2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
33 #include <sys/param.h>
34 #include <sys/prctl.h>
35 #include <sys/mount.h>
36 #include <sys/socket.h>
37 #include <sys/syscall.h>
39 #include <linux/unistd.h>
42 #ifndef HAVE_DECL_PR_CAPBSET_DROP
43 #define PR_CAPBSET_DROP 24
46 #ifndef HAVE_DECL_PR_SET_NO_NEW_PRIVS
47 #define PR_SET_NO_NEW_PRIVS 38
50 #ifndef HAVE_DECL_PR_GET_NO_NEW_PRIVS
51 #define PR_GET_NO_NEW_PRIVS 39
54 #include "namespace.h"
64 #include "lxcseccomp.h"
65 #include <lxc/lxccontainer.h>
69 #if HAVE_SYS_PERSONALITY_H
70 #include <sys/personality.h>
74 # define SOCK_CLOEXEC 02000000
82 #define MS_SLAVE (1<<19)
85 lxc_log_define(lxc_attach
, lxc
);
87 int lsm_set_label_at(int procfd
, int on_exec
, char* lsm_label
) {
95 if (strcmp(name
, "nop") == 0)
98 if (strcmp(name
, "none") == 0)
101 /* We don't support on-exec with AppArmor */
102 if (strcmp(name
, "AppArmor") == 0)
106 labelfd
= openat(procfd
, "self/attr/exec", O_RDWR
);
109 labelfd
= openat(procfd
, "self/attr/current", O_RDWR
);
113 SYSERROR("Unable to open LSM label");
118 if (strcmp(name
, "AppArmor") == 0) {
121 command
= malloc(strlen(lsm_label
) + strlen("changeprofile ") + 1);
123 SYSERROR("Failed to write apparmor profile");
128 size
= sprintf(command
, "changeprofile %s", lsm_label
);
130 SYSERROR("Failed to write apparmor profile");
135 if (write(labelfd
, command
, size
+ 1) < 0) {
136 SYSERROR("Unable to set LSM label");
141 else if (strcmp(name
, "SELinux") == 0) {
142 if (write(labelfd
, lsm_label
, strlen(lsm_label
) + 1) < 0) {
143 SYSERROR("Unable to set LSM label");
149 ERROR("Unable to restore label for unknown LSM: %s", name
);
163 static struct lxc_proc_context_info
*lxc_proc_get_context_info(pid_t pid
)
165 struct lxc_proc_context_info
*info
= calloc(1, sizeof(*info
));
167 char proc_fn
[MAXPATHLEN
];
169 size_t line_bufsz
= 0;
173 SYSERROR("Could not allocate memory.");
177 /* read capabilities */
178 snprintf(proc_fn
, MAXPATHLEN
, "/proc/%d/status", pid
);
180 proc_file
= fopen(proc_fn
, "r");
182 SYSERROR("Could not open %s", proc_fn
);
187 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
188 ret
= sscanf(line
, "CapBnd: %llx", &info
->capability_mask
);
189 if (ret
!= EOF
&& ret
> 0) {
199 SYSERROR("Could not read capability bounding set from %s", proc_fn
);
204 info
->lsm_label
= lsm_process_label_get(pid
);
213 static void lxc_proc_put_context_info(struct lxc_proc_context_info
*ctx
)
215 free(ctx
->lsm_label
);
217 lxc_container_put(ctx
->container
);
221 static int lxc_attach_to_ns(pid_t pid
, int which
)
223 char path
[MAXPATHLEN
];
224 /* according to <http://article.gmane.org/gmane.linux.kernel.containers.lxc.devel/1429>,
225 * the file for user namepsaces in /proc/$pid/ns will be called
226 * 'user' once the kernel supports it
228 static char *ns
[] = { "user", "mnt", "pid", "uts", "ipc", "net", "cgroup" };
229 static int flags
[] = {
230 CLONE_NEWUSER
, CLONE_NEWNS
, CLONE_NEWPID
, CLONE_NEWUTS
, CLONE_NEWIPC
,
231 CLONE_NEWNET
, CLONE_NEWCGROUP
233 static const int size
= sizeof(ns
) / sizeof(char *);
235 int i
, j
, saved_errno
;
238 snprintf(path
, MAXPATHLEN
, "/proc/%d/ns", pid
);
239 if (access(path
, X_OK
)) {
240 ERROR("Does this kernel version support 'attach' ?");
244 for (i
= 0; i
< size
; i
++) {
245 /* ignore if we are not supposed to attach to that
248 if (which
!= -1 && !(which
& flags
[i
])) {
253 snprintf(path
, MAXPATHLEN
, "/proc/%d/ns/%s", pid
, ns
[i
]);
254 fd
[i
] = open(path
, O_RDONLY
