]> git.proxmox.com Git - mirror_lxc.git/blob - src/lxc/tools/lxc_attach.c
projects / mirror_lxc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
github: Update for main branch
[mirror_lxc.git] / src / lxc / tools / lxc_attach.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include "config.h"
4
5 #include <errno.h>
6 #include <fcntl.h>
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10 #include <sys/ioctl.h>
11 #include <sys/stat.h>
12 #include <sys/types.h>
13 #include <sys/wait.h>
14 #include <termios.h>
15 #include <unistd.h>
16
17 #include "lxc.h"
18
19 #include "arguments.h"
20 #include "attach.h"
21 #include "caps.h"
22 #include "confile.h"
23 #include "log.h"
24 #ifdef ENFORCE_MEMFD_REXEC
25 #include "rexec.h"
26 #endif
27 #include "utils.h"
28
29 lxc_log_define(lxc_attach, lxc);
30
31 /**
32 * This function will copy any binary that calls liblxc into a memory file and
33 * will use the memfd to rexecute the binary. This is done to prevent attacks
34 * through the /proc/self/exe symlink to corrupt the host binary when host and
35 * container are in the same user namespace or have set up an identity id
36 * mapping: CVE-2019-5736.
37 */
38 #ifdef ENFORCE_MEMFD_REXEC
39 __attribute__((constructor)) static void lxc_attach_rexec(void)
40 {
41 if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) {
42 fprintf(stderr, "Failed to re-execute lxc-attach via memory file descriptor\n");
43 _exit(EXIT_FAILURE);
44 }
45 }
46 #endif
47
48 static int my_parser(struct lxc_arguments *args, int c, char *arg);
49 static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
50 static bool stdfd_is_pty(void);
51 static int lxc_attach_create_log_file(const char *log_file);
52
53 static unsigned int elevated_privileges;
54 static signed long new_personality = -1;
55 static int namespace_flags = -1;
56 static int remount_sys_proc;
57 static lxc_attach_env_policy_t env_policy = LXC_ATTACH_KEEP_ENV;
58 static char **extra_env;
59 static ssize_t extra_env_size;
60 static char **extra_keep;
61 static ssize_t extra_keep_size;
62 static char *selinux_context = NULL;
63
64 static const struct option my_longopts[] = {
65 {"elevated-privileges", optional_argument, 0, 'e'},
66 {"arch", required_argument, 0, 'a'},
67 {"namespaces", required_argument, 0, 's'},
68 {"remount-sys-proc", no_argument, 0, 'R'},
69 /* TODO: decide upon short option names */
70 {"clear-env", no_argument, 0, 500},
71 {"keep-env", no_argument, 0, 501},
72 {"keep-var", required_argument, 0, 502},
73 {"set-var", required_argument, 0, 'v'},
74 {"pty-log", required_argument, 0, 'L'},
75 {"rcfile", required_argument, 0, 'f'},
76 {"uid", required_argument, 0, 'u'},
77 {"gid", required_argument, 0, 'g'},
78 {"context", required_argument, 0, 'c'},
79 LXC_COMMON_OPTIONS
80 };
81
82 static struct lxc_arguments my_args = {
83 .progname = "lxc-attach",
84 .help = "\
85 --name=NAME [-- COMMAND]\n\
86 \n\
87 Execute the specified COMMAND - enter the container NAME\n\
88 \n\
89 Options :\n\
90 -n, --name=NAME NAME of the container\n\
91 -e, --elevated-privileges=PRIVILEGES\n\
92 Use elevated privileges instead of those of the\n\
93 container. If you don't specify privileges to be\n\
94 elevated as OR'd list: CAP, CGROUP and LSM (capabilities,\n\
95 cgroup and restrictions, respectively) then all of them\n\
96 will be elevated.\n\
97 WARNING: This may leak privileges into the container.\n\
98 Use with care.\n\
99 -a, --arch=ARCH Use ARCH for program instead of container's own\n\
100 architecture.\n\
101 -s, --namespaces=FLAGS\n\
102 Don't attach to all the namespaces of the container\n\
103 but just to the following OR'd list of flags:\n\
104 MOUNT, PID, UTSNAME, IPC, USER or NETWORK.\n\
