From 65129087f4cd6c4d20ec22461423f871b200a645 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Wed, 28 Oct 2020 04:16:41 +0100
Subject: [PATCH] attach: require that LXC_ATTACH_LSM_LABEL is specified

to avoid liblxc stumbling over an smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().

Signed-off-by: Christian Brauner
---
 src/lxc/attach.c         | 5 ++++-
 src/lxc/attach_options.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 13224805c..acbffa238 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -779,7 +779,10 @@ static int attach_child_main(struct attach_clone_payload *payload)
 
 	/* Change into our new LSM profile. */
 	on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-	lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;
+	if (options->attach_flags & LXC_ATTACH_LSM_LABEL)
+		lsm_label = options->lsm_label;
+	if (!lsm_label)
+		lsm_label = init_ctx->lsm_label;
 	ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd,
 						      lsm_label, on_exec);
 	close(lsm_fd);
diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index cdcd8f8ec..80fe43910 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -30,6 +30,7 @@ enum {
 	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
 	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
 	LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
+	LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
 
 	/* We have 16 bits for things that are on by default and 16 bits that
 	 * are off by default, that should be sufficient to keep binary
-- 
2.47.2
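Review bot: After this change `lsm_label` is only written when LXC_ATTACH_LSM_LABEL is set, so the `if (!lsm_label)` fallback reads whatever value the variable held before; the old line assigned it unconditionally, and the declaration is outside this hunk, so unless it is initialised to NULL this is a read of an indeterminate pointer and the fallback to `init_ctx->lsm_label` is not reliable. Making the first step an unconditional assignment removes the dependency on the declaration: `lsm_label = (options->attach_flags & LXC_ATTACH_LSM_LABEL) ? options->lsm_label : NULL;` in place of the first two added lines. The flag gate itself is the right shape for the ABI concern in the commit message: `options->lsm_label` is now only dereferenced when the caller set a bit that an older liblxc cannot know, which keeps the read inside the smaller struct such a caller hands in. Note that a caller which filled `lsm_label` without setting the new flag now silently gets the container's own label rather than an error, which is worth a sentence in the function's comment. attach_child_main begins and ends outside this hunk.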
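Review bot: The new enum comment describes the flag as optional ("Set custom LSM label") but the attach.c hunk in this same patch makes it required: `lsm_label` is ignored unless the flag is set, which changes behaviour for existing callers that populated the field alone. Suggest `/*!< Use the LSM label in @lsm_label; without this flag @lsm_label is ignored and the container's own label is applied. */`. The patch also relies on the bit not being part of any default flag set, since that is what keeps older callers from triggering the read; the default-flag definitions are outside this hunk and worth a check. The enum itself opens before the hunk.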