| O_CLOEXEC
);
258 /* close all already opened file descriptors before
259 * we return an error, so we don't leak them
261 for (j
= 0; j
< i
; j
++)
265 SYSERROR("failed to open '%s'", path
);
270 for (i
= 0; i
< size
; i
++) {
271 if (fd
[i
] >= 0 && setns(fd
[i
], 0) != 0) {
274 for (j
= i
; j
< size
; j
++)
278 SYSERROR("failed to set namespace '%s'", ns
[i
]);
288 static int lxc_attach_remount_sys_proc(void)
292 ret
= unshare(CLONE_NEWNS
);
294 SYSERROR("failed to unshare mount namespace");
298 if (detect_shared_rootfs()) {
299 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
)) {
300 SYSERROR("Failed to make / rslave");
301 ERROR("Continuing...");
305 /* assume /proc is always mounted, so remount it */
306 ret
= umount2("/proc", MNT_DETACH
);
308 SYSERROR("failed to unmount /proc");
312 ret
= mount("none", "/proc", "proc", 0, NULL
);
314 SYSERROR("failed to remount /proc");
318 /* try to umount /sys - if it's not a mount point,
319 * we'll get EINVAL, then we ignore it because it
320 * may not have been mounted in the first place
322 ret
= umount2("/sys", MNT_DETACH
);
323 if (ret
< 0 && errno
!= EINVAL
) {
324 SYSERROR("failed to unmount /sys");
326 } else if (ret
== 0) {
328 ret
= mount("none", "/sys", "sysfs", 0, NULL
);
330 SYSERROR("failed to remount /sys");
338 static int lxc_attach_drop_privs(struct lxc_proc_context_info
*ctx
)
340 int last_cap
= lxc_caps_last_cap();
343 for (cap
= 0; cap
<= last_cap
; cap
++) {
344 if (ctx
->capability_mask
& (1LL << cap
))
347 if (prctl(PR_CAPBSET_DROP
, cap
, 0, 0, 0)) {
348 SYSERROR("failed to remove capability id %d", cap
);
356 static int lxc_attach_set_environment(enum lxc_attach_env_policy_t policy
, char** extra_env
, char** extra_keep
)
358 if (policy
== LXC_ATTACH_CLEAR_ENV
) {
359 char **extra_keep_store
= NULL
;
365 for (count
= 0; extra_keep
[count
]; count
++);
367 extra_keep_store
= calloc(count
, sizeof(char *));
368 if (!extra_keep_store
) {
369 SYSERROR("failed to allocate memory for storing current "
370 "environment variable values that will be kept");
373 for (i
= 0; i
< count
; i
++) {
374 char *v
= getenv(extra_keep
[i
]);
376 extra_keep_store
[i
] = strdup(v
);
377 if (!extra_keep_store
[i
]) {
378 SYSERROR("failed to allocate memory for storing current "
379 "environment variable values that will be kept");
381 free(extra_keep_store
[--i
]);
382 free(extra_keep_store
);
385 if (strcmp(extra_keep
[i
], "PATH") == 0)
388 /* calloc sets entire array to zero, so we don't
395 SYSERROR("failed to clear environment");
396 if (extra_keep_store
) {
397 for (p
= extra_keep_store
; *p
; p
++)
399 free(extra_keep_store
);
404 if (extra_keep_store
) {
406 for (i
= 0; extra_keep
[i
]; i
++) {
407 if (extra_keep_store
[i
]) {
408 if (setenv(extra_keep
[i
], extra_keep_store
[i
], 1) < 0)
409 SYSERROR("Unable to set environment variable");
411 free(extra_keep_store
[i
]);
413 free(extra_keep_store
);
416 /* always set a default path; shells and execlp tend
417 * to be fine without it, but there is a disturbing
418 * number of C programs out there that just assume
419 * that getenv("PATH") is never NULL and then die a
420 * painful segfault death. */
422 setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1);
425 if (putenv("container=lxc")) {
426 SYSERROR("failed to set environment variable");
430 /* set extra environment variables */
432 for (; *extra_env
; extra_env
++) {
433 /* duplicate the string, just to be on
434 * the safe side, because putenv does not
