2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
33 #include <sys/param.h>
34 #include <sys/prctl.h>
35 #include <sys/mount.h>
36 #include <sys/socket.h>
37 #include <sys/syscall.h>
39 #include <linux/unistd.h>
42 #ifndef HAVE_DECL_PR_CAPBSET_DROP
43 #define PR_CAPBSET_DROP 24
46 #ifndef HAVE_DECL_PR_SET_NO_NEW_PRIVS
47 #define PR_SET_NO_NEW_PRIVS 38
50 #ifndef HAVE_DECL_PR_GET_NO_NEW_PRIVS
51 #define PR_GET_NO_NEW_PRIVS 39
54 #include "namespace.h"
65 #include "lxcseccomp.h"
66 #include <lxc/lxccontainer.h>
70 #if HAVE_SYS_PERSONALITY_H
71 #include <sys/personality.h>
75 # define SOCK_CLOEXEC 02000000
83 #define MS_SLAVE (1<<19)
86 lxc_log_define(lxc_attach
, lxc
);
88 /* /proc/pid-to-str/current\0 = (5 + 21 + 7 + 1) */
89 #define __LSMATTRLEN (5 + (LXC_NUMSTRLEN64) + 7 + 1)
90 static int lsm_openat(int procfd
, pid_t pid
, int on_exec
)
95 char path
[__LSMATTRLEN
];
99 if (strcmp(name
, "nop") == 0)
102 if (strcmp(name
, "none") == 0)
105 /* We don't support on-exec with AppArmor */
106 if (strcmp(name
, "AppArmor") == 0)
110 ret
= snprintf(path
, __LSMATTRLEN
, "%d/attr/exec", pid
);
112 ret
= snprintf(path
, __LSMATTRLEN
, "%d/attr/current", pid
);
113 if (ret
< 0 || ret
>= __LSMATTRLEN
)
116 labelfd
= openat(procfd
, path
, O_RDWR
);
118 SYSERROR("Unable to open file descriptor to set LSM label.");
125 static int lsm_set_label_at(int lsm_labelfd
, int on_exec
, char *lsm_label
)
129 char *command
= NULL
;
133 if (strcmp(name
, "nop") == 0)
136 if (strcmp(name
, "none") == 0)
139 /* We don't support on-exec with AppArmor */
140 if (strcmp(name
, "AppArmor") == 0)
143 if (strcmp(name
, "AppArmor") == 0) {
146 command
= malloc(strlen(lsm_label
) + strlen("changeprofile ") + 1);
148 SYSERROR("Failed to write apparmor profile.");
152 size
= sprintf(command
, "changeprofile %s", lsm_label
);
154 SYSERROR("Failed to write apparmor profile.");
158 if (write(lsm_labelfd
, command
, size
+ 1) < 0) {
159 SYSERROR("Unable to set LSM label: %s.", command
);
162 INFO("Set LSM label to: %s.", command
);
163 } else if (strcmp(name
, "SELinux") == 0) {
164 if (write(lsm_labelfd
, lsm_label
, strlen(lsm_label
) + 1) < 0) {
165 SYSERROR("Unable to set LSM label: %s.", lsm_label
);
168 INFO("Set LSM label to: %s.", lsm_label
);
170 ERROR("Unable to restore label for unknown LSM: %s.", name
);
178 if (lsm_labelfd
!= -1)
184 /* /proc/pid-to-str/status\0 = (5 + 21 + 7 + 1) */
185 #define __PROC_STATUS_LEN (5 + (LXC_NUMSTRLEN64) + 7 + 1)
186 static struct lxc_proc_context_info
*lxc_proc_get_context_info(pid_t pid
)
189 char proc_fn
[__PROC_STATUS_LEN
];
193 size_t line_bufsz
= 0;
194 struct lxc_proc_context_info
*info
= NULL
;
196 /* Read capabilities. */
197 ret
= snprintf(proc_fn
, __PROC_STATUS_LEN
, "/proc/%d/status", pid
);
198 if (ret
< 0 || ret
>= __PROC_STATUS_LEN
)
201 proc_file
= fopen(proc_fn
, "r");
203 SYSERROR("Could not open %s.", proc_fn
);
207 info
= calloc(1, sizeof(*info
));
209 SYSERROR("Could not allocate memory.");
214 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
215 ret
= sscanf(line
, "CapBnd: %llx", &info
->capability_mask
);
216 if (ret
!= EOF
&& ret
== 1) {
226 SYSERROR("Could not read capability bounding set from %s.", proc_fn
);
231 info
->lsm_label
= lsm_process_label_get(pid
);
240 static void lxc_proc_put_context_info(struct lxc_proc_context_info
*ctx
)
242 free(ctx
->lsm_label
);
244 lxc_container_put(ctx
->container
);
248 static int lxc_attach_to_ns(pid_t pid
, int which
)
251 int i
, j
, saved_errno
;
254 if (access("/proc/self/ns", X_OK
)) {
255 ERROR("Does this kernel version support namespaces?");
259 for (i
= 0; i
< LXC_NS_MAX
; i
++) {
260 /* Ignore if we are not supposed to attach to that namespace. */
261 if (which
!= -1 && !(which
& ns_info
[i
].clone_flag
)) {
266 fd
[i
] = lxc_preserve_ns(pid
, ns_info
[i
].proc_name
);
270 /* Close all already opened file descriptors before we
271 * return an error, so we don't leak them.
