On 06/29/2012 11:41 AM, Serge Hallyn wrote: > The following patch allows me to run lxc-execute -n p1 -- /bin/ls > as unprivileged user. I've pushed it to git://github.com/hallyn/lxc.git. > Thanks, Sam, for pointing this out. > > CAP_LAST_CAP in linux/capability.h doesn't always match what the kernel > actually supports. If the kernel supports fewer capabilities, then a > cap_get_flag for an unsupported capability returns -EINVAL. > > Recognize that, and don't fail when initializing capabilities when this > happens, rather accept that we've reached the last capability. > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > Reported-by: Sam Wang <zhefw...@gmail.com> > --- > src/lxc/caps.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > > diff --git a/src/lxc/caps.c b/src/lxc/caps.c > index 10a0b4a..c32e7e4 100644 > --- a/src/lxc/caps.c > +++ b/src/lxc/caps.c > @@ -28,6 +28,7 @@ > #include <limits.h> > #include <sys/prctl.h> > #include <sys/capability.h> > +#include <errno.h> > > #include "log.h" > > @@ -90,6 +91,7 @@ int lxc_caps_up(void) > cap_t caps; > cap_value_t cap; > int ret; > + int lastcap = 0; > > /* when we are run as root, we don't want to play > * with the capabilities */ > @@ -108,9 +110,15 @@ int lxc_caps_up(void) > > ret = cap_get_flag(caps, cap, CAP_PERMITTED, &flag); > if (ret) { > - ERROR("failed to cap_get_flag: %m"); > - goto out; > + if (errno == EINVAL) { > + INFO("Last supported cap was %d\n", cap-1); > + break; > + } else { > + ERROR("failed to cap_get_flag: %m"); > + goto out; > + } > } > + lastcap = cap; > > ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap, flag); > if (ret) { >
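Review bot: In the third hunk of lxc_caps_up(), the new EINVAL branch logs cap-1, while lastcap (declared in the second hunk and assigned right after the check) is never read. Either pass lastcap to the INFO() call or drop the variable. The INFO() format string also ends in "\n" where the ERROR() call in the same hunk has none, so the trailing newline looks inconsistent with the existing logging calls. A short comment on the errno == EINVAL test, saying that it marks the end of the capabilities the kernel supports when that is fewer than CAP_LAST_CAP, would document why the loop breaks here instead of failing.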
The idea of the change looks good, though you're defining a new lastcap variable that you then set but never actually seem to use as you're instead using cap-1 in the INFO() call. Am I just missing some context or is that indeed not used?

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users