436 char *p
= strdup(*extra_env
);
437 /* we just assume the user knows what they
438 * are doing, so we don't do any checks */
440 SYSERROR("failed to allocate memory for additional environment "
451 static char *lxc_attach_getpwshell(uid_t uid
)
453 /* local variables */
460 /* we need to fork off a process that runs the
461 * getent program, and we need to capture its
462 * output, so we use a pipe for that purpose
479 size_t line_bufsz
= 0;
485 pipe_f
= fdopen(pipes
[0], "r");
486 while (getline(&line
, &line_bufsz
, pipe_f
) != -1) {
488 char *saveptr
= NULL
;
493 /* if we already found something, just continue
494 * to read until the pipe doesn't deliver any more
495 * data, but don't modify the existing data
501 /* trim line on the right hand side */
502 for (i
= strlen(line
); i
> 0 && (line
[i
- 1] == '\n' || line
[i
- 1] == '\r'); --i
)
505 /* split into tokens: first user name */
506 token
= strtok_r(line
, ":", &saveptr
);
509 /* next: dummy password field */
510 token
= strtok_r(NULL
, ":", &saveptr
);
514 token
= strtok_r(NULL
, ":", &saveptr
);
515 value
= token
? strtol(token
, &endptr
, 10) : 0;
516 if (!token
|| !endptr
|| *endptr
|| value
== LONG_MIN
|| value
== LONG_MAX
)
518 /* dummy sanity check: user id matches */
519 if ((uid_t
) value
!= uid
)
521 /* skip fields: gid, gecos, dir, go to next field 'shell' */
522 for (i
= 0; i
< 4; i
++) {
523 token
= strtok_r(NULL
, ":", &saveptr
);
530 result
= strdup(token
);
532 /* sanity check that there are no fields after that */
533 token
= strtok_r(NULL
, ":", &saveptr
);
543 if (waitpid(pid
, &status
, 0) < 0) {
549 /* some sanity checks: if anything even hinted at going
550 * wrong: we can't be sure we have a valid result, so
554 if (!WIFEXITED(status
))
557 if (WEXITSTATUS(status
) != 0)
567 char *arguments
[] = {
576 /* we want to capture stdout */
580 /* get rid of stdin/stderr, so we try to associate it
583 fd
= open("/dev/null", O_RDWR
);
593 /* finish argument list */
594 ret
= snprintf(uid_buf
, sizeof(uid_buf
), "%ld", (long) uid
);
598 /* try to run getent program */
599 (void) execvp("getent", arguments
);
604 static void lxc_attach_get_init_uidgid(uid_t
* init_uid
, gid_t
* init_gid
)
607 char proc_fn
[MAXPATHLEN
];
609 size_t line_bufsz
= 0;
612 uid_t uid
= (uid_t
)-1;
613 gid_t gid
= (gid_t
)-1;
615 /* read capabilities */
616 snprintf(proc_fn
, MAXPATHLEN
, "/proc/%d/status", 1);
618 proc_file
= fopen(proc_fn
, "r");
622 while (getline(&line
, &line_bufsz
, proc_file
) != -1) {
623 /* format is: real, effective, saved set user, fs
624 * we only care about real uid
626 ret
= sscanf(line
, "Uid: %ld", &value
);
627 if (ret
!= EOF
&& ret
> 0) {
630 ret
= sscanf(line
, "Gid: %ld", &value
);
631 if (ret
!= EOF
&& ret
> 0)
634 if (uid
!= (uid_t
)-1 && gid
!= (gid_t
)-1)
641 /* only override arguments if we found something */
642 if (uid
!= (uid_t
)-1)
644 if (gid
!= (gid_t
)-1)
647 /* TODO: we should also parse supplementary groups and use
648 * setgroups() to set them */
651 struct attach_clone_payload
{
653 lxc_attach_options_t
* options
;
654 struct lxc_proc_context_info
* init_ctx
;
655 lxc_attach_exec_t exec_function
;
660 static int attach_child_main(void* data
);
662 /* help the optimizer along if it doesn't know that exit always exits */
663 #define rexit(c) do { int __c = (c); _exit(__c); return __c; } while(0)
665 /* define default options if no options are supplied by the user */
666 static lxc_attach_options_t attach_static_default_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