273 for (j
= 0; j
< i
; j
++)
277 SYSERROR("Failed to open namespace: \"%s\".", ns_info
[i
].proc_name
);
282 for (i
= 0; i
< LXC_NS_MAX
; i
++) {
286 if (setns(fd
[i
], 0) < 0) {
289 for (j
= i
; j
< LXC_NS_MAX
; j
++)
293 SYSERROR("Failed to attach to namespace \"%s\".", ns_info
[i
].proc_name
);
297 DEBUG("Attached to namespace \"%s\".", ns_info
[i
].proc_name
);
305 static int lxc_attach_remount_sys_proc(void)
309 ret
= unshare(CLONE_NEWNS
);
311 SYSERROR("Failed to unshare mount namespace.");
315 if (detect_shared_rootfs()) {
316 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
)) {
317 SYSERROR("Failed to make / rslave.");
318 ERROR("Continuing...");
322 /* Assume /proc is always mounted, so remount it. */
323 ret
= umount2("/proc", MNT_DETACH
);
325 SYSERROR("Failed to unmount /proc.");
329 ret
= mount("none", "/proc", "proc", 0, NULL
);
331 SYSERROR("Failed to remount /proc.");
335 /* Try to umount /sys. If it's not a mount point, we'll get EINVAL, then
336 * we ignore it because it may not have been mounted in the first place.
338 ret
= umount2("/sys", MNT_DETACH
);
339 if (ret
< 0 && errno
!= EINVAL
) {
340 SYSERROR("Failed to unmount /sys.");
342 } else if (ret
== 0) {
344 ret
= mount("none", "/sys", "sysfs", 0, NULL
);
346 SYSERROR("Failed to remount /sys.");
354 static int lxc_attach_drop_privs(struct lxc_proc_context_info
*ctx
)
356 int last_cap
= lxc_caps_last_cap();
359 for (cap
= 0; cap
<= last_cap
; cap
++) {
360 if (ctx
->capability_mask
& (1LL << cap
))
363 if (prctl(PR_CAPBSET_DROP
, cap
, 0, 0, 0)) {
364 SYSERROR("Failed to remove capability id %d.", cap
);
372 static int lxc_attach_set_environment(enum lxc_attach_env_policy_t policy
, char** extra_env
, char** extra_keep
)
374 if (policy
== LXC_ATTACH_CLEAR_ENV
) {
375 char **extra_keep_store
= NULL
;
381 for (count
= 0; extra_keep
[count
]; count
++);
383 extra_keep_store
= calloc(count
, sizeof(char *));
384 if (!extra_keep_store
) {
385 SYSERROR("Failed to allocate memory for storing current "
386 "environment variable values that will be kept.");
389 for (i
= 0; i
< count
; i
++) {
390 char *v
= getenv(extra_keep
[i
]);
392 extra_keep_store
[i
] = strdup(v
);
393 if (!extra_keep_store
[i
]) {
394 SYSERROR("Failed to allocate memory for storing current "
395 "environment variable values that will be kept.");
397 free(extra_keep_store
[--i
]);
398 free(extra_keep_store
);
401 if (strcmp(extra_keep
[i
], "PATH") == 0)
404 /* Calloc sets entire array to zero, so we don't
412 SYSERROR("Failed to clear environment.");
413 if (extra_keep_store
) {
414 for (p
= extra_keep_store
; *p
; p
++)
416 free(extra_keep_store
);
421 if (extra_keep_store
) {
423 for (i
= 0; extra_keep
[i
]; i
++) {
424 if (extra_keep_store
[i
]) {
425 if (setenv(extra_keep
[i
], extra_keep_store
[i
], 1) < 0)
426 SYSERROR("Unable to set environment variable.");
428 free(extra_keep_store
[i
]);
430 free(extra_keep_store
);
433 /* Always set a default path; shells and execlp tend to be fine
434 * without it, but there is a disturbing number of C programs
435 * out there that just assume that getenv("PATH") is never NULL
436 * and then die a painful segfault death.
