~gary/ubuntu/precise/lxc/bug-951150

Viewing changes to debian/patches/0032-start-check-caps.patch

Committer: Package Import Robot
Author(s): Stéphane Graber, Serge Hallyn, Stéphane Graber
Date: 2012-02-02 19:06:19 UTC
Revision ID: package-import@ubuntu.com-20120202190619-h9w5i7o9e37jtqs7

Tags: 0.7.5-3ubuntu17

[ Serge Hallyn ]
* 0032-start-check-caps.patch: exit early and with a clear error message
  if lxc-start is run with insufficient permissions.  (LP: #925520)
* debian/lxc.init: if there is a failure during lxc network setup, clean
  up and exit. (LP: #925511)

[ Stéphane Graber ]
* 0033-ubuntu-template-multiarch.patch: Add support for building
  containers using qemu-user-static, using multi-arch to install some
  packages of the host architecture so the container boots and works.
* Add qemu-user-static as a Suggest of lxc.

files added:
.pc/0032-start-check-caps.patch

.pc/0032-start-check-caps.patch/src

.pc/0032-start-check-caps.patch/src/lxc

.pc/0032-start-check-caps.patch/src/lxc/caps.c

.pc/0032-start-check-caps.patch/src/lxc/caps.h

.pc/0032-start-check-caps.patch/src/lxc/start.c

.pc/0033-ubuntu-template-multiarch.patch

.pc/0033-ubuntu-template-multiarch.patch/templates

.pc/0033-ubuntu-template-multiarch.patch/templates/lxc-ubuntu.in

debian/patches/0032-start-check-caps.patch

debian/patches/0033-ubuntu-template-multiarch.patch

files modified:
.pc/applied-patches

debian/changelog

debian/control

debian/lxc.init

debian/patches/series

src/lxc/caps.c

src/lxc/caps.h

src/lxc/start.c

templates/lxc-ubuntu.in

Show diffs side-by-side

added added

removed removed

debian/patches/0032-start-check-caps.patch

Description: lxc-start: exit early if insufficient privs

This should be forwarded upstream.

Author: Serge Hallyn <serge.hallyn@ubuntu.com>

Forwarded: no

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/925520

Index: lxc/src/lxc/caps.c

===================================================================

--- lxc.orig/src/lxc/caps.c 2012-01-31 15:05:12.426098000 -0600

+++ lxc/src/lxc/caps.c 2012-02-02 12:19:12.957178682 -0600

@@ -167,3 +167,42 @@

return 0;

}

+/*

+ * check if we have the caps needed to start a container. returns 1 on

+ * success, 0 on error. (I'd prefer this be a bool, but am afraid that

+ * might fail to build on some distros).

+ */

+int lxc_caps_check(void)

+ uid_t uid = getuid();

+ cap_t caps;

+ cap_flag_value_t value;

+ int i, ret;

+ cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };

+#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))

+ if (!uid)

+ return 1;

+ caps = cap_get_proc();

+ if (!caps) {

+ ERROR("failed to cap_get_proc: %m");

+ return 0;

+ }

+ for (i=0; i<NUMCAPS; i++) {

+ ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);

+ if (ret) {

+ ERROR("Failed to cap_get_flag: %m");

+ return 0;

+ }

+ if (!value) {

+ return 0;

+ }

+ return 1;

Index: lxc/src/lxc/caps.h

===================================================================

--- lxc.orig/src/lxc/caps.h 2012-01-31 15:05:12.426098000 -0600

+++ lxc/src/lxc/caps.h 2012-02-02 12:01:31.445196657 -0600

@@ -27,6 +27,7 @@

extern int lxc_caps_down(void);

extern int lxc_caps_up(void);

extern int lxc_caps_init(void);

+extern int lxc_caps_check(void);

#define lxc_priv(__lxc_function) \

({ \

Index: lxc/src/lxc/start.c

===================================================================

--- lxc.orig/src/lxc/start.c 2012-01-31 15:05:12.426098000 -0600

+++ lxc/src/lxc/start.c 2012-02-02 12:24:46.797173030 -0600

@@ -335,10 +335,17 @@

return -1;

}

+extern int lxc_caps_check(void);

struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf)

{

struct lxc_handler *handler;

+ if (!lxc_caps_check()) {

+ ERROR("Not running with sufficient privilege");

+ return NULL;

+ }

handler = malloc(sizeof(*handler));

if (!handler)

return NULL;

Older »