }
+
+ lxc_iterate_parts(token, flaglist, "|") {
+ bool valid_token = false;
+
+ for (unsigned int i = 0; all_privs[i].token; i++) {
+ if (!strequal(all_privs[i].token, token))
+ continue;
+
+ valid_token = true;
+ flags_tmp |= all_privs[i].flag;
+ }
+
+ if (!valid_token)
+ return syserror_set(-EINVAL, "Invalid elevated privilege \"%s\" requested", token);
+ }
+
+ *flags = flags_tmp;
+ return 0;
+}
+
 static int add_to_simple_array(char ***array, ssize_t *capacity, char *value)
 {
 ssize_t count = 0;
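Review bot: The relocated lxc_fill_elevated_privileges() arrives in lxc_attach.c without a header comment, and now that its declaration has left confile.h this is the only place its contract can be read. A comment above the `static int lxc_fill_elevated_privileges` line such as `/* Parse a "|"-separated list of CGROUP, CAP and LSM tokens into LXC_ATTACH_* flags; a NULL flaglist keeps every flag for backward compatibility; returns 0, or the negative errno from syserror_set() (-EINVAL) for an unknown token. */` would cover it. It is also worth stating that tokenising goes through lxc_iterate_parts, which appears to split flaglist in place, so callers must hand over a writable buffer they no longer need intact — confirm against the macro definition. A minor consistency point: `all_privs[].flag` is declared `int` but is OR'd into the unsigned `flags_tmp`; `unsigned int flag;` keeps the bitwise arithmetic in a single signedness.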