439 setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1);
442 if (putenv("container=lxc")) {
443 SYSERROR("Failed to set environment variable.");
447 /* Set extra environment variables. */
449 for (; *extra_env
; extra_env
++) {
450 /* Duplicate the string, just to be on the safe side,
451 * because putenv does not do it for us.
453 char *p
= strdup(*extra_env
);
454 /* We just assume the user knows what they are doing, so
455 * we don't do any checks.
458 SYSERROR("Failed to allocate memory for additional environment "
469 static char *lxc_attach_getpwshell(uid_t uid
)
477 /* We need to fork off a process that runs the getent program, and we
478 * need to capture its output, so we use a pipe for that purpose.
494 size_t line_bufsz
= 0;
500 pipe_f
= fdopen(pipes
[0], "r");
501 while (getline(&line
, &line_bufsz
, pipe_f
) != -1) {
503 char *saveptr
= NULL
;
508 /* If we already found something, just continue to read
509 * until the pipe doesn't deliver any more data, but
510 * don't modify the existing data structure.
515 /* Trim line on the right hand side. */
516 for (i
= strlen(line
); i
> 0 && (line
[i
- 1] == '\n' || line
[i
- 1] == '\r'); --i
)
519 /* Split into tokens: first: user name. */
520 token
= strtok_r(line
, ":", &saveptr
);
523 /* next: dummy password field */
524 token
= strtok_r(NULL
, ":", &saveptr
);
528 token
= strtok_r(NULL
, ":", &saveptr
);
529 value
= token
? strtol(token
, &endptr
, 10) : 0;
530 if (!token
|| !endptr
|| *endptr
|| value
== LONG_MIN
|| value
== LONG_MAX
)
532 /* dummy sanity check: user id matches */
533 if ((uid_t
) value
!= uid
)
535 /* skip fields: gid, gecos, dir, go to next field 'shell' */
536 for (i
= 0; i
< 4; i
++) {
537 token
= strtok_r(NULL
, ":", &saveptr
);
544 result
= strdup(token
);
546 /* Sanity check that there are no fields after that. */
547 token
= strtok_r(NULL
, ":", &saveptr
);
557 if (waitpid(pid
, &status
, 0) < 0) {
563 /* Some sanity checks. If anything even hinted at going wrong,
564 * we can't be sure we have a valid result, so we assume we
568 if (!WIFEXITED(status
))
571 if (WEXITSTATUS(status
) != 0)
580 char *arguments
[] = {
589 /* We want to capture stdout. */
593 /* Get rid of stdin/stderr, so we try to associate it with
596 fd
= open("/dev/null", O_RDWR
);
606 /* Finish argument list. */
607 ret
= snprintf(uid_buf
, sizeof(uid_buf
), "%ld", (long) uid
);
611 /* Try to run getent program. */
612 (void) execvp("getent", arguments
);
617 static void lxc_attach_get_init_uidgid(uid_t
* init_uid
, gid_t
* init_gid
)
620 char proc_fn
[__PROC_STATUS_LEN
];
623 size_t line_bufsz
= 0;
625 uid_t uid
= (uid_t
)-1;
626 gid_t gid
= (gid_t
)-1;
628 /* Read capabilities. */
629 snprintf(proc_fn
, __PROC_STATUS_LEN
, "/proc/%d/status", 1);
631 proc_file
= fopen(proc_fn
, "r");
635 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
636 /* Format is: real, effective, saved set user, fs we only care
639 ret
= sscanf(line
, "Uid: %ld", &value
);
640 if (ret
!= EOF
&& ret
== 1) {
643 ret
= sscanf(line
, "Gid: %ld", &value
);
644 if (ret
!= EOF
&& ret
== 1)
647 if (uid
!= (uid_t
)-1 && gid
!= (gid_t
)-1)
654 /* Only override arguments if we found something. */
655 if (uid
!= (uid_t
)-1)
657 if (gid
!= (gid_t
)-1)
660 /* TODO: we should also parse supplementary groups and use
661 * setgroups() to set them.
