[Libct] [PATCH 4/7] ct: use propertios from a process descriptor

Andrey Vagin avagin at openvz.org
Thu Oct 30 01:55:11 PDT 2014


Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 src/ct.c               | 10 +++++++---
 src/include/security.h |  4 ++--
 src/security.c         | 19 +++++++++++++------
 3 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index 11abd6a..785f31f 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -200,6 +200,7 @@ static int ct_clone(void *arg)
 	int ret = -1;
 	struct ct_clone_arg *ca = arg;
 	struct container *ct = ca->ct;
+	struct process_desc *p = ca->p;
 
 	close(ca->child_wait_pipe[1]);
 	close(ca->parent_wait_pipe[0]);
@@ -213,7 +214,7 @@ static int ct_clone(void *arg)
 			goto err;
 	}
 
-	if (prctl(PR_SET_PDEATHSIG, ct->pdeathsig))
+	if (prctl(PR_SET_PDEATHSIG, p->pdeathsig))
 		goto err;
 
 	if (!(ct->flags & CT_NOSETSID) && setsid() == -1)
@@ -267,7 +268,7 @@ static int ct_clone(void *arg)
 	if (ret < 0)
 		goto err_um;
 
-	ret = apply_caps(ct);
+	ret = apply_creds(p);
 	if (ret < 0)
 		goto err_um;
 
@@ -321,6 +322,7 @@ err:
 static int local_spawn_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *), void *arg)
 {
 	struct container *ct = cth2ct(h);
+	struct process_desc *p = prh2pr(ph);
 	int ret = -1, pid, aux;
 	struct ct_clone_arg ca;
 
@@ -349,6 +351,7 @@ static int local_spawn_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
 	ca.cb = cb;
 	ca.arg = arg;
 	ca.ct = ct;
+	ca.p = p;
 	pid = clone(ct_clone, &ca.stack_ptr, ct->nsmask | SIGCHLD, &ca);
 	if (pid < 0)
 		goto err_clone;
@@ -450,6 +453,7 @@ static int local_spawn_execve(ct_handler_t ct, ct_process_desc_t pr, char *path,
 static int local_enter_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *), void *arg)
 {
 	struct container *ct = cth2ct(h);
+	struct process_desc *p = prh2pr(ph);
 	int aux = -1, pid;
 
 	if (ct->state != CT_RUNNING)
@@ -491,7 +495,7 @@ static int local_enter_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
 				exit(-1);
 		}
 
-		if (apply_caps(ct))
+		if (apply_creds(p))
 			exit(-1);
 
 		aux = cb(arg);
diff --git a/src/include/security.h b/src/include/security.h
index a79d42e..fe8cd84 100644
--- a/src/include/security.h
+++ b/src/include/security.h
@@ -1,8 +1,8 @@
 #ifndef __LIBCT_SECURITY_H__
 #define __LIBCT_SECURITY_H__
 
-struct container;
+struct process_desc;
 
-extern int apply_caps(struct container *ct);
+extern int apply_creds(struct process_desc *p);
 
 #endif /* __LIBCT_SECURITY_H__ */
diff --git a/src/security.c b/src/security.c
index 9e971e2..1970e1e 100644
--- a/src/security.c
+++ b/src/security.c
@@ -1,6 +1,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <stdio.h>
+#include <grp.h>
 
 #include <sys/prctl.h>
 
@@ -59,17 +60,23 @@ static int apply_all_caps(unsigned long mask)
 	return capset(&header, data);
 }
 
-int apply_caps(struct container *ct)
+int apply_creds(struct process_desc *p)
 {
-	if (!ct->cap_mask)
+	if (setgroups(p->ngroups, p->groups))
+		return -1;
+
+	if (setgid(p->gid) || setuid(p->uid))
+		return -1;
+
+	if (!p->cap_mask)
 		return 0;
 
-	if (ct->cap_mask & CAPS_BSET)
-		if (apply_bset(ct->cap_bset) < 0)
+	if (p->cap_mask & CAPS_BSET)
+		if (apply_bset(p->cap_bset) < 0)
 			return -1;
 
-	if (ct->cap_mask & CAPS_ALLCAPS)
-		if (apply_all_caps(ct->cap_caps) < 0)
+	if (p->cap_mask & CAPS_ALLCAPS)
+		if (apply_all_caps(p->cap_caps) < 0)
 			return -1;
 
 	return 0;
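Review bot: The capability steps in apply_creds run after setgid()/setuid(), so for any descriptor whose uid is non-zero they will fail: switching from uid 0 to a non-zero uid clears the permitted and effective sets unless PR_SET_KEEPCAPS is raised beforehand, and apply_bset()'s PR_CAPBSET_DROP needs CAP_SETPCAP, which is gone by then. Drop the bounding set before the uid/gid change and raise keepcaps when a CAPS_ALLCAPS mask is requested, so apply_all_caps() can still narrow the sets afterwards; if uid is always 0 in practice this is latent, but the function's contract does not say so. Separately, setgroups() is now called unconditionally where apply_caps() used to be a no-op for cap_mask == 0; setgroups(0, NULL) still requires CAP_SETGID, so if unprivileged callers were previously supported they now get EPERM — presumably worth gating on ngroups or an explicit flag.
```c
int apply_creds(struct process_desc *p)
{
	/* PR_CAPBSET_DROP needs CAP_SETPCAP: do it before the uid transition. */
	if ((p->cap_mask & CAPS_BSET) && apply_bset(p->cap_bset) < 0)
		return -1;

	if (setgroups(p->ngroups, p->groups))
		return -1;

	/* Keep permitted caps across setuid() so capset() below can still narrow them. */
	if ((p->cap_mask & CAPS_ALLCAPS) && prctl(PR_SET_KEEPCAPS, 1))
		return -1;

	if (setgid(p->gid) || setuid(p->uid))
		return -1;

	if ((p->cap_mask & CAPS_ALLCAPS) && apply_all_caps(p->cap_caps) < 0)
		return -1;

	return 0;
}
```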
-- 
1.9.1


