1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <sys/ioctl.h>
12 #include <sys/types.h>
19 #include "arguments.h"
24 #ifdef ENFORCE_MEMFD_REXEC
29 lxc_log_define(lxc_attach
, lxc
);
32 * This function will copy any binary that calls liblxc into a memory file and
33 * will use the memfd to rexecute the binary. This is done to prevent attacks
34 * through the /proc/self/exe symlink to corrupt the host binary when host and
35 * container are in the same user namespace or have set up an identity id
36 * mapping: CVE-2019-5736.
38 #ifdef ENFORCE_MEMFD_REXEC
39 __attribute__((constructor
)) static void lxc_attach_rexec(void)
41 if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) {
42 fprintf(stderr
, "Failed to re-execute lxc-attach via memory file descriptor\n");
48 static int my_parser(struct lxc_arguments
*args
, int c
, char *arg
);
49 static int add_to_simple_array(char ***array
, ssize_t
*capacity
, char *value
);
50 static bool stdfd_is_pty(void);
51 static int lxc_attach_create_log_file(const char *log_file
);
53 static unsigned int elevated_privileges
;
54 static signed long new_personality
= -1;
55 static int namespace_flags
= -1;
56 static int remount_sys_proc
;
57 static lxc_attach_env_policy_t env_policy
= LXC_ATTACH_KEEP_ENV
;
58 static char **extra_env
;
59 static ssize_t extra_env_size
;
60 static char **extra_keep
;
61 static ssize_t extra_keep_size
;
62 static char *selinux_context
= NULL
;
64 static const struct option my_longopts
[] = {
65 {"elevated-privileges", optional_argument
, 0, 'e'},
66 {"arch", required_argument
, 0, 'a'},
67 {"namespaces", required_argument
, 0, 's'},
68 {"remount-sys-proc", no_argument
, 0, 'R'},
69 /* TODO: decide upon short option names */
70 {"clear-env", no_argument
, 0, 500},
71 {"keep-env", no_argument
, 0, 501},
72 {"keep-var", required_argument
, 0, 502},
73 {"set-var", required_argument
, 0, 'v'},
74 {"pty-log", required_argument
, 0, 'L'},
75 {"rcfile", required_argument
, 0, 'f'},
76 {"uid", required_argument
, 0, 'u'},
77 {"gid", required_argument
, 0, 'g'},
78 {"context", required_argument
, 0, 'c'},
82 static struct lxc_arguments my_args
= {
83 .progname
= "lxc-attach",
85 --name=NAME [-- COMMAND]\n\
87 Execute the specified COMMAND - enter the container NAME\n\
90 -n, --name=NAME NAME of the container\n\
91 -e, --elevated-privileges=PRIVILEGES\n\
92 Use elevated privileges instead of those of the\n\
93 container. If you don't specify privileges to be\n\
94 elevated as OR'd list: CAP, CGROUP and LSM (capabilities,\n\
95 cgroup and restrictions, respectively) then all of them\n\
97 WARNING: This may leak privileges into the container.\n\
99 -a, --arch=ARCH Use ARCH for program instead of container's own\n\
101 -s, --namespaces=FLAGS\n\
102 Don't attach to all the namespaces of the container\n\
103 but just to the following OR'd list of flags:\n\
104 MOUNT, PID, UTSNAME, IPC, USER or NETWORK.\n\
105 WARNING: Using -s implies -e with all privileges\n\
106 elevated, it may therefore leak privileges into the\n\
107 container. Use with care.\n\
108 -R, --remount-sys-proc\n\
109 Remount /sys and /proc if not attaching to the\n\
110 mount namespace when using -s in order to properly\n\
111 reflect the correct namespace context. See the\n\
112 lxc-attach(1) manual page for details.\n\
113 --clear-env Clear all environment variables before attaching.\n\
114 The attached shell/program will start with only\n\
115 container=lxc set.\n\
116 --keep-env Keep all current environment variables. This\n\
117 is the current default behaviour, but is likely to\n\
118 change in the future.\n\
119 -L, --pty-log=FILE\n\
120 Log pty output to FILE\n\
121 -v, --set-var Set an additional variable that is seen by the\n\
122 attached program in the container. May be specified\n\
124 --keep-var Keep an additional environment variable. Only\n\
125 applicable if --clear-env is specified. May be used\n\
128 Load configuration file FILE\n\
129 -u, --uid=UID Execute COMMAND with UID inside the container\n\
130 -g, --gid=GID Execute COMMAND with GID inside the container\n\
131 -c, --context=context\n\
132 SELinux Context to transition into\n\
134 .options
= my_longopts
,
137 .log_priority
= "ERROR",
139 .uid
= LXC_INVALID_UID
,
140 .gid
= LXC_INVALID_GID
,
143 static int my_parser(struct lxc_arguments
*args
, int c
, char *arg
)
149 ret
= lxc_fill_elevated_privileges(arg
, &elevated_privileges
);
153 case 'R': remount_sys_proc
= 1; break;
155 ret
= lxc_config_parse_arch(arg
, &new_personality
);
157 ERROR("Invalid architecture specified: %s", arg
);