665 struct attach_clone_payload
{
667 lxc_attach_options_t
* options
;
668 struct lxc_proc_context_info
* init_ctx
;
669 lxc_attach_exec_t exec_function
;
673 static int attach_child_main(void* data
);
675 /* Help the optimizer along if it doesn't know that exit always exits. */
676 #define rexit(c) do { int __c = (c); _exit(__c); return __c; } while(0)
678 /* Define default options if no options are supplied by the user. */
679 static lxc_attach_options_t attach_static_default_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
681 static bool fetch_seccomp(struct lxc_container
*c
,
682 lxc_attach_options_t
*options
)
686 if (!(options
->namespaces
& CLONE_NEWNS
) || !(options
->attach_flags
& LXC_ATTACH_LSM
)) {
687 free(c
->lxc_conf
->seccomp
);
688 c
->lxc_conf
->seccomp
= NULL
;
692 /* Remove current setting. */
693 if (!c
->set_config_item(c
, "lxc.seccomp", "")) {
697 /* Fetch the current profile path over the cmd interface. */
698 path
= c
->get_running_config_item(c
, "lxc.seccomp");
700 INFO("Failed to get running config item for lxc.seccomp.");
704 /* Copy the value into the new lxc_conf. */
705 if (!c
->set_config_item(c
, "lxc.seccomp", path
)) {
711 /* Attempt to parse the resulting config. */
712 if (lxc_read_seccomp_config(c
->lxc_conf
) < 0) {
713 ERROR("Error reading seccomp policy.");
717 INFO("Retrieved seccomp policy.");
721 static bool no_new_privs(struct lxc_container
*c
,
722 lxc_attach_options_t
*options
)
726 /* Remove current setting. */
727 if (!c
->set_config_item(c
, "lxc.no_new_privs", "")) {
731 /* Retrieve currently active setting. */
732 val
= c
->get_running_config_item(c
, "lxc.no_new_privs");
734 INFO("Failed to get running config item for lxc.no_new_privs.");
738 /* Set currently active setting. */
739 if (!c
->set_config_item(c
, "lxc.no_new_privs", val
)) {
748 static signed long get_personality(const char *name
, const char *lxcpath
)
750 char *p
= lxc_cmd_get_config_item(name
, "lxc.arch", lxcpath
);
755 ret
= lxc_config_parse_arch(p
);
760 int lxc_attach(const char* name
, const char* lxcpath
, lxc_attach_exec_t exec_function
, void* exec_payload
, lxc_attach_options_t
* options
, pid_t
* attached_process
)
763 pid_t init_pid
, pid
, attached_pid
, expected
;
764 struct lxc_proc_context_info
*init_ctx
;
768 signed long personality
;
771 options
= &attach_static_default_options
;
773 init_pid
= lxc_cmd_get_init_pid(name
, lxcpath
);
775 ERROR("Failed to get init pid.");
779 init_ctx
= lxc_proc_get_context_info(init_pid
);
781 ERROR("Failed to get context of init process: %ld.",
786 personality
= get_personality(name
, lxcpath
);
787 if (init_ctx
->personality
< 0) {
788 ERROR("Failed to get personality of the container.");
789 lxc_proc_put_context_info(init_ctx
);
792 init_ctx
->personality
= personality
;
794 init_ctx
->container
= lxc_container_new(name
, lxcpath
);
795 if (!init_ctx
->container
)
798 if (!fetch_seccomp(init_ctx
->container
, options
))
799 WARN("Failed to get seccomp policy.");
801 if (!no_new_privs(init_ctx
->container
, options
))
802 WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
804 cwd
= getcwd(NULL
, 0);
806 /* Determine which namespaces the container was created with
807 * by asking lxc-start, if necessary.
809 if (options
->namespaces
== -1) {
810 options
->namespaces
= lxc_cmd_get_clone_flags(name
, lxcpath
);
812 if (options
->namespaces
== -1) {
813 ERROR("Failed to automatically determine the "
814 "namespaces which the container uses.");
816 lxc_proc_put_context_info(init_ctx
);
821 /* Create a socket pair for IPC communication; set SOCK_CLOEXEC in order
822 * to make sure we don't irritate other threads that want to fork+exec
825 * IMPORTANT: if the initial process is multithreaded and another call
826 * just fork()s away without exec'ing directly after, the socket fd will
827 * exist in the forked process from the other thread and any close() in
828 * our own child process will not really cause the socket to close
829 * properly, potentiall causing the parent to hang.
