1
Description: lxc-start: exit early if insufficient privs
2
This should be forwarded upstream.
3
Author: Serge Hallyn <serge.hallyn@ubuntu.com>
5
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/925520
7
Index: lxc/src/lxc/caps.c
8
===================================================================
9
--- lxc.orig/src/lxc/caps.c 2012-01-31 15:05:12.426098000 -0600
10
+++ lxc/src/lxc/caps.c 2012-02-02 12:19:12.957178682 -0600
17
+ * check if we have the caps needed to start a container. returns 1 on
18
+ * success, 0 on error. (I'd prefer this be a bool, but am afraid that
19
+ * might fail to build on some distros).
21
+int lxc_caps_check(void)
23
+ uid_t uid = getuid();
25
+ cap_flag_value_t value;
28
+ cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
30
+#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
35
+ caps = cap_get_proc();
37
+ ERROR("failed to cap_get_proc: %m");
41
+ for (i=0; i<NUMCAPS; i++) {
42
+ ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
44
+ ERROR("Failed to cap_get_flag: %m");
54
Index: lxc/src/lxc/caps.h
55
===================================================================
56
--- lxc.orig/src/lxc/caps.h 2012-01-31 15:05:12.426098000 -0600
57
+++ lxc/src/lxc/caps.h 2012-02-02 12:01:31.445196657 -0600
59
extern int lxc_caps_down(void);
60
extern int lxc_caps_up(void);
61
extern int lxc_caps_init(void);
62
+extern int lxc_caps_check(void);
64
#define lxc_priv(__lxc_function) \
66
Index: lxc/src/lxc/start.c
67
===================================================================
68
--- lxc.orig/src/lxc/start.c 2012-01-31 15:05:12.426098000 -0600
69
+++ lxc/src/lxc/start.c 2012-02-02 12:24:46.797173030 -0600
74
+extern int lxc_caps_check(void);
76
struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf)
78
struct lxc_handler *handler;
80
+ if (!lxc_caps_check()) {
81
+ ERROR("Not running with sufficient privilege");
85
handler = malloc(sizeof(*handler));