105 WARNING: Using -s implies -e with all privileges\n\
106 elevated, it may therefore leak privileges into the\n\
107 container. Use with care.\n\
108 -R, --remount-sys-proc\n\
109 Remount /sys and /proc if not attaching to the\n\
110 mount namespace when using -s in order to properly\n\
111 reflect the correct namespace context. See the\n\
112 lxc-attach(1) manual page for details.\n\
113 --clear-env Clear all environment variables before attaching.\n\
114 The attached shell/program will start with only\n\
115 container=lxc set.\n\
116 --keep-env Keep all current environment variables. This\n\
117 is the current default behaviour, but is likely to\n\
118 change in the future.\n\
119 -L, --pty-log=FILE\n\
120 Log pty output to FILE\n\
121 -v, --set-var Set an additional variable that is seen by the\n\
122 attached program in the container. May be specified\n\
123 multiple times.\n\
124 --keep-var Keep an additional environment variable. Only\n\
125 applicable if --clear-env is specified. May be used\n\
126 multiple times.\n\
127 -f, --rcfile=FILE\n\
128 Load configuration file FILE\n\
129 -u, --uid=UID Execute COMMAND with UID inside the container\n\
130 -g, --gid=GID Execute COMMAND with GID inside the container\n\
131 -c, --context=context\n\
132 SELinux Context to transition into\n\
133 ",
134 .options = my_longopts,
135 .parser = my_parser,
136 .checker = NULL,
137 .log_priority = "ERROR",
138 .log_file = "none",
139 .uid = LXC_INVALID_UID,
140 .gid = LXC_INVALID_GID,
141 };
142
143 static int my_parser(struct lxc_arguments *args, int c, char *arg)
144 {
145 int ret;
146
147 switch (c) {
148 case 'e':
149 ret = lxc_fill_elevated_privileges(arg, &elevated_privileges);
150 if (ret)
151 return -1;
152 break;
153 case 'R': remount_sys_proc = 1; break;
154 case 'a':
155 ret = lxc_config_parse_arch(arg, &new_personality);
156 if (ret < 0) {
157 ERROR("Invalid architecture specified: %s", arg);
158 return -1;
159 }
160 break;
161 case 's':
162 namespace_flags = 0;
163
164 if (lxc_namespace_2_std_identifiers(arg) < 0)
165 return -1;
166
167 ret = lxc_fill_namespace_flags(arg, &namespace_flags);
168 if (ret)
169 return -1;
170
171 /* -s implies -e */
172 lxc_fill_elevated_privileges(NULL, &elevated_privileges);
173 break;
174 case 500: /* clear-env */
175 env_policy = LXC_ATTACH_CLEAR_ENV;
176 break;
177 case 501: /* keep-env */
178 env_policy = LXC_ATTACH_KEEP_ENV;
179 break;
180 case 502: /* keep-var */
181 ret = add_to_simple_array(&extra_keep, &extra_keep_size, arg);
182 if (ret < 0) {
183 ERROR("Failed to alloc memory");
184 return -1;
185 }
186 break;
187 case 'v':
188 ret = add_to_simple_array(&extra_env, &extra_env_size, arg);
189 if (ret < 0) {
190 ERROR("Failed to alloc memory");
191 return -1;
192 }
193 break;
194 case 'L':
195 args->console_log = arg;
196 break;
197 case 'f':
198 args->rcfile = arg;
199 break;
200 case 'u':
201 if (lxc_safe_uint(arg, &args->uid) < 0)
202 return -1;
203 break;
204 case 'g':
205 if (lxc_safe_uint(arg, &args->gid) < 0)
206 return -1;
207 break;
208 case 'c':
209 selinux_context = arg;
210 break;
211 }
212
213 return 0;
214 }
215
216 static int add_to_simple_array(char ***array, ssize_t *capacity, char *value)
217 {
218 ssize_t count = 0;
219
220 if (!array)
221 return -1;
222
223 if (*array)
224 for (; (*array)[count]; count++);
225
226 /* we have to reallocate */
227 if (count >= *capacity - 1) {
228 ssize_t new_capacity = ((count + 1) / 32 + 1) * 32;
229
230 char **new_array = realloc((void*)*array, sizeof(char *) * new_capacity);
231 if (!new_array)
232 return -1;
233
234 memset(&new_array[count], 0, sizeof(char*)*(new_capacity - count));
235
236 *array = new_array;
237 *capacity = new_capacity;
238 }
239
240 if (!(*array))
241 return -1;