668 static bool fetch_seccomp(struct lxc_proc_context_info
*i
,
669 lxc_attach_options_t
*options
)
671 struct lxc_container
*c
;
674 if (!(options
->namespaces
& CLONE_NEWNS
) || !(options
->attach_flags
& LXC_ATTACH_LSM
))
679 /* Remove current setting. */
680 if (!c
->set_config_item(c
, "lxc.seccomp", "")) {
684 /* Fetch the current profile path over the cmd interface */
685 path
= c
->get_running_config_item(c
, "lxc.seccomp");
690 /* Copy the value into the new lxc_conf */
691 if (!c
->set_config_item(c
, "lxc.seccomp", path
)) {
697 /* Attempt to parse the resulting config */
698 if (lxc_read_seccomp_config(c
->lxc_conf
) < 0) {
699 ERROR("Error reading seccomp policy");
703 INFO("Retrieved seccomp policy.");
707 static bool no_new_privs(struct lxc_proc_context_info
*ctx
,
708 lxc_attach_options_t
*options
)
710 struct lxc_container
*c
;
715 /* Remove current setting. */
716 if (!c
->set_config_item(c
, "lxc.no_new_privs", "")) {
720 /* Retrieve currently active setting. */
721 val
= c
->get_running_config_item(c
, "lxc.no_new_privs");
723 INFO("Failed to get running config item for lxc.no_new_privs.");
727 /* Set currently active setting. */
728 if (!c
->set_config_item(c
, "lxc.no_new_privs", val
)) {
737 static signed long get_personality(const char *name
, const char *lxcpath
)
739 char *p
= lxc_cmd_get_config_item(name
, "lxc.arch", lxcpath
);
744 ret
= lxc_config_parse_arch(p
);
749 int lxc_attach(const char* name
, const char* lxcpath
, lxc_attach_exec_t exec_function
, void* exec_payload
, lxc_attach_options_t
* options
, pid_t
* attached_process
)
752 pid_t init_pid
, pid
, attached_pid
, expected
;
753 struct lxc_proc_context_info
*init_ctx
;
758 signed long personality
;
761 options
= &attach_static_default_options
;
763 init_pid
= lxc_cmd_get_init_pid(name
, lxcpath
);
765 ERROR("failed to get the init pid");
769 init_ctx
= lxc_proc_get_context_info(init_pid
);
771 ERROR("failed to get context of the init process, pid = %ld", (long)init_pid
);
775 personality
= get_personality(name
, lxcpath
);
776 if (init_ctx
->personality
< 0) {
777 ERROR("Failed to get personality of the container");
778 lxc_proc_put_context_info(init_ctx
);
781 init_ctx
->personality
= personality
;
783 init_ctx
->container
= lxc_container_new(name
, lxcpath
);
784 if (!init_ctx
->container
)
787 if (!fetch_seccomp(init_ctx
, options
))
788 WARN("Failed to get seccomp policy");
790 if (!no_new_privs(init_ctx
, options
))
791 WARN("Could not determine whether PR_SET_NO_NEW_PRIVS is set.");
793 cwd
= getcwd(NULL
, 0);
795 /* determine which namespaces the container was created with
796 * by asking lxc-start, if necessary
798 if (options
->namespaces
== -1) {
799 options
->namespaces
= lxc_cmd_get_clone_flags(name
, lxcpath
);
801 if (options
->namespaces
== -1) {
802 ERROR("failed to automatically determine the "
803 "namespaces which the container unshared");
805 lxc_proc_put_context_info(init_ctx
);
810 /* create a socket pair for IPC communication; set SOCK_CLOEXEC in order
811 * to make sure we don't irritate other threads that want to fork+exec away
813 * IMPORTANT: if the initial process is multithreaded and another call
814 * just fork()s away without exec'ing directly after, the socket fd will
815 * exist in the forked process from the other thread and any close() in
816 * our own child process will not really cause the socket to close properly,
817 * potentiall causing the parent to hang.
