[Libct] [PATCH 4/7] ct: use propertios from a process descriptor
Andrey Vagin
avagin at openvz.org
Thu Oct 30 01:55:11 PDT 2014
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
src/ct.c | 10 +++++++---
src/include/security.h | 4 ++--
src/security.c | 19 +++++++++++++------
3 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index 11abd6a..785f31f 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -200,6 +200,7 @@ static int ct_clone(void *arg)
int ret = -1;
struct ct_clone_arg *ca = arg;
struct container *ct = ca->ct;
+ struct process_desc *p = ca->p;
close(ca->child_wait_pipe[1]);
close(ca->parent_wait_pipe[0]);
@@ -213,7 +214,7 @@ static int ct_clone(void *arg)
goto err;
}
- if (prctl(PR_SET_PDEATHSIG, ct->pdeathsig))
+ if (prctl(PR_SET_PDEATHSIG, p->pdeathsig))
goto err;
if (!(ct->flags & CT_NOSETSID) && setsid() == -1)
@@ -267,7 +268,7 @@ static int ct_clone(void *arg)
if (ret < 0)
goto err_um;
- ret = apply_caps(ct);
+ ret = apply_creds(p);
if (ret < 0)
goto err_um;
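Review bot: If apply_creds() fails after it has already switched gid/uid (its capability step comes after the uid change, so a capset failure leaves the child unprivileged), the `goto err_um` here runs the cleanup with the dropped credentials; whatever err_um does is outside this hunk, but a privileged unwind step such as an unmount would then fail with EPERM and the error path is not reported back. Consider ordering the credential change as the last privileged-to-unprivileged step immediately before cb() is invoked, so no cleanup that needs the old privileges can run after it, or at least documenting at this call that a failure here leaves the child in a partially-dropped state. The enclosing ct_clone() starts and ends outside this hunk.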
@@ -321,6 +322,7 @@ err:
static int local_spawn_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *), void *arg)
{
struct container *ct = cth2ct(h);
+ struct process_desc *p = prh2pr(ph);
int ret = -1, pid, aux;
struct ct_clone_arg ca;
@@ -349,6 +351,7 @@ static int local_spawn_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
ca.cb = cb;
ca.arg = arg;
ca.ct = ct;
+ ca.p = p;
pid = clone(ct_clone, &ca.stack_ptr, ct->nsmask | SIGCHLD, &ca);
if (pid < 0)
goto err_clone;
@@ -450,6 +453,7 @@ static int local_spawn_execve(ct_handler_t ct, ct_process_desc_t pr, char *path,
static int local_enter_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *), void *arg)
{
struct container *ct = cth2ct(h);
+ struct process_desc *p = prh2pr(ph);
int aux = -1, pid;
if (ct->state != CT_RUNNING)
@@ -491,7 +495,7 @@ static int local_enter_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
exit(-1);
}
- if (apply_caps(ct))
+ if (apply_creds(p))
exit(-1);
aux = cb(arg);
diff --git a/src/include/security.h b/src/include/security.h
index a79d42e..fe8cd84 100644
--- a/src/include/security.h
+++ b/src/include/security.h
@@ -1,8 +1,8 @@
#ifndef __LIBCT_SECURITY_H__
#define __LIBCT_SECURITY_H__
-struct container;
+struct process_desc;
-extern int apply_caps(struct container *ct);
+extern int apply_creds(struct process_desc *p);
#endif /* __LIBCT_SECURITY_H__ */
diff --git a/src/security.c b/src/security.c
index 9e971e2..1970e1e 100644
--- a/src/security.c
+++ b/src/security.c
@@ -1,6 +1,7 @@
#include <unistd.h>
#include <string.h>
#include <stdio.h>
+#include <grp.h>
#include <sys/prctl.h>
@@ -59,17 +60,23 @@ static int apply_all_caps(unsigned long mask)
return capset(&header, data);
}
-int apply_caps(struct container *ct)
+int apply_creds(struct process_desc *p)
{
- if (!ct->cap_mask)
+ if (setgroups(p->ngroups, p->groups))
+ return -1;
+
+ if (setgid(p->gid) || setuid(p->uid))
+ return -1;
+
+ if (!p->cap_mask)
return 0;
- if (ct->cap_mask & CAPS_BSET)
- if (apply_bset(ct->cap_bset) < 0)
+ if (p->cap_mask & CAPS_BSET)
+ if (apply_bset(p->cap_bset) < 0)
return -1;
- if (ct->cap_mask & CAPS_ALLCAPS)
- if (apply_all_caps(ct->cap_caps) < 0)
+ if (p->cap_mask & CAPS_ALLCAPS)
+ if (apply_all_caps(p->cap_caps) < 0)
return -1;
return 0;
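Review bot: The capability work at the end of apply_creds() runs after `setuid(p->uid)`, so for any non-zero uid it executes with a permitted/effective set the kernel has already cleared on the 0-to-non-zero uid change (unless PR_SET_KEEPCAPS or SECBIT_KEEP_CAPS was set) and without CAP_SETPCAP, so the bounding-set drop and capset() calls will presumably fail with EPERM and the whole spawn fails whenever cap_mask is combined with a non-root uid. Apply the mask before the uid/gid change (the bounding set survives setuid, so drop it first), or set `prctl(PR_SET_KEEPCAPS, 1)` before `setuid()` and re-raise the wanted effective set with capset() afterwards; apply_bset()/apply_all_caps() bodies are outside this hunk, so the exact syscalls are inferred from the capset() context line. Separately, `setgroups(p->ngroups, p->groups)` is now called unconditionally, which needs CAP_SETGID, so an unprivileged caller that previously got the early `return 0` from a zero cap_mask will now get -1 from `setgroups(0, NULL)`; if clearing supplementary groups is intentional, say so in a comment above the call, otherwise guard the groups/gid/uid block on the descriptor actually requesting a change. It would also be worth verifying the drop with `getuid()`/`getgid()` after the calls before returning 0.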
--
1.9.1