831 * For this reason, while IPC is still active, we have to use shutdown()
832 * if the child exits prematurely in order to signal that the socket is
833 * closed and cannot assume that the child exiting will automatically do
836 * IPC mechanism: (X is receiver)
837 * initial process intermediate attached
841 * send 0 ------------------------------------> X
842 * [do initialization]
843 * X <------------------------------------ send 1
844 * [add to cgroup, ...]
845 * send 2 ------------------------------------> X
846 * [set LXC_ATTACH_NO_NEW_PRIVS]
847 * X <------------------------------------ send 3
848 * [open LSM label fd]
849 * send 4 ------------------------------------> X
851 * close socket close socket
854 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, ipc_sockets
);
856 SYSERROR("Could not set up required IPC mechanism for attaching.");
858 lxc_proc_put_context_info(init_ctx
);
862 /* Create intermediate subprocess, three reasons:
863 * 1. Runs all pthread_atfork handlers and the child will no
864 * longer be threaded (we can't properly setns() in a threaded
866 * 2. We can't setns() in the child itself, since we want to make
867 * sure we are properly attached to the pidns.
868 * 3. Also, the initial thread has to put the attached process
869 * into the cgroup, which we can only do if we didn't already
870 * setns() (otherwise, user namespaces will hate us).
875 SYSERROR("Failed to create first subprocess.");
877 lxc_proc_put_context_info(init_ctx
);
883 pid_t to_cleanup_pid
= pid
;
885 /* Initial thread, we close the socket that is for the
888 close(ipc_sockets
[1]);
891 /* Attach to cgroup, if requested. */
892 if (options
->attach_flags
& LXC_ATTACH_MOVE_TO_CGROUP
) {
893 if (!cgroup_attach(name
, lxcpath
, pid
))
897 /* Setup resource limits */
898 if (!lxc_list_empty(&init_ctx
->container
->lxc_conf
->limits
) && setup_resource_limits(&init_ctx
->container
->lxc_conf
->limits
, pid
)) {
902 /* Open /proc before setns() to the containers namespace so we
903 * don't rely on any information from inside the container.
905 procfd
= open("/proc", O_DIRECTORY
| O_RDONLY
| O_CLOEXEC
);
907 SYSERROR("Unable to open /proc.");
911 /* Let the child process know to go ahead. */
913 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
915 ERROR("Intended to send sequence number 0: %s.",
920 /* Get pid of attached process from intermediate process. */
921 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &attached_pid
, sizeof(attached_pid
), NULL
);
924 ERROR("Expected to receive pid: %s.", strerror(errno
));
928 /* Ignore SIGKILL (CTRL-C) and SIGQUIT (CTRL-\) - issue #313. */
929 if (options
->stdin_fd
== 0) {
930 signal(SIGINT
, SIG_IGN
);
931 signal(SIGQUIT
, SIG_IGN
);
934 /* Reap intermediate process. */
935 ret
= wait_for_pid(pid
);
939 /* We will always have to reap the attached process now. */
940 to_cleanup_pid
= attached_pid
;
942 /* Tell attached process it may start initializing. */
944 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
946 ERROR("Intended to send sequence number 0: %s.", strerror(errno
));
950 /* Wait for the attached process to finish initializing. */
952 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &status
, sizeof(status
), &expected
);
955 ERROR("Expected to receive sequence number 1: %s.", strerror(errno
));
959 /* Tell attached process we're done. */
961 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
963 ERROR("Intended to send sequence number 2: %s.", strerror(errno
));
967 /* Wait for the (grand)child to tell us that it's ready to set
971 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &status
, sizeof(status
), &expected
);
973 ERROR("Expected to receive sequence number 3: %s.",
978 /* Open LSM fd and send it to child. */
979 if ((options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_LSM
) && init_ctx
->lsm_label
) {
980 int on_exec
, saved_errno
;
982 on_exec
= options
->attach_flags
& LXC_ATTACH_LSM_EXEC
? 1 : 0;
983 /* Open fd for the LSM security module. */
984 labelfd
= lsm_openat(procfd
, attached_pid
, on_exec
);
988 /* Send child fd of the LSM security module to write to. */
989 ret
= lxc_abstract_unix_send_fd(ipc_sockets
[0], labelfd
, NULL
, 0);
993 ERROR("Intended to send file descriptor %d: %s.", labelfd
, strerror(saved_errno
));
1000 /* Now shut down communication with child, we're done. */
1001 shutdown(ipc_sockets
[0], SHUT_RDWR
);
1002 close(ipc_sockets
[0]);
1003 lxc_proc_put_context_info(init_ctx
);
1005 /* We're done, the child process should now execute whatever it
1006 * is that the user requested. The parent can now track it with
1007 * waitpid() or similar.