819 * For this reason, while IPC is still active, we have to use shutdown()
820 * if the child exits prematurely in order to signal that the socket
821 * is closed and cannot assume that the child exiting will automatically
824 * IPC mechanism: (X is receiver)
825 * initial process intermediate attached
829 * send 0 ------------------------------------> X
830 * [do initialization]
831 * X <------------------------------------ send 1
832 * [add to cgroup, ...]
833 * send 2 ------------------------------------> X
834 * close socket close socket
837 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, ipc_sockets
);
839 SYSERROR("could not set up required IPC mechanism for attaching");
841 lxc_proc_put_context_info(init_ctx
);
845 /* create intermediate subprocess, three reasons:
846 * 1. runs all pthread_atfork handlers and the
847 * child will no longer be threaded
848 * (we can't properly setns() in a threaded process)
849 * 2. we can't setns() in the child itself, since
850 * we want to make sure we are properly attached to
852 * 3. also, the initial thread has to put the attached
853 * process into the cgroup, which we can only do if
854 * we didn't already setns() (otherwise, user
855 * namespaces will hate us)
860 SYSERROR("failed to create first subprocess");
862 lxc_proc_put_context_info(init_ctx
);
867 pid_t to_cleanup_pid
= pid
;
869 /* initial thread, we close the socket that is for the
872 close(ipc_sockets
[1]);
875 /* attach to cgroup, if requested */
876 if (options
->attach_flags
& LXC_ATTACH_MOVE_TO_CGROUP
) {
877 if (!cgroup_attach(name
, lxcpath
, pid
))
881 /* Let the child process know to go ahead */
883 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
885 ERROR("error using IPC to notify attached process for initialization (0)");
889 /* get pid from intermediate process */
890 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &attached_pid
, sizeof(attached_pid
), NULL
);
893 ERROR("error using IPC to receive pid of attached process");
897 /* ignore SIGKILL (CTRL-C) and SIGQUIT (CTRL-\) - issue #313 */
898 if (options
->stdin_fd
== 0) {
899 signal(SIGINT
, SIG_IGN
);
900 signal(SIGQUIT
, SIG_IGN
);
903 /* reap intermediate process */
904 ret
= wait_for_pid(pid
);
908 /* we will always have to reap the grandchild now */
909 to_cleanup_pid
= attached_pid
;
911 /* tell attached process it may start initializing */
913 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
915 ERROR("error using IPC to notify attached process for initialization (0)");
919 /* wait for the attached process to finish initializing */
921 ret
= lxc_read_nointr_expect(ipc_sockets
[0], &status
, sizeof(status
), &expected
);
924 ERROR("error using IPC to receive notification from attached process (1)");
928 /* tell attached process we're done */
930 ret
= lxc_write_nointr(ipc_sockets
[0], &status
, sizeof(status
));
932 ERROR("error using IPC to notify attached process for initialization (2)");
936 /* now shut down communication with child, we're done */
937 shutdown(ipc_sockets
[0], SHUT_RDWR
);
938 close(ipc_sockets
[0]);
939 lxc_proc_put_context_info(init_ctx
);
941 /* we're done, the child process should now execute whatever
942 * it is that the user requested. The parent can now track it
943 * with waitpid() or similar.
