From: Maximilian Blenk
Date: Tue, 24 Aug 2021 07:55:14 +0000 (+0200)
Subject: tools: fix elevated privilege handler in lxc-attach
X-Git-Tag: lxc-5.0.0~104^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3949%2Fhead;p=thirdparty%2Flxc.git

tools: fix elevated privilege handler in lxc-attach

Make sure to return an error when the user requests an LSM profile to be set while also requesting that elevated LSM privileges are to be used.

Signed-off-by: Maximilian Blenk
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index e06500884..0374d980b 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -334,8 +334,23 @@ int main(int argc, char *argv[])
 if (remount_sys_proc)
 attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS;
 
- if (elevated_privileges)
+ if (elevated_privileges) {
+ if ((elevated_privileges & LXC_ATTACH_LSM_EXEC)) {
+ if (selinux_context) {
+ ERROR("Cannot combine elevated LSM privileges while requesting LSM profile");
+ goto out;
+ }
+
+ /*
+ * While most LSM flags are off by default let's still
+ * make sure they are stripped when elevated LSM
+ * privileges are requested.
+ */
+ elevated_privileges |= LXC_ATTACH_LSM;
+ }
+
 attach_options.attach_flags &= ~(elevated_privileges);
+ }
 
 if (stdfd_is_pty())
 attach_options.attach_flags |= LXC_ATTACH_TERMINAL;
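Review bot: The conflict check against `selinux_context` is keyed on `LXC_ATTACH_LSM_EXEC` alone, while the mask that is then cleared from `attach_options.attach_flags` is widened to the whole `LXC_ATTACH_LSM` group. If `elevated_privileges` can ever carry another bit of that group without `LXC_ATTACH_LSM_EXEC` (the option parsing is outside this hunk, so this is unverified), that bit would be cleared while a requested context is accepted without an error; testing the group, `if (elevated_privileges & LXC_ATTACH_LSM) {`, makes the rejection fail closed. The error text would also be easier to act on if it named the two conflicting command-line options rather than "LSM profile". `main` and the `out` label lie outside the hunk, so it should be confirmed that the `goto out` path exits with a failure status.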