1010 *attached_process
= attached_pid
;
1014 /* First shut down the socket, then wait for the pid, otherwise
1015 * the pid we're waiting for may never exit.
1019 shutdown(ipc_sockets
[0], SHUT_RDWR
);
1020 close(ipc_sockets
[0]);
1022 (void) wait_for_pid(to_cleanup_pid
);
1023 lxc_proc_put_context_info(init_ctx
);
1027 /* First subprocess begins here, we close the socket that is for the
1030 close(ipc_sockets
[0]);
1032 /* Wait for the parent to have setup cgroups. */
1035 ret
= lxc_read_nointr_expect(ipc_sockets
[1], &status
, sizeof(status
), &expected
);
1037 ERROR("Expected to receive sequence number 0: %s.", strerror(errno
));
1038 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1042 if ((options
->attach_flags
& LXC_ATTACH_MOVE_TO_CGROUP
) && cgns_supported())
1043 options
->namespaces
|= CLONE_NEWCGROUP
;
1045 /* Attach now, create another subprocess later, since pid namespaces
1046 * only really affect the children of the current process.
1048 ret
= lxc_attach_to_ns(init_pid
, options
->namespaces
);
1050 ERROR("Failed to enter namespaces.");
1051 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1055 /* Attach succeeded, try to cwd. */
1056 if (options
->initial_cwd
)
1057 new_cwd
= options
->initial_cwd
;
1060 ret
= chdir(new_cwd
);
1062 WARN("Could not change directory to \"%s\".", new_cwd
);
1065 /* Now create the real child process. */
1067 struct attach_clone_payload payload
= {
1068 .ipc_socket
= ipc_sockets
[1],
1070 .init_ctx
= init_ctx
,
1071 .exec_function
= exec_function
,
1072 .exec_payload
= exec_payload
,
1074 /* We use clone_parent here to make this subprocess a direct
1075 * child of the initial process. Then this intermediate process
1076 * can exit and the parent can directly track the attached
1079 pid
= lxc_clone(attach_child_main
, &payload
, CLONE_PARENT
);
1082 /* Shouldn't happen, clone() should always return positive pid. */
1084 SYSERROR("Failed to create subprocess.");
1085 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1089 /* Tell grandparent the pid of the pid of the newly created child. */
1090 ret
= lxc_write_nointr(ipc_sockets
[1], &pid
, sizeof(pid
));
1091 if (ret
!= sizeof(pid
)) {
1092 /* If this really happens here, this is very unfortunate, since
1093 * the parent will not know the pid of the attached process and
1094 * will not be able to wait for it (and we won't either due to
1095 * CLONE_PARENT) so the parent won't be able to reap it and the
1096 * attached process will remain a zombie.
1098 ERROR("Intended to send pid %d: %s.", pid
, strerror(errno
));
1099 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1103 /* The rest is in the hands of the initial and the attached process. */
1107 static int attach_child_main(void* data
)
1109 struct attach_clone_payload
* payload
= (struct attach_clone_payload
*)data
;
1110 int ipc_socket
= payload
->ipc_socket
;
1111 lxc_attach_options_t
* options
= payload
->options
;
1112 struct lxc_proc_context_info
* init_ctx
= payload
->init_ctx
;
1113 #if HAVE_SYS_PERSONALITY_H
1114 long new_personality
;
1125 /* Wait for the initial thread to signal us that it's ready for us to
1126 * start initializing.
