The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4940
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <[email protected]>
From 372918f2d9c0119f0cbc6dc4f00580cb779b99d5 Mon Sep 17 00:00:00 2001 From: Christian Brauner <[email protected]> Date: Fri, 17 Aug 2018 17:03:23 +0200 Subject: [PATCH] shared/idmap: test fcaps support Signed-off-by: Christian Brauner <[email protected]> --- shared/idmap/idmapset_linux.go | 11 ++++++--- shared/idmap/shift_linux.go | 45 ++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go index ea3779384..d31ff9da7 100644 --- a/shared/idmap/idmapset_linux.go +++ b/shared/idmap/idmapset_linux.go @@ -543,12 +543,17 @@ func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how stri // Shift capabilities if len(caps) != 0 { rootUid := int64(0) + v3Caps := true if how == "in" { rootUid, _ = set.ShiftIntoNs(0, 0) + v3Caps = supportsV3Fcaps() } - err = SetCaps(path, caps, rootUid) - if err != nil { - logger.Warnf("Unable to set file capabilities on %s", path) + + if how != "in" || v3Caps { + err = SetCaps(path, caps, rootUid) + if err != nil { + logger.Warnf("Unable to set file capabilities on %s", path) + } } } } diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go index 920789a4c..83f2b5aa4 100644 --- a/shared/idmap/shift_linux.go +++ b/shared/idmap/shift_linux.go @@ -5,6 +5,8 @@ package idmap import ( "fmt" + "io/ioutil" + "os" "unsafe" "github.com/lxc/lxd/shared" @@ -70,6 +72,20 @@ int set_vfs_ns_caps(char *path, char *caps, ssize_t len, uint32_t uid) return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0); } +int set_dummy_fs_ns_caps(const char *path) +{ + #define __raise_cap_permitted(x, ns_cap_data) ns_cap_data.data[(x)>>5].permitted |= (1<<((x)&31)) + + struct vfs_ns_cap_data ns_xattr; + + memset(&ns_xattr, 0, sizeof(ns_xattr)); + __raise_cap_permitted(CAP_NET_RAW, ns_xattr); + ns_xattr.magic_etc |= VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE; + ns_xattr.rootid = BE32_TO_LE32(1000000); + + return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0); +} + int shiftowner(char *basepath, char *path, int uid, int gid) { int fd, ret; @@ -279,3 +295,32 @@ func shiftAclType(path string, aclType _Ctype_acl_type_t, shiftIds func(uid int6 return nil } + +func supportsV3Fcaps() bool { + tmpfile, err := ioutil.TempFile("", ".lxd_fcaps_v3_") + if err != nil { + return false + } + defer tmpfile.Close() + defer os.Remove(tmpfile.Name()) + + err = os.Chmod(tmpfile.Name(), 0001) + if err != nil { + return false + } + + cpath := C.CString(tmpfile.Name()) + defer C.free(unsafe.Pointer(cpath)) + + r := C.set_dummy_fs_ns_caps(cpath) + if r != 0 { + return false + } + + _, err = shared.RunCommand(tmpfile.Name()) + if err != nil { + return false + } + + return true +}
_______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
