From: Christian Brauner
Date: Wed, 28 Oct 2020 03:16:41 +0000 (+0100)
Subject: attach: require that LXC_ATTACH_LSM_LABEL is specified
X-Git-Tag: lxc-5.0.0~344^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3568%2Fhead;p=thirdparty%2Flxc.git

attach: require that LXC_ATTACH_LSM_LABEL is specified

to avoid liblxc stumbling over an smaller struct passed in from an older liblxc. In the future we should version by size but this requires a new attach2().

Signed-off-by: Christian Brauner
---

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 13224805c..acbffa238 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -779,7 +779,10 @@ static int attach_child_main(struct attach_clone_payload *payload)
 /* Change into our new LSM profile. */
 on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
- lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;
+ if (options->attach_flags & LXC_ATTACH_LSM_LABEL)
+ lsm_label = options->lsm_label;
+ if (!lsm_label)
+ lsm_label = init_ctx->lsm_label;
 ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd, lsm_label, on_exec);
 close(lsm_fd);
diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index cdcd8f8ec..80fe43910 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -30,6 +30,7 @@ enum {
 /* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
 LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
 LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
+ LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
 /* We have 16 bits for things that are on by default and 16 bits that
 * are off by default, that should be sufficient to keep binary
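Review bot: On the new path where LXC_ATTACH_LSM_LABEL is not set in attach_flags, `if (!lsm_label)` tests whatever lsm_label held before the hunk; its declaration is outside the hunk (attach_child_main starts above line 779), so unless it is initialised to NULL there, the fallback to init_ctx->lsm_label is decided by an indeterminate value. Making the first assignment unconditional removes that dependency on the declaration: `lsm_label = (options->attach_flags & LXC_ATTACH_LSM_LABEL) ? options->lsm_label : NULL;` followed by the existing `if (!lsm_label) lsm_label = init_ctx->lsm_label;`. The reason the flag must gate the read lives only in the commit message, so a short comment at the new `if` would help the next reader: `/* Only read options->lsm_label when the caller set LXC_ATTACH_LSM_LABEL: an older caller may pass a shorter struct that lacks this member. */`. The enclosing block and function continue outside the hunk.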