164 if (lxc_namespace_2_std_identifiers(arg
) < 0)
167 ret
= lxc_fill_namespace_flags(arg
, &namespace_flags
);
172 lxc_fill_elevated_privileges(NULL
, &elevated_privileges
);
174 case 500: /* clear-env */
175 env_policy
= LXC_ATTACH_CLEAR_ENV
;
177 case 501: /* keep-env */
178 env_policy
= LXC_ATTACH_KEEP_ENV
;
180 case 502: /* keep-var */
181 ret
= add_to_simple_array(&extra_keep
, &extra_keep_size
, arg
);
183 ERROR("Failed to alloc memory");
188 ret
= add_to_simple_array(&extra_env
, &extra_env_size
, arg
);
190 ERROR("Failed to alloc memory");
195 args
->console_log
= arg
;
201 if (lxc_safe_uint(arg
, &args
->uid
) < 0)
205 if (lxc_safe_uint(arg
, &args
->gid
) < 0)
209 selinux_context
= arg
;
216 static int add_to_simple_array(char ***array
, ssize_t
*capacity
, char *value
)
224 for (; (*array
)[count
]; count
++);
226 /* we have to reallocate */
227 if (count
>= *capacity
- 1) {
228 ssize_t new_capacity
= ((count
+ 1) / 32 + 1) * 32;
230 char **new_array
= realloc((void*)*array
, sizeof(char *) * new_capacity
);
234 memset(&new_array
[count
], 0, sizeof(char*)*(new_capacity
- count
));
237 *capacity
= new_capacity
;
243 (*array
)[count
] = value
;
247 static bool stdfd_is_pty(void)
249 if (isatty(STDIN_FILENO
))
252 if (isatty(STDOUT_FILENO
))
255 if (isatty(STDERR_FILENO
))
261 static int lxc_attach_create_log_file(const char *log_file
)
265 fd
= open(log_file
, O_CLOEXEC
| O_RDWR
| O_CREAT
| O_APPEND
, 0600);
267 ERROR("Failed to open log file \"%s\"", log_file
);
274 int __attribute__((weak
, alias("lxc_attach_main"))) main(int argc
, char *argv
[]);
275 int lxc_attach_main(int argc
, char *argv
[])
279 lxc_attach_options_t attach_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
280 lxc_attach_command_t command
= (lxc_attach_command_t
){.program
= NULL
};
282 struct lxc_container
*c
;
288 if (lxc_arguments_parse(&my_args
, argc
, argv
))
291 log
.name
= my_args
.name
;
292 log
.file
= my_args
.log_file
;
293 log
.level
= my_args
.log_priority
;
294 log
.prefix
= my_args
.progname
;
295 log
.quiet
= my_args
.quiet
;
296 log
.lxcpath
= my_args
.lxcpath
[0];
298 if (lxc_log_init(&log
))
302 if (access(my_args
.lxcpath
[0], O_RDONLY
) < 0) {
303 ERROR("You lack access to %s", my_args
.lxcpath
[0]);
307 c
= lxc_container_new(my_args
.name
, my_args
.lxcpath
[0]);
311 if (my_args
.rcfile
) {
313 if (!c
->load_config(c
, my_args
.rcfile
)) {
314 ERROR("Failed to load rcfile");
315 lxc_container_put(c
);
319 c
->configfile
= strdup(my_args
.rcfile
);
320 if (!c
->configfile
) {
321 ERROR("Out of memory setting new config filename");
322 lxc_container_put(c
);
327 if (!c
->may_control(c
)) {
328 ERROR("Insufficent privileges to control %s", c
->name
);
329 lxc_container_put(c
);
333 if (remount_sys_proc
)
334 attach_options
.attach_flags
|= LXC_ATTACH_REMOUNT_PROC_SYS
;
336 if (elevated_privileges
) {
337 if ((elevated_privileges
& LXC_ATTACH_LSM_EXEC
)) {
338 if (selinux_context
) {
339 ERROR("Cannot combine elevated LSM privileges while requesting LSM profile");
344 * While most LSM flags are off by default let's still
345 * make sure they are stripped when elevated LSM
346 * privileges are requested.
348 elevated_privileges
|= LXC_ATTACH_LSM
;
351 attach_options
.attach_flags
&= ~(elevated_privileges
);
355 attach_options
.attach_flags
|= LXC_ATTACH_TERMINAL
;
357 attach_options
.namespaces
= namespace_flags
;
358 attach_options
.personality
= new_personality
;
359 attach_options
.env_policy
= env_policy
;
360 attach_options
.extra_env_vars
= extra_env
;
361 attach_options
.extra_keep_env
= extra_keep
;
363 if (my_args
.argc
> 0) {
364 command
.program
= my_args
.argv
[0];
365 command
.argv
= (char**)my_args
.argv
;
368 if (my_args
.console_log
) {
369 attach_options
.log_fd
= lxc_attach_create_log_file(my_args
.console_log
);
370 if (attach_options
.log_fd
< 0)
374 if (my_args
.uid
!= LXC_INVALID_UID
)
375 attach_options
.uid
= my_args
.uid
;
377 if (my_args
.gid
!= LXC_INVALID_GID
)
378 attach_options
.gid
= my_args
.gid
;
380 // selinux_context will be NULL if not set
381 if (selinux_context
) {
382 attach_options
.attach_flags
|= LXC_ATTACH_LSM_LABEL
;
383 attach_options
.lsm_label
= selinux_context
;
386 if (command
.program
) {
387 ret
= c
->attach_run_wait(c
, &attach_options
, command
.program
,
388 (const char **)command
.argv
);
392 ret
= c
->attach(c
, lxc_attach_run_shell
, NULL
, &attach_options
, &pid
);
396 ret
= lxc_wait_for_pid_status(pid
);
401 wexit
= WEXITSTATUS(ret
);
402 else if (WIFSIGNALED(ret
))
403 wexit
= WTERMSIG(ret
) + 128;
406 lxc_container_put(c
);