From 0af683cf29633c8655c3dd07eb75feaf2e8cc3cb Mon Sep 17 00:00:00 2001
From: "clg@linux.vnet.ibm.com"
Date: Thu, 27 May 2010 12:17:40 +0200
Subject: [PATCH] drop capabilities in lxc-init (V2)
capabilities are reseted just after the filesystem is mounted. lxc_setup_fs() is moved up, before the process is forked.
Signed-off-by: Cedric Le Goater
Signed-off-by: Daniel Lezcano
---
 configure.ac | 9 +++++++++
 src/lxc/Makefile.am | 1 +
 src/lxc/lxc_init.c | 31 +++++++++++++++++++++++++++----
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 46e8ff768..83e01d5e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -72,6 +72,15 @@ AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h],
 AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), [#include #include ])
+AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
+AC_MSG_CHECKING([linux capabilities])
+if test "x$caplib" = "xyes" ; then
+ CAP_LIBS="-lcap"
+ AC_MSG_RESULT([$CAP_LIBS])
+else
+ AC_MSG_ERROR([not found])
+fi
+AC_SUBST([CAP_LIBS])
 # Some systems lack PR_CAPBSET_DROP definition => HAVE_DECL_PR_CAPBSET_DROP
 AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include ])
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 7c9ae7ad9..41cbb014d 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -100,6 +100,7 @@ lxc_execute_SOURCES = lxc_execute.c
 lxc_freeze_SOURCES = lxc_freeze.c
 lxc_info_SOURCES = lxc_info.c
 lxc_init_SOURCES = lxc_init.c
+lxc_init_LDADD = $(LDADD) @CAP_LIBS@
 lxc_monitor_SOURCES = lxc_monitor.c
 lxc_restart_SOURCES = lxc_restart.c
 lxc_start_SOURCES = lxc_start.c
diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index a34818e5f..270bf35c4 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #define _GNU_SOURCE
 #include
@@ -48,6 +49,25 @@ static struct option options[] = {
 static int was_interrupted = 0;
+static int cap_reset(void)
+{
+ cap_t cap = cap_init();
+ int ret = 0;
+
+ if (!cap) {
+ ERROR("cap_init() failed : %m");
+ return -1;
+ }
+
+ if (cap_set_proc(cap)) {
+ ERROR("cap_set_proc() failed : %m");
+ ret = -1;
+ }
+
+ cap_free(cap);
+ return ret;
+}
+
 int main(int argc, char *argv[])
 {
@@ -98,6 +118,12 @@ int main(int argc, char *argv[])
 sigaction(i, &act, NULL);
 }
+ if (lxc_setup_fs())
+ exit(err);
+
+ if (cap_reset())
+ exit(err);
+
 pid = fork();
 if (pid < 0)
@@ -109,13 +135,10 @@ int main(int argc, char *argv[])
 signal(i, SIG_DFL);
 sigprocmask(SIG_SETMASK, &omask, NULL);
- if (lxc_setup_fs())
- exit(err);
-
 NOTICE("about to exec '%s'", aargv[0]);
 execvp(aargv[0], aargv);
- ERROR("failed to exec: '%s' : %s", aargv[0], strerror(errno));
+ ERROR("failed to exec: '%s' : %m", aargv[0]);
 exit(err);
 }
-- 
2.47.2
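Review bot: cap_reset() in src/lxc/lxc_init.c carries no comment saying which capability sets it clears, and the new code leaves the capability bounding set untouched. `cap_init()` returns an empty state and `cap_set_proc()` applies it to the calling process's effective, permitted and inheritable sets only. If lxc-init runs as uid 0 with default securebits, the later `execvp()` therefore recomputes a full permitted set for the command. If the command is meant never to hold those capabilities, that needs to be enforced separately (configure.ac already probes `PR_CAPBSET_DROP`). At minimum add a header comment such as `/* clear this process's effective/permitted/inheritable sets; the bounding set is not changed, so a uid-0 exec regains capabilities */`.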
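Review bot: The order of the two new calls in main() (hunk at -98,6 +118,12) is load-bearing but undocumented. lxc_setup_fs() has to run while the process still holds its capabilities, and cap_reset() has to run before `fork()` so that both lxc-init and the child it execs start from the cleared sets. A comment above the pair, e.g. `/* mount first (needs privileges), then drop capabilities before forking */`, would keep a later reorder from failing the mounts or forking with capabilities still held. lxc_setup_fs() is defined outside this patch, so its privilege needs are inferred from the commit message; main() itself starts and ends outside the hunk.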
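Review bot: The `%m` now used in the exec-failure message (hunk at -109,13 +135,10), and in both messages in cap_reset(), reads errno when the string is formatted rather than when the call failed. The removed `strerror(errno)` was evaluated as an argument before ERROR() ran, so the new form is only correct if nothing in the logging path changes errno before formatting; ERROR() is defined outside this patch, so that needs checking there. `%m` is also a glibc extension to the printf family. If either is a concern, capture the value right after the failing call with `int saved = errno;` and log `strerror(saved)`.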