1130 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
1132 ERROR("Expected to receive sequence number 0: %s.", strerror(errno
));
1133 shutdown(ipc_socket
, SHUT_RDWR
);
1137 /* A description of the purpose of this functionality is provided in the
1138 * lxc-attach(1) manual page. We have to remount here and not in the
1139 * parent process, otherwise /proc may not properly reflect the new pid
1142 if (!(options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_REMOUNT_PROC_SYS
)) {
1143 ret
= lxc_attach_remount_sys_proc();
1145 shutdown(ipc_socket
, SHUT_RDWR
);
1150 /* Now perform additional attachments. */
1151 #if HAVE_SYS_PERSONALITY_H
1152 if (options
->personality
< 0)
1153 new_personality
= init_ctx
->personality
;
1155 new_personality
= options
->personality
;
1157 if (options
->attach_flags
& LXC_ATTACH_SET_PERSONALITY
) {
1158 ret
= personality(new_personality
);
1160 SYSERROR("Could not ensure correct architecture.");
1161 shutdown(ipc_socket
, SHUT_RDWR
);
1167 if (options
->attach_flags
& LXC_ATTACH_DROP_CAPABILITIES
) {
1168 ret
= lxc_attach_drop_privs(init_ctx
);
1170 ERROR("Could not drop privileges.");
1171 shutdown(ipc_socket
, SHUT_RDWR
);
1176 /* Always set the environment (specify (LXC_ATTACH_KEEP_ENV, NULL, NULL)
1177 * if you want this to be a no-op).
1179 ret
= lxc_attach_set_environment(options
->env_policy
, options
->extra_env_vars
, options
->extra_keep_env
);
1181 ERROR("Could not set initial environment for attached process.");
1182 shutdown(ipc_socket
, SHUT_RDWR
);
1189 /* Ignore errors, we will fall back to root in that case (/proc was not
1192 if (options
->namespaces
& CLONE_NEWUSER
)
1193 lxc_attach_get_init_uidgid(&new_uid
, &new_gid
);
1195 if (options
->uid
!= (uid_t
)-1)
1196 new_uid
= options
->uid
;
1197 if (options
->gid
!= (gid_t
)-1)
1198 new_gid
= options
->gid
;
1200 /* Setup the controlling tty. */
1201 if (options
->stdin_fd
&& isatty(options
->stdin_fd
)) {
1203 SYSERROR("Unable to setsid.");
1204 shutdown(ipc_socket
, SHUT_RDWR
);
1208 if (ioctl(options
->stdin_fd
, TIOCSCTTY
, (char *)NULL
) < 0) {
1209 SYSERROR("Unable to set TIOCSTTY.");
1210 shutdown(ipc_socket
, SHUT_RDWR
);
1215 /* Try to set the {u,g}id combination. */
1216 if ((new_gid
!= 0 || options
->namespaces
& CLONE_NEWUSER
)) {
1217 if (setgid(new_gid
) || setgroups(0, NULL
)) {
1218 SYSERROR("Switching to container gid.");
1219 shutdown(ipc_socket
, SHUT_RDWR
);
1223 if ((new_uid
!= 0 || options
->namespaces
& CLONE_NEWUSER
) && setuid(new_uid
)) {
1224 SYSERROR("Switching to container uid.");
1225 shutdown(ipc_socket
, SHUT_RDWR
);
1229 /* Tell initial process it may now put us into cgroups. */
1231 ret
= lxc_write_nointr(ipc_socket
, &status
, sizeof(status
));
1232 if (ret
!= sizeof(status
)) {
1233 ERROR("Intended to send sequence number 1: %s.", strerror(errno
));
1234 shutdown(ipc_socket
, SHUT_RDWR
);
1238 /* Wait for the initial thread to signal us that it has done everything
1239 * for us when it comes to cgroups etc.
