]> git.ipfire.org Git - thirdparty/lxc.git/commit
projects / thirdparty / lxc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7c8b10e) | patch
attach: set no_new_privs flag after LSM label 3466/head
authorAlexander Livenets <a.livenets@gmail.com>
Mon, 29 Jun 2020 22:06:20 +0000 (00:06 +0200)
committerAlexander Livenets <a.livenets@gmail.com>
Mon, 29 Jun 2020 22:54:36 +0000 (00:54 +0200)
commit6ce8e67825258fe8a38b057b1459a4f35e4b39bb
treedab98ec86fe64f74ce4d00e8665d494124f79400tree
parent7c8b10e515c7c5d2d3418a053a656ac871019f9acommit | diff
attach: set no_new_privs flag after LSM label

In `start.c:1284`, no_new_privs flag is set after LSM label is set.
Also, in `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving
`PR_SET_NO_NEW_PRIVS` set logic after LSM for the process is configured;

Closes #3393

Signed-off-by: Alexander Livenets <a.livenets@gmail.com>
src/lxc/attach.c diff | blob | blame | history
Mirror of https://github.com/lxc/lxc.git