From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Tue, 24 Aug 2021 07:54:27 +0000 (+0200)
Subject: confile: rework lxc_fill_elevated_privileges()
X-Git-Tag: lxc-5.0.0~104^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d253a09f9b69ab278254b9cd2468da7024ef8c7a;p=thirdparty%2Flxc.git

confile: rework lxc_fill_elevated_privileges()

Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 1cc8da15f..2afcd87d4 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -3256,10 +3256,10 @@ int lxc_config_parse_arch(const char *arch, signed long *persona)
 	return ret_errno(EINVAL);
 }
 
-int lxc_fill_elevated_privileges(char *flaglist, int *flags)
+int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags)
 {
+	unsigned int flags_tmp = 0;
 	char *token;
-	int i, aflag;
 	struct {
 		const char *token;
 		int flag;
@@ -3271,28 +3271,33 @@ int lxc_fill_elevated_privileges(char *flaglist, int *flags)
 	};
 
 	if (!flaglist) {
-		/* For the sake of backward compatibility, drop all privileges
-		*  if none is specified.
+		/*
+		 * For the sake of backward compatibility, keep all privileges
+		 * if no specific privileges are specified.
 		 */
-		for (i = 0; all_privs[i].token; i++)
-			*flags |= all_privs[i].flag;
+		for (unsigned int i = 0; all_privs[i].token; i++)
+			flags_tmp |= all_privs[i].flag;
 
+		*flags = flags_tmp;
 		return 0;
 	}
 
 	lxc_iterate_parts(token, flaglist, "|") {
-		aflag = -1;
+		bool valid_token = false;
 
-		for (i = 0; all_privs[i].token; i++)
-			if (strequal(all_privs[i].token, token))
-				aflag = all_privs[i].flag;
+		for (unsigned int i = 0; all_privs[i].token; i++) {
+			if (!strequal(all_privs[i].token, token))
+				continue;
 
-		if (aflag < 0)
-			return ret_errno(EINVAL);
+			valid_token = true;
+			flags_tmp |= all_privs[i].flag;
+		}
 
-		*flags |= aflag;
+		if (!valid_token)
+			return syserror_set(-EINVAL, "Invalid elevated privilege \"%s\" requested", token);
 	}
 
+	*flags = flags_tmp;
 	return 0;
 }
 
diff --git a/src/lxc/confile.h b/src/lxc/confile.h
index 96c589189..999dc1648 100644
--- a/src/lxc/confile.h
+++ b/src/lxc/confile.h
@@ -89,7 +89,7 @@ __hidden extern void lxc_config_define_free(struct lxc_list *defines);
  */
 __hidden extern int lxc_config_parse_arch(const char *arch, signed long *persona);
 
-__hidden extern int lxc_fill_elevated_privileges(char *flaglist, int *flags);
+__hidden extern int lxc_fill_elevated_privileges(char *flaglist, unsigned int *flags);
 
 __hidden extern int lxc_clear_config_item(struct lxc_conf *c, const char *key);
 
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index cd1518f8f..e06500884 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -52,7 +52,7 @@ static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
 static bool stdfd_is_pty(void);
 static int lxc_attach_create_log_file(const char *log_file);
 
-static int elevated_privileges;
+static unsigned int elevated_privileges;
 static signed long new_personality = -1;
 static int namespace_flags = -1;
 static int remount_sys_proc;