1243 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
1245 ERROR("Expected to receive sequence number 2: %s", strerror(errno
));
1246 shutdown(ipc_socket
, SHUT_RDWR
);
1250 if ((init_ctx
->container
&& init_ctx
->container
->lxc_conf
&&
1251 init_ctx
->container
->lxc_conf
->no_new_privs
) ||
1252 (options
->attach_flags
& LXC_ATTACH_NO_NEW_PRIVS
)) {
1253 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0) {
1254 SYSERROR("PR_SET_NO_NEW_PRIVS could not be set. "
1255 "Process can use execve() gainable "
1257 shutdown(ipc_socket
, SHUT_RDWR
);
1260 INFO("PR_SET_NO_NEW_PRIVS is set. Process cannot use execve() "
1261 "gainable privileges.");
1264 /* Tell the (grand)parent to send us LSM label fd. */
1266 ret
= lxc_write_nointr(ipc_socket
, &status
, sizeof(status
));
1268 ERROR("Intended to send sequence number 3: %s.", strerror(errno
));
1269 shutdown(ipc_socket
, SHUT_RDWR
);
1273 if ((options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_LSM
) && init_ctx
->lsm_label
) {
1275 /* Receive fd for LSM security module. */
1276 ret
= lxc_abstract_unix_recv_fd(ipc_socket
, &lsm_labelfd
, NULL
, 0);
1278 ERROR("Expected to receive file descriptor: %s.", strerror(errno
));
1279 shutdown(ipc_socket
, SHUT_RDWR
);
1283 /* Change into our new LSM profile. */
1284 on_exec
= options
->attach_flags
& LXC_ATTACH_LSM_EXEC
? 1 : 0;
1285 if (lsm_set_label_at(lsm_labelfd
, on_exec
, init_ctx
->lsm_label
) < 0) {
1286 SYSERROR("Failed to set LSM label.");
1287 shutdown(ipc_socket
, SHUT_RDWR
);
1294 if (init_ctx
->container
&& init_ctx
->container
->lxc_conf
&&
1295 init_ctx
->container
->lxc_conf
->seccomp
&&
1296 (lxc_seccomp_load(init_ctx
->container
->lxc_conf
) != 0)) {
1297 ERROR("Failed to load seccomp policy.");
1298 shutdown(ipc_socket
, SHUT_RDWR
);
1302 shutdown(ipc_socket
, SHUT_RDWR
);
1304 lxc_proc_put_context_info(init_ctx
);
1306 /* The following is done after the communication socket is shut down.
1307 * That way, all errors that might (though unlikely) occur up until this
1308 * point will have their messages printed to the original stderr (if
1309 * logging is so configured) and not the fd the user supplied, if any.
1312 /* Fd handling for stdin, stdout and stderr; ignore errors here, user
1313 * may want to make sure the fds are closed, for example.
1315 if (options
->stdin_fd
>= 0 && options
->stdin_fd
!= 0)
1316 dup2(options
->stdin_fd
, 0);
1317 if (options
->stdout_fd
>= 0 && options
->stdout_fd
!= 1)
1318 dup2(options
->stdout_fd
, 1);
1319 if (options
->stderr_fd
>= 0 && options
->stderr_fd
!= 2)
1320 dup2(options
->stderr_fd
, 2);
1322 /* close the old fds */
1323 if (options
->stdin_fd
> 2)
1324 close(options
->stdin_fd
);
1325 if (options
->stdout_fd
> 2)
1326 close(options
->stdout_fd
);
1327 if (options
->stderr_fd
> 2)
1328 close(options
->stderr_fd
);
1330 /* Try to remove FD_CLOEXEC flag from stdin/stdout/stderr, but also
1331 * here, ignore errors.
1333 for (fd
= 0; fd
<= 2; fd
++) {
1334 flags
= fcntl(fd
, F_GETFL
);
1337 if (flags
& FD_CLOEXEC
)
1338 if (fcntl(fd
, F_SETFL
, flags
& ~FD_CLOEXEC
) < 0)
1339 SYSERROR("Unable to clear FD_CLOEXEC from file descriptor.");
1342 /* We're done, so we can now do whatever the user intended us to do. */
1343 rexit(payload
->exec_function(payload
->exec_payload
));
1346 int lxc_attach_run_command(void* payload
)
1348 lxc_attach_command_t
* cmd
= (lxc_attach_command_t
*)payload
;
1350 execvp(cmd
->program
, cmd
->argv
);
1351 SYSERROR("Failed to exec \"%s\".", cmd
->program
);
1355 int lxc_attach_run_shell(void* payload
)
1358 struct passwd
*passwd
;
1361 /* Ignore payload parameter. */
1365 passwd
= getpwuid(uid
);
1367 /* This probably happens because of incompatible nss implementations in
1368 * host and container (remember, this code is still using the host's
1369 * glibc but our mount namespace is in the container) we may try to get
1370 * the information by spawning a [getent passwd uid] process and parsing
1374 user_shell
= lxc_attach_getpwshell(uid
);
1376 user_shell
= passwd
->pw_shell
;
1379 execlp(user_shell
, user_shell
, (char *)NULL
);
1381 /* Executed if either no passwd entry or execvp fails, we will fall back
1382 * on /bin/sh as a default shell.
1384 execlp("/bin/sh", "/bin/sh", (char *)NULL
);
1385 SYSERROR("Failed to exec shell.");