946 *attached_process
= attached_pid
;
950 /* first shut down the socket, then wait for the pid,
951 * otherwise the pid we're waiting for may never exit
953 shutdown(ipc_sockets
[0], SHUT_RDWR
);
954 close(ipc_sockets
[0]);
956 (void) wait_for_pid(to_cleanup_pid
);
957 lxc_proc_put_context_info(init_ctx
);
961 /* first subprocess begins here, we close the socket that is for the
964 close(ipc_sockets
[0]);
966 /* Wait for the parent to have setup cgroups */
969 ret
= lxc_read_nointr_expect(ipc_sockets
[1], &status
, sizeof(status
), &expected
);
971 ERROR("error communicating with child process");
972 shutdown(ipc_sockets
[1], SHUT_RDWR
);
976 if ((options
->attach_flags
& LXC_ATTACH_MOVE_TO_CGROUP
) && cgns_supported())
977 options
->namespaces
|= CLONE_NEWCGROUP
;
979 procfd
= open("/proc", O_DIRECTORY
| O_RDONLY
);
981 SYSERROR("Unable to open /proc");
982 shutdown(ipc_sockets
[1], SHUT_RDWR
);
986 /* attach now, create another subprocess later, since pid namespaces
987 * only really affect the children of the current process
989 ret
= lxc_attach_to_ns(init_pid
, options
->namespaces
);
991 ERROR("failed to enter the namespace");
992 shutdown(ipc_sockets
[1], SHUT_RDWR
);
996 /* attach succeeded, try to cwd */
997 if (options
->initial_cwd
)
998 new_cwd
= options
->initial_cwd
;
1001 ret
= chdir(new_cwd
);
1003 WARN("could not change directory to '%s'", new_cwd
);
1006 /* now create the real child process */
1008 struct attach_clone_payload payload
= {
1009 .ipc_socket
= ipc_sockets
[1],
1011 .init_ctx
= init_ctx
,
1012 .exec_function
= exec_function
,
1013 .exec_payload
= exec_payload
,
1016 /* We use clone_parent here to make this subprocess a direct child of
1017 * the initial process. Then this intermediate process can exit and
1018 * the parent can directly track the attached process.
1020 pid
= lxc_clone(attach_child_main
, &payload
, CLONE_PARENT
);
1023 /* shouldn't happen, clone() should always return positive pid */
1025 SYSERROR("failed to create subprocess");
1026 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1030 /* tell grandparent the pid of the pid of the newly created child */
1031 ret
= lxc_write_nointr(ipc_sockets
[1], &pid
, sizeof(pid
));
1032 if (ret
!= sizeof(pid
)) {
1033 /* if this really happens here, this is very unfortunate, since the
1034 * parent will not know the pid of the attached process and will
1035 * not be able to wait for it (and we won't either due to CLONE_PARENT)
1036 * so the parent won't be able to reap it and the attached process
1037 * will remain a zombie
1039 ERROR("error using IPC to notify main process of pid of the attached process");
1040 shutdown(ipc_sockets
[1], SHUT_RDWR
);
1044 /* the rest is in the hands of the initial and the attached process */
1048 static int attach_child_main(void* data
)
1050 struct attach_clone_payload
* payload
= (struct attach_clone_payload
*)data
;
1051 int ipc_socket
= payload
->ipc_socket
;
1052 int procfd
= payload
->procfd
;
1053 lxc_attach_options_t
* options
= payload
->options
;
1054 struct lxc_proc_context_info
* init_ctx
= payload
->init_ctx
;
1055 #if HAVE_SYS_PERSONALITY_H
1056 long new_personality
;
1066 /* wait for the initial thread to signal us that it's ready
1067 * for us to start initializing
1071 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
1073 ERROR("error using IPC to receive notification from initial process (0)");
1074 shutdown(ipc_socket
, SHUT_RDWR
);
1078 /* A description of the purpose of this functionality is
1079 * provided in the lxc-attach(1) manual page. We have to
1080 * remount here and not in the parent process, otherwise
1081 * /proc may not properly reflect the new pid namespace.
