2
* lxc: linux Container library
4
* (C) Copyright IBM Corp. 2007, 2008
7
* Daniel Lezcano <dlezcano at fr.ibm.com>
9
* This library is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU Lesser General Public
11
* License as published by the Free Software Foundation; either
12
* version 2.1 of the License, or (at your option) any later version.
14
* This library is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17
* Lesser General Public License for more details.
19
* You should have received a copy of the GNU Lesser General Public
20
* License along with this library; if not, write to the Free Software
21
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
31
#include <sys/param.h>
32
#include <sys/prctl.h>
34
#if !HAVE_DECL_PR_CAPBSET_DROP
35
#define PR_CAPBSET_DROP 24
38
#include "namespace.h"
47
lxc_log_define(lxc_attach, lxc);
49
int setns(int fd, int nstype)
55
return syscall(__NR_setns, fd, nstype);
59
struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid)
61
struct lxc_proc_context_info *info = calloc(1, sizeof(*info));
63
char proc_fn[MAXPATHLEN];
64
char *line = NULL, *ptr, *ptr2;
65
size_t line_bufsz = 0;
70
SYSERROR("Could not allocate memory.");
74
/* read capabilities */
75
snprintf(proc_fn, MAXPATHLEN, "/proc/%d/status", pid);
77
proc_file = fopen(proc_fn, "r");
79
SYSERROR("Could not open %s", proc_fn);
84
while (getline(&line, &line_bufsz, proc_file) != -1) {
85
ret = sscanf(line, "CapBnd: %llx", &info->capability_mask);
86
if (ret != EOF && ret > 0) {
95
SYSERROR("Could not read capability bounding set from %s", proc_fn);
100
/* read personality */
101
snprintf(proc_fn, MAXPATHLEN, "/proc/%d/personality", pid);
103
proc_file = fopen(proc_fn, "r");
105
SYSERROR("Could not open %s", proc_fn);
109
ret = fscanf(proc_file, "%lx", &info->personality);
112
if (ret == EOF || ret == 0) {
113
SYSERROR("Could not read personality from %s", proc_fn);
119
snprintf(proc_fn, MAXPATHLEN, "/proc/%d/cgroup", pid);
121
proc_file = fopen(proc_fn, "r");
123
SYSERROR("Could not open %s", proc_fn);
127
/* we don't really know how many cgroup subsystems there are
128
* mounted, so we go through the whole file twice */
130
while (getline(&line, &line_bufsz, proc_file) != -1) {
131
/* we assume that all lines containing at least two colons
133
ptr = strchr(line, ':');
134
if (ptr && strchr(ptr + 1, ':'))
140
info->cgroups = calloc(i, sizeof(*(info->cgroups)));
141
info->cgroups_count = i;
144
while (getline(&line, &line_bufsz, proc_file) != -1 && i < info->cgroups_count) {
145
/* format of the lines is:
146
* id:subsystems:path, where subsystems are separated by
147
* commas and each subsystem may also be of the form
148
* name=xxx if it describes a private named hierarchy
149
* we will ignore the id in the following */
150
ptr = strchr(line, ':');
151
ptr2 = ptr ? strchr(ptr + 1, ':') : NULL;
153
/* ignore invalid lines */
154
if (!ptr || !ptr2) continue;
156
l = strlen(ptr2) - 1;
160
info->cgroups[i].subsystems = strndup(ptr + 1, ptr2 - (ptr + 1));
161
info->cgroups[i].cgroup = strdup(ptr2 + 1);
172
lxc_proc_free_context_info(info);
177
void lxc_proc_free_context_info(struct lxc_proc_context_info *info)
184
for (i = 0; i < info->cgroups_count; i++) {
185
free(info->cgroups[i].subsystems);
186
free(info->cgroups[i].cgroup);
193
int lxc_attach_proc_to_cgroups(pid_t pid, struct lxc_proc_context_info *ctx)
198
ERROR("No valid context supplied when asked to attach "
199
"process to cgroups.");
203
for (i = 0; i < ctx->cgroups_count; i++) {
206
/* the kernel should return paths that start with '/' */
207
if (ctx->cgroups[i].cgroup[0] != '/') {
208
ERROR("For cgroup subsystem(s) %s the path '%s' does "
209
"not start with a '/'",
210
ctx->cgroups[i].subsystems,
211
ctx->cgroups[i].cgroup);
215
/* lxc_cgroup_path_get can process multiple subsystems */
216
ret = lxc_cgroup_path_get(&path, ctx->cgroups[i].subsystems,
217
&ctx->cgroups[i].cgroup[1]);
221
ret = lxc_cgroup_attach(path, pid);
229
int lxc_attach_to_ns(pid_t pid)
231
char path[MAXPATHLEN];
232
char *ns[] = { "pid", "mnt", "net", "ipc", "uts" };
233
const int size = sizeof(ns) / sizeof(char *);
237
snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
238
if (access(path, X_OK)) {
239
ERROR("Does this kernel version support 'attach' ?");
243
for (i = 0; i < size; i++) {
244
snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, ns[i]);
245
fd[i] = open(path, O_RDONLY);
247
SYSERROR("failed to open '%s'", path);
252
for (i = 0; i < size; i++) {
253
if (setns(fd[i], 0)) {
254
SYSERROR("failed to set namespace '%s'", ns[i]);
264
int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx)
266
int last_cap = lxc_caps_last_cap();
269
for (cap = 0; cap <= last_cap; cap++) {
270
if (ctx->capability_mask & (1LL << cap))
273
if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0)) {
274
SYSERROR("failed to remove capability id %d", cap);
added
removed
.pc/0104-add-option-to-lxc-attach-to-select-ns/src/lxc/attach.c
