This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <[email protected]>
From b1c982ad65b50bb228f7d3833cd669735627f3f7 Mon Sep 17 00:00:00 2001
From: Christian Brauner <[email protected]>
Date: Tue, 3 Jul 2018 12:26:45 +0200
Subject: [PATCH 1/2] proxy: add non-abstract unix socket DAC properties

Closes #4718.

Signed-off-by: Christian Brauner <[email protected]>
---
 lxd/container.go | 16 ++++++++++++++--
 lxd/container_lxc.go | 5 ++++-
 lxd/main_forkproxy.go | 44 +++++++++++++++++++++++++++++++++++++++++++-
 lxd/proxy_device_utils.go | 22 ++++++++++++++--------
 4 files changed, 75 insertions(+), 12 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index b5ee111a8..07d8effbc 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -227,11 +227,17 @@ func containerValidDeviceConfigKey(t, k string) bool {
 }
 case "proxy":
 switch k {
- case "listen":
+ case "bind":
+ return true
+ case "gid":
 return true
 case "connect":
 return true
- case "bind":
+ case "listen":
+ return true
+ case "mode":
+ return true
+ case "uid":
 return true
 default:
 return false
@@ -458,6 +464,12 @@ func containerValidDevices(db *db.Cluster, devices types.Devices, profile bool,
 if m["connect"] == "" {
 return fmt.Errorf("Proxy device entry is missing the required \"connect\" property.")
 }
+
+ if (!strings.HasPrefix(m["listen"], "unix:") ||
+ (strings.HasPrefix(m["listen"], "unix:") && strings.HasPrefix(m["listen"][len("unix:"):], "@"))) &&
+ (m["uid"] != "" || m["gid"] != "" || m["mode"] != "") {
+ return fmt.Errorf("Only proxy devices for non-abstract unix sockets can carry gid, uid, or mode properties")
+ }
 } else if m["type"] == "none" {
 continue
 } else {
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 77b53cb36..5d647dd9d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -6861,7 +6861,10 @@ func (c *containerLXC) insertProxyDevice(devName string, m types.Device) error {
 proxyValues.connectPid,
 proxyValues.connectAddr,
 logPath,
- pidPath)
+ pidPath,
+ proxyValues.listenAddrGid,
+ proxyValues.listenAddrUid,
+ proxyValues.listenAddrMode)
 if err != nil {
 return fmt.Errorf("Error occurred when starting proxy device: %s", err)
 }
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 9d5edb08d..0edcc47f8 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -442,6 +442,8 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
 }

 if C.whoami == C.FORKPROXY_CHILD {
+ defer syscall.Close(forkproxyUDSSockFDNum)
+
 if lAddr.connType == "unix" && !lAddr.abstract {
 err := os.Remove(lAddr.addr[0])
 if err != nil && !os.IsNotExist(err) {
@@ -467,7 +469,47 @@ func (c *cmdForkproxy) Run(cmd *cobra.Command, args []string) error {
 file.Close()
 }

- syscall.Close(forkproxyUDSSockFDNum)
+ if lAddr.connType == "unix" && !lAddr.abstract {
+ var err error
+
+ listenAddrGid := -1
+ if args[6] != "" {
+ listenAddrGid, err = strconv.Atoi(args[6])
+ if err != nil {
+ return err
+ }
+ }
+
+ listenAddrUid := -1
+ if args[7] != "" {
+ listenAddrUid, err = strconv.Atoi(args[7])
+ if err != nil {
+ return err
+ }
+ }
+
+ if listenAddrGid != -1 || listenAddrUid != -1 {
+ err = os.Chown(lAddr.addr[0], listenAddrUid, listenAddrGid)
+ if err != nil {
+ return err
+ }
+ }
+
+ var listenAddrMode os.FileMode
+ if args[8] != "" {
+ tmp, err := strconv.Atoi(args[8])
+ if err != nil {
+ return err
+ }
+
+ listenAddrMode = os.FileMode(tmp)
+ err = os.Chmod(lAddr.addr[0], listenAddrMode)
+ if err != nil {
+ return err
+ }
+ }
+ }

 return err
 }
diff --git a/lxd/proxy_device_utils.go b/lxd/proxy_device_utils.go
index 2c8591bf5..30733af2b 100644
--- a/lxd/proxy_device_utils.go
+++ b/lxd/proxy_device_utils.go
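Review bot: The three values appended to the forkproxy command line are passed positionally, gid before uid, and nothing at this call site records that forkproxy reads them back as args[6], args[7] and args[8] in that order; swapping two of them would chown the socket to the wrong principal with no error from either side. A one-line comment on the call would pin the contract: `// Trailing args are read positionally by cmdForkproxy.Run as gid, uid, mode (args[6..8]); keep the order in sync.` insertProxyDevice begins before this hunk.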
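Review bot: `strconv.Atoi(args[8])` reads the mode as decimal, so `mode=0660` arrives as 660 (octal 01224) and `mode=0600` as 01130, which clears the owner's write bit and makes the socket unconnectable for exactly the user it was restricted to; parse it with `strconv.ParseUint(args[8], 8, 32)`. The chown and chmod are also done by path, after the bind that happened earlier in Run, and both follow symlinks, so if the listen path sits in a mount namespace a less-privileged party can write to (presumably the container's when the socket is bound inside it — not visible here), that party can replace the path with a symlink between bind and this code and have root re-own or re-mode a file of its choosing. Use `os.Lchown` for ownership, and for the mode open the path with `O_PATH|O_NOFOLLOW`, confirm it is a socket with fstat, and chmod through `/proc/self/fd/N` — or set the umask before the bind so the socket never exists with a broader mode. The `tmp, err :=` in the args[8] branch also shadows the outer err and the outer `var listenAddrMode` is only used inside that branch; both disappear with the rewrite below. Run starts and ends outside the hunk.
```go
// … unchanged: gid/uid parsing from args[6] and args[7] …

if listenAddrGid != -1 || listenAddrUid != -1 {
	// Lchown: never follow a symlink planted at the socket path.
	err = os.Lchown(lAddr.addr[0], listenAddrUid, listenAddrGid)
	if err != nil {
		return err
	}
}

if args[8] != "" {
	// Modes are written in octal (0660), not decimal.
	mode, err := strconv.ParseUint(args[8], 8, 32)
	if err != nil {
		return err
	}

	// Pin the inode before chmod so a swapped path cannot redirect it.
	fd, err := syscall.Open(lAddr.addr[0], syscall.O_PATH|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)

	var st syscall.Stat_t
	if err := syscall.Fstat(fd, &st); err != nil {
		return err
	}
	if st.Mode&syscall.S_IFMT != syscall.S_IFSOCK {
		return fmt.Errorf("%s is not a unix socket", lAddr.addr[0])
	}

	err = os.Chmod(fmt.Sprintf("/proc/self/fd/%d", fd), os.FileMode(mode))
	if err != nil {
		return err
	}
}
```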
@@ -14,10 +14,13 @@ import (
 )

 type proxyProcInfo struct {
- listenPid string
- connectPid string
- connectAddr string
- listenAddr string
+ listenPid string
+ connectPid string
+ connectAddr string
+ listenAddr string
+ listenAddrGid string
+ listenAddrUid string
+ listenAddrMode string
 }

 func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo, error) {
@@ -54,10 +57,13 @@ func setupProxyProcInfo(c container, device map[string]string) (*proxyProcInfo,
 }

 p := &proxyProcInfo{
- listenPid: listenPid,
- connectPid: connectPid,
- connectAddr: connectAddr,
- listenAddr: listenAddr,
+ listenPid: listenPid,
+ connectPid: connectPid,
+ connectAddr: connectAddr,
+ listenAddr: listenAddr,
+ listenAddrGid: device["gid"],
+ listenAddrUid: device["uid"],
+ listenAddrMode: device["mode"],
 }

 return p, nil

From f8bb52455383bb0fdf6937d04b32d8ac235de51e Mon Sep 17 00:00:00 2001
From: Christian Brauner <[email protected]>
Date: Tue, 3 Jul 2018 12:29:50 +0200
Subject: [PATCH 2/2] api: proxy_unix_dac_properties

Closes #4718.

Signed-off-by: Christian Brauner <[email protected]>
---
 doc/api-extensions.md | 3 +++
 shared/version/api.go | 1 +
 2 files changed, 4 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 0b9d7779f..bb9f921d5 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -533,3 +533,6 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details

 * `GET /1.0/networks/<name>/state`

+## proxy\_unix\_dac\_properties
+This adds support for gid, uid, and mode properties for non-abstract unix
+sockets.
diff --git a/shared/version/api.go b/shared/version/api.go
index 3c23bf0dc..ae15abe9a 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -111,6 +111,7 @@ var APIExtensions = []string{
 "clustering_join",
 "proxy_tcp_udp_multi_port_handling",
 "network_state",
+ "proxy_unix_dac_properties",
 }

 // APIExtensionsCount returns the number of available API extensions.
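Review bot: The three new fields in proxyProcInfo carry no comment, and a reader cannot tell from this hunk whether they hold parsed numbers or raw config text, or what an empty value means. A comment above them would settle it: `// DAC settings for a non-abstract unix listen socket: the raw "gid", "uid" and "mode" config strings, "" meaning leave the default; they are handed to forkproxy as argv and parsed there.` The struct is complete within the hunk; setupProxyProcInfo, which fills them, continues past it.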
