From: Alexander Livenets Date: Mon, 29 Jun 2020 22:06:20 +0000 (+0200) Subject: attach: set no_new_privs flag after LSM label X-Git-Tag: lxc-5.0.0~402^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3466%2Fhead;p=thirdparty%2Flxc.git attach: set no_new_privs flag after LSM label In `start.c:1284`, no_new_privs flag is set after LSM label is set. Also, in `lxc.container.conf` documentation it is written that: ``` Note that PR_SET_NO_NEW_PRIVS is applied after the container has changed into its intended AppArmor profile or SElinux context. ``` This commit fixes the behavior of `lxc_attach` by moving `PR_SET_NO_NEW_PRIVS` set logic after LSM for the process is configured; Closes #3393 Signed-off-by: Alexander Livenets
---
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 38e16f2d1..4cd4f4175 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -770,17 +770,6 @@ static int attach_child_main(struct attach_clone_payload *payload)
 else
 new_gid = ns_root_gid;
- if ((init_ctx->container && init_ctx->container->lxc_conf &&
- init_ctx->container->lxc_conf->no_new_privs) ||
- (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
- ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
- prctl_arg(0), prctl_arg(0));
- if (ret < 0)
- goto on_error;
- TRACE("Set PR_SET_NO_NEW_PRIVS");
- }
-
 if (needs_lsm) {
 bool on_exec;
@@ -795,6 +784,17 @@ static int attach_child_main(struct attach_clone_payload *payload)
 TRACE("Set %s LSM label to \"%s\"", lsm_name(), init_ctx->lsm_label);
 }
+ if ((init_ctx->container && init_ctx->container->lxc_conf &&
+ init_ctx->container->lxc_conf->no_new_privs) ||
+ (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
+ ret = prctl(PR_SET_NO_NEW_PRIVS, prctl_arg(1), prctl_arg(0),
+ prctl_arg(0), prctl_arg(0));
+ if (ret < 0)
+ goto on_error;
+
+ TRACE("Set PR_SET_NO_NEW_PRIVS");
+ }
+
 if (init_ctx->container && init_ctx->container->lxc_conf &&
 init_ctx->container->lxc_conf->seccomp.seccomp) {
 struct lxc_conf *conf = init_ctx->container->lxc_conf;
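Review bot: The relocated `PR_SET_NO_NEW_PRIVS` block gives no in-code reason for its position after the LSM label, so the ordering this commit relies on can be silently undone by the next refactor; add above the `if` a comment such as `/* Must follow the LSM label: no_new_privs is applied after the AppArmor/SELinux transition, matching start.c and the lxc.container.conf note. */`. When the label is applied with on_exec the domain change is deferred to the later exec, which then runs with no_new_privs already set, so it is worth confirming that the LSM permits that transition under the flag and recording the answer in the same comment. The prctl failure path jumps to on_error without any diagnostic, unlike the TRACE on success; `SYSERROR("Failed to set PR_SET_NO_NEW_PRIVS");` before the goto would make the failure visible in the log. attach_child_main starts and ends outside this hunk.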