1083 if (!(options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_REMOUNT_PROC_SYS
)) {
1084 ret
= lxc_attach_remount_sys_proc();
1086 shutdown(ipc_socket
, SHUT_RDWR
);
1091 /* now perform additional attachments*/
1092 #if HAVE_SYS_PERSONALITY_H
1093 if (options
->personality
< 0)
1094 new_personality
= init_ctx
->personality
;
1096 new_personality
= options
->personality
;
1098 if (options
->attach_flags
& LXC_ATTACH_SET_PERSONALITY
) {
1099 ret
= personality(new_personality
);
1101 SYSERROR("could not ensure correct architecture");
1102 shutdown(ipc_socket
, SHUT_RDWR
);
1108 if (options
->attach_flags
& LXC_ATTACH_DROP_CAPABILITIES
) {
1109 ret
= lxc_attach_drop_privs(init_ctx
);
1111 ERROR("could not drop privileges");
1112 shutdown(ipc_socket
, SHUT_RDWR
);
1117 /* always set the environment (specify (LXC_ATTACH_KEEP_ENV, NULL, NULL) if you want this to be a no-op) */
1118 ret
= lxc_attach_set_environment(options
->env_policy
, options
->extra_env_vars
, options
->extra_keep_env
);
1120 ERROR("could not set initial environment for attached process");
1121 shutdown(ipc_socket
, SHUT_RDWR
);
1125 /* set user / group id */
1128 /* ignore errors, we will fall back to root in that case
1129 * (/proc was not mounted etc.)
1131 if (options
->namespaces
& CLONE_NEWUSER
)
1132 lxc_attach_get_init_uidgid(&new_uid
, &new_gid
);
1134 if (options
->uid
!= (uid_t
)-1)
1135 new_uid
= options
->uid
;
1136 if (options
->gid
!= (gid_t
)-1)
1137 new_gid
= options
->gid
;
1139 /* setup the control tty */
1140 if (options
->stdin_fd
&& isatty(options
->stdin_fd
)) {
1142 SYSERROR("unable to setsid");
1143 shutdown(ipc_socket
, SHUT_RDWR
);
1147 if (ioctl(options
->stdin_fd
, TIOCSCTTY
, (char *)NULL
) < 0) {
1148 SYSERROR("unable to TIOCSTTY");
1149 shutdown(ipc_socket
, SHUT_RDWR
);
1154 /* try to set the uid/gid combination */
1155 if ((new_gid
!= 0 || options
->namespaces
& CLONE_NEWUSER
)) {
1156 if (setgid(new_gid
) || setgroups(0, NULL
)) {
1157 SYSERROR("switching to container gid");
1158 shutdown(ipc_socket
, SHUT_RDWR
);
1162 if ((new_uid
!= 0 || options
->namespaces
& CLONE_NEWUSER
) && setuid(new_uid
)) {
1163 SYSERROR("switching to container uid");
1164 shutdown(ipc_socket
, SHUT_RDWR
);
1168 /* tell initial process it may now put us into the cgroups */
1170 ret
= lxc_write_nointr(ipc_socket
, &status
, sizeof(status
));
1171 if (ret
!= sizeof(status
)) {
1172 ERROR("error using IPC to notify initial process for initialization (1)");
1173 shutdown(ipc_socket
, SHUT_RDWR
);
1177 /* wait for the initial thread to signal us that it has done
1178 * everything for us when it comes to cgroups etc.
