The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2569
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

Unprivileged app containers will not be able to open the passed in /proc/1/fd/<idx> log path and will thus currently fail completely as soon as any log level or log file is passed.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
Reported-by: Mrinal Dhillon <mdhil...@juniper.net>
From a35036ca3ab5d58ada11d74a0ccabb83972e54c9 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Thu, 23 Aug 2018 15:46:12 +0200 Subject: [PATCH] execute: skip lxc-init logging when unprivileged Unprivileged app containers will not be able to open the passed in /proc/1/fd/<idx> log path and will thus currently fail completely as soon as any log level or log file is passed. Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> Reported-by: Mrinal Dhillon <mdhil...@juniper.net> --- src/lxc/execute.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/src/lxc/execute.c b/src/lxc/execute.c index d01df6b2e..43130be61 100644 --- a/src/lxc/execute.c +++ b/src/lxc/execute.c @@ -43,6 +43,7 @@ static int execute_start(struct lxc_handler *handler, void* data) int argc = 0, i = 0, logfd = -1; struct execute_args *my_args = data; char logfile[LXC_PROC_PID_FD_LEN]; + bool is_privileged = lxc_list_empty(&handler->conf->id_map); while (my_args->argv[argc++]); @@ -51,11 +52,13 @@ static int execute_start(struct lxc_handler *handler, void* data) if (my_args->quiet) argc_add++; - if (!handler->conf->rootfs.path) - argc_add += 2; + if (is_privileged) { + if (!handler->conf->rootfs.path) + argc_add += 2; - if (lxc_log_has_valid_level()) - argc_add += 2; + if (lxc_log_has_valid_level()) + argc_add += 2; + } if (current_config->logfd != -1 || lxc_log_fd != -1) argc_add += 2; @@ -79,7 +82,7 @@ static int execute_start(struct lxc_handler *handler, void* data) argv[i++] = (char *)lxc_log_priority_to_string(lxc_log_get_level()); } - if (current_config->logfd != -1 || lxc_log_fd != -1) { + if (is_privileged && (current_config->logfd != -1 || lxc_log_fd != -1)) { int ret; int to_dup = current_config->logfd;
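Review bot: In the first hunk (@@ -43,6 +43,7 @@), the new `is_privileged` flag is inferred solely from `lxc_list_empty(&handler->conf->id_map)`, and nothing in the patch documents that equivalence. A one-line comment stating that an empty id_map is treated as a privileged container would make the two later uses of the flag easier to audit. If the tree already has a helper that expresses this check, calling it here would keep a second definition of "privileged" from drifting away from the first.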
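Review bot: In the second hunk (@@ -51,11 +52,13 @@), the `argc_add` accounting no longer lines up with the argument writes visible in the last hunk. The counts for `rootfs.path` and `lxc_log_has_valid_level()` are now conditional on `is_privileged`, yet the write of `lxc_log_priority_to_string(lxc_log_get_level())` into `argv[i++]` appears only as unchanged context, and the diffstat (8 insertions, 5 deletions) is fully accounted for by the three hunks shown. If that write's condition does not also depend on privilege, an unprivileged container with a log level set writes two more entries than were counted, which is an out-of-bounds write if `argv` is sized from `argc_add`. In the other direction, the logfd count stays outside the new block while its write is gated, so the two sides disagree there as well. Please gate every count with exactly the same condition as its write, and say in the commit message why the `rootfs.path` arguments are affected, since the description only mentions logging.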
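Review bot: In the last hunk (@@ -79,7 +82,7 @@), the new condition `is_privileged && (current_config->logfd != -1 || lxc_log_fd != -1)` drops the requested log file for unprivileged containers without any indication. A user who passes a log file and then finds no lxc-init output cannot tell that it was skipped on purpose. Consider logging a message at this point when the block is skipped because of `is_privileged`, or documenting the limitation next to the log options, so that missing init logs are not mistaken for a container that never started.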