The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4943
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <[email protected]> Signed-off-by: Stéphane Graber <[email protected]>
From 0505a8b5078b2e1ee276a37995ba8397d79ae46c Mon Sep 17 00:00:00 2001 From: Christian Brauner <[email protected]> Date: Fri, 17 Aug 2018 17:03:23 +0200 Subject: [PATCH] shared/idmap: test fcaps support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Christian Brauner <[email protected]> Signed-off-by: Stéphane Graber <[email protected]>
---
 shared/idmap/idmapset_linux.go | 17 +++++++++--
 shared/idmap/shift_linux.go | 53 ++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+), 3 deletions(-)
diff --git a/shared/idmap/idmapset_linux.go b/shared/idmap/idmapset_linux.go
index ea3779384..d6e7bdf49 100644
--- a/shared/idmap/idmapset_linux.go
+++ b/shared/idmap/idmapset_linux.go
@@ -469,6 +469,14 @@ func (m IdmapSet) ShiftFromNs(uid int64, gid int64) (int64, int64) {
 }
 
 func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how string, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
+ v3Caps := true
+ if how == "in" {
+ if !supportsV3Fcaps(dir) {
+ logger.Debugf("System doesn't support unprivileged file capabilities")
+ v3Caps = false
+ }
+ }
+
 // Expand any symlink before the final path component
 tmp := filepath.Dir(dir)
 tmp, err := filepath.EvalSymlinks(tmp)
@@ -546,9 +554,12 @@ func (set *IdmapSet) doUidshiftIntoContainer(dir string, testmode bool, how stri
 if how == "in" {
 rootUid, _ = set.ShiftIntoNs(0, 0)
 }
- err = SetCaps(path, caps, rootUid)
- if err != nil {
- logger.Warnf("Unable to set file capabilities on %s", path)
+
+ if how != "in" || v3Caps {
+ err = SetCaps(path, caps, rootUid)
+ if err != nil {
+ logger.Warnf("Unable to set file capabilities on %s", path)
+ }
 }
 }
 }
diff --git a/shared/idmap/shift_linux.go b/shared/idmap/shift_linux.go
index 920789a4c..9045fe395 100644
--- a/shared/idmap/shift_linux.go
+++ b/shared/idmap/shift_linux.go
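Review bot: When supportsV3Fcaps returns false, the gate added in the second hunk skips SetCaps on the shift-in path, so the caps value this function passes to SetCaps (read somewhere outside the hunk) is never written back and the only trace is a Debugf line; an operator whose container binaries silently lost their capabilities after a shift will not find it in normal logs. I'd make it `logger.Warnf("System doesn't support unprivileged file capabilities, not restoring file capabilities under %s", dir)`. The probe also creates and executes a file inside `dir` before the symlink expansion that follows it, so it may be worth calling it after `dir` has been resolved rather than on the raw argument. doUidshiftIntoContainer continues outside both hunks.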
@@ -5,6 +5,10 @@ package idmap
 
 import (
 "fmt"
+ "io/ioutil"
+ "os"
+ "os/exec"
+ "syscall"
 "unsafe"
 
 "github.com/lxc/lxd/shared"
@@ -70,6 +74,20 @@ int set_vfs_ns_caps(char *path, char *caps, ssize_t len, uint32_t uid)
 return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0);
 }
 
+int set_dummy_fs_ns_caps(const char *path)
+{
+ #define __raise_cap_permitted(x, ns_cap_data) ns_cap_data.data[(x)>>5].permitted |= (1<<((x)&31))
+
+ struct vfs_ns_cap_data ns_xattr;
+
+ memset(&ns_xattr, 0, sizeof(ns_xattr));
+ __raise_cap_permitted(CAP_NET_RAW, ns_xattr);
+ ns_xattr.magic_etc |= VFS_CAP_REVISION_3 | VFS_CAP_FLAGS_EFFECTIVE;
+ ns_xattr.rootid = BE32_TO_LE32(1000000);
+
+ return setxattr(path, "security.capability", &ns_xattr, sizeof(ns_xattr), 0);
+}
+
 int shiftowner(char *basepath, char *path, int uid, int gid)
 {
 int fd, ret;
@@ -279,3 +297,38 @@ func shiftAclType(path string, aclType _Ctype_acl_type_t, shiftIds func(uid int6
 
 return nil
 }
+
+func supportsV3Fcaps(prefix string) bool {
+ tmpfile, err := ioutil.TempFile(prefix, ".lxd_fcaps_v3_")
+ if err != nil {
+ return false
+ }
+ tmpfile.Close()
+ defer os.Remove(tmpfile.Name())
+
+ err = os.Chmod(tmpfile.Name(), 0001)
+ if err != nil {
+ return false
+ }
+
+ cpath := C.CString(tmpfile.Name())
+ defer C.free(unsafe.Pointer(cpath))
+
+ r := C.set_dummy_fs_ns_caps(cpath)
+ if r != 0 {
+ return false
+ }
+
+ cmd := exec.Command(tmpfile.Name())
+ err = cmd.Run()
+ if err != nil {
+ errno, isErrno := shared.GetErrno(err)
+ if isErrno && (errno == syscall.ERANGE || errno == syscall.EOVERFLOW) {
+ return false
+ }
+
+ return true
+ }
+
+ return true
+}
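Review bot: `__raise_cap_permitted` in set_dummy_fs_ns_caps is a reserved identifier in C (leading double underscore) and the #define inside the function body is never #undef'd, so it stays visible to everything later in the cgo preamble; a file-scope `#define raise_cap_permitted(x, d) ...` next to the other helpers, or an `#undef` after its single use, avoids both. The probe also hard-codes `ns_xattr.rootid = BE32_TO_LE32(1000000)` while the neighbouring set_vfs_ns_caps takes the rootid as a parameter; `int set_dummy_fs_ns_caps(const char *path, uint32_t uid)` with `ns_xattr.rootid = BE32_TO_LE32(uid)` would let the caller probe with the same rootid it is about to write. A one-line comment above the function saying that it writes a minimal v3 capability xattr purely to test whether the running kernel can read that layout would spare the next reader from wondering why CAP_NET_RAW and a fixed uid were chosen.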
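Review bot: supportsV3Fcaps treats every exec failure other than ERANGE/EOVERFLOW as proof of support, including the EACCES a `noexec`-mounted prefix returns before the kernel ever looks at the xattr, so on such a mount the probe answers true whatever the kernel; as far as I can tell only the ENOEXEC that executing an empty file produces shows the xattr was read and accepted, and other errnos deserve at least a debug line with the error. Everything after TempFile goes by name (os.Chmod, setxattr on cpath, exec.Command(tmpfile.Name())), so if anything else can write to prefix while the shift runs the path can be swapped between setxattr and exec and LXD, running as root, executes whatever is there; `tmpfile.Chmod(0001)` on the handle removes one window, fsetxattr via the fd would remove another but needs the C helper to take an fd, and the handle must be closed before the exec or the kernel refuses with ETXTBSY. The probe also runs on every shift-in; a package-level sync.Once would avoid creating and executing a file per call. Whether this file already imports logger is not visible here.
```go
	tmpfile, err := ioutil.TempFile(prefix, ".lxd_fcaps_v3_")
	if err != nil {
		return false
	}
	defer os.Remove(tmpfile.Name())

	// fchmod through the handle we created, not a second lookup by name
	err = tmpfile.Chmod(0001)
	if err != nil {
		tmpfile.Close()
		return false
	}

	// must be closed before the exec below, or execve fails with ETXTBSY
	tmpfile.Close()

	// … unchanged: C.CString / set_dummy_fs_ns_caps / exec.Command …

	err = cmd.Run()
	if err == nil {
		return true
	}

	errno, isErrno := shared.GetErrno(err)
	if !isErrno {
		return true
	}

	switch errno {
	case syscall.ERANGE, syscall.EOVERFLOW:
		// the kernel could not read the v3 xattr while loading the probe
		return false
	case syscall.ENOEXEC:
		// expected: the empty probe was opened and its xattr accepted
		return true
	default:
		// e.g. EACCES from a noexec mount, where the xattr was never consulted
		logger.Debugf("Unexpected error probing fcaps v3 support in %s: %v", prefix, err)
		return true
	}
```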