1182 ret
= lxc_read_nointr_expect(ipc_socket
, &status
, sizeof(status
), &expected
);
1184 ERROR("error using IPC to receive final notification from initial process (2)");
1185 shutdown(ipc_socket
, SHUT_RDWR
);
1189 shutdown(ipc_socket
, SHUT_RDWR
);
1192 if ((init_ctx
->container
&& init_ctx
->container
->lxc_conf
&&
1193 init_ctx
->container
->lxc_conf
->no_new_privs
) ||
1194 (options
->attach_flags
& LXC_ATTACH_NO_NEW_PRIVS
)) {
1195 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0) {
1196 SYSERROR("PR_SET_NO_NEW_PRIVS could not be set. "
1197 "Process can use execve() gainable "
1201 INFO("PR_SET_NO_NEW_PRIVS is set. Process cannot use execve() "
1202 "gainable privileges.");
1205 /* set new apparmor profile/selinux context */
1206 if ((options
->namespaces
& CLONE_NEWNS
) && (options
->attach_flags
& LXC_ATTACH_LSM
) && init_ctx
->lsm_label
) {
1209 on_exec
= options
->attach_flags
& LXC_ATTACH_LSM_EXEC
? 1 : 0;
1210 if (lsm_set_label_at(procfd
, on_exec
, init_ctx
->lsm_label
) < 0) {
1215 if (init_ctx
->container
&& init_ctx
->container
->lxc_conf
&&
1216 lxc_seccomp_load(init_ctx
->container
->lxc_conf
) != 0) {
1217 ERROR("Loading seccomp policy");
1220 lxc_proc_put_context_info(init_ctx
);
1222 /* The following is done after the communication socket is
1223 * shut down. That way, all errors that might (though
1224 * unlikely) occur up until this point will have their messages
1225 * printed to the original stderr (if logging is so configured)
1226 * and not the fd the user supplied, if any.
1229 /* fd handling for stdin, stdout and stderr;
1230 * ignore errors here, user may want to make sure
1231 * the fds are closed, for example */
1232 if (options
->stdin_fd
>= 0 && options
->stdin_fd
!= 0)
1233 dup2(options
->stdin_fd
, 0);
1234 if (options
->stdout_fd
>= 0 && options
->stdout_fd
!= 1)
1235 dup2(options
->stdout_fd
, 1);
1236 if (options
->stderr_fd
>= 0 && options
->stderr_fd
!= 2)
1237 dup2(options
->stderr_fd
, 2);
1239 /* close the old fds */
1240 if (options
->stdin_fd
> 2)
1241 close(options
->stdin_fd
);
1242 if (options
->stdout_fd
> 2)
1243 close(options
->stdout_fd
);
1244 if (options
->stderr_fd
> 2)
1245 close(options
->stderr_fd
);
1247 /* try to remove CLOEXEC flag from stdin/stdout/stderr,
1248 * but also here, ignore errors */
1249 for (fd
= 0; fd
<= 2; fd
++) {
1250 flags
= fcntl(fd
, F_GETFL
);
1253 if (flags
& FD_CLOEXEC
) {
1254 if (fcntl(fd
, F_SETFL
, flags
& ~FD_CLOEXEC
) < 0) {
1255 SYSERROR("Unable to clear CLOEXEC from fd");
1260 /* we don't need proc anymore */
1263 /* we're done, so we can now do whatever the user intended us to do */
1264 rexit(payload
->exec_function(payload
->exec_payload
));
1267 int lxc_attach_run_command(void* payload
)
1269 lxc_attach_command_t
* cmd
= (lxc_attach_command_t
*)payload
;
1271 execvp(cmd
->program
, cmd
->argv
);
1272 SYSERROR("failed to exec '%s'", cmd
->program
);
1276 int lxc_attach_run_shell(void* payload
)
1279 struct passwd
*passwd
;
1282 /* ignore payload parameter */
1286 passwd
= getpwuid(uid
);
1288 /* this probably happens because of incompatible nss
1289 * implementations in host and container (remember, this
1290 * code is still using the host's glibc but our mount
1291 * namespace is in the container)
1292 * we may try to get the information by spawning a
1293 * [getent passwd uid] process and parsing the result
1296 user_shell
= lxc_attach_getpwshell(uid
);
1298 user_shell
= passwd
->pw_shell
;
1301 execlp(user_shell
, user_shell
, (char *)NULL
);
1303 /* executed if either no passwd entry or execvp fails,
1304 * we will fall back on /bin/sh as a default shell
1306 execlp("/bin/sh", "/bin/sh", (char *)NULL
);
1307 SYSERROR("failed to exec shell");