242
243 (*array)[count] = value;
244 return 0;
245 }
246
247 static bool stdfd_is_pty(void)
248 {
249 if (isatty(STDIN_FILENO))
250 return true;
251
252 if (isatty(STDOUT_FILENO))
253 return true;
254
255 if (isatty(STDERR_FILENO))
256 return true;
257
258 return false;
259 }
260
261 static int lxc_attach_create_log_file(const char *log_file)
262 {
263 int fd;
264
265 fd = open(log_file, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600);
266 if (fd < 0) {
267 ERROR("Failed to open log file \"%s\"", log_file);
268 return -1;
269 }
270
271 return fd;
272 }
273
274 int __attribute__((weak, alias("lxc_attach_main"))) main(int argc, char *argv[]);
275 int lxc_attach_main(int argc, char *argv[])
276 {
277 int ret = -1;
278 int wexit = 0;
279 lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
280 lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL};
281 pid_t pid;
282 struct lxc_container *c;
283 struct lxc_log log;
284
285 if (lxc_caps_init())
286 exit(EXIT_FAILURE);
287
288 if (lxc_arguments_parse(&my_args, argc, argv))
289 exit(EXIT_FAILURE);
290
291 log.name = my_args.name;
292 log.file = my_args.log_file;
293 log.level = my_args.log_priority;
294 log.prefix = my_args.progname;
295 log.quiet = my_args.quiet;
296 log.lxcpath = my_args.lxcpath[0];
297
298 if (lxc_log_init(&log))
299 exit(EXIT_FAILURE);
300
301 if (geteuid())
302 if (access(my_args.lxcpath[0], O_RDONLY) < 0) {
303 ERROR("You lack access to %s", my_args.lxcpath[0]);
304 exit(EXIT_FAILURE);
305 }
306
307 c = lxc_container_new(my_args.name, my_args.lxcpath[0]);
308 if (!c)
309 exit(EXIT_FAILURE);
310
311 if (my_args.rcfile) {
312 c->clear_config(c);
313 if (!c->load_config(c, my_args.rcfile)) {
314 ERROR("Failed to load rcfile");
315 lxc_container_put(c);
316 exit(EXIT_FAILURE);
317 }
318
319 c->configfile = strdup(my_args.rcfile);
320 if (!c->configfile) {
321 ERROR("Out of memory setting new config filename");
322 lxc_container_put(c);
323 exit(EXIT_FAILURE);
324 }
325 }
326
327 if (!c->may_control(c)) {
328 ERROR("Insufficent privileges to control %s", c->name);
329 lxc_container_put(c);
330 exit(EXIT_FAILURE);
331 }
332
333 if (remount_sys_proc)
334 attach_options.attach_flags |= LXC_ATTACH_REMOUNT_PROC_SYS;
335
336 if (elevated_privileges) {
337 if ((elevated_privileges & LXC_ATTACH_LSM_EXEC)) {
338 if (selinux_context) {
339 ERROR("Cannot combine elevated LSM privileges while requesting LSM profile");
340 goto out;
341 }
342
343 /*
344 * While most LSM flags are off by default let's still
345 * make sure they are stripped when elevated LSM
346 * privileges are requested.
347 */
348 elevated_privileges |= LXC_ATTACH_LSM;
349 }
350
351 attach_options.attach_flags &= ~(elevated_privileges);
352 }
353
354 if (stdfd_is_pty())
355 attach_options.attach_flags |= LXC_ATTACH_TERMINAL;
356
357 attach_options.namespaces = namespace_flags;
358 attach_options.personality = new_personality;
359 attach_options.env_policy = env_policy;
360 attach_options.extra_env_vars = extra_env;
361 attach_options.extra_keep_env = extra_keep;
362
363 if (my_args.argc > 0) {
364 command.program = my_args.argv[0];
365 command.argv = (char**)my_args.argv;
366 }
367
368 if (my_args.console_log) {
369 attach_options.log_fd = lxc_attach_create_log_file(my_args.console_log);
370 if (attach_options.log_fd < 0)
371 goto out;
372 }
373
374 if (my_args.uid != LXC_INVALID_UID)
375 attach_options.uid = my_args.uid;
376
377 if (my_args.gid != LXC_INVALID_GID)
378 attach_options.gid = my_args.gid;
379
380 // selinux_context will be NULL if not set
381 if (selinux_context) {
382 attach_options.attach_flags |= LXC_ATTACH_LSM_LABEL;
383 attach_options.lsm_label = selinux_context;
384 }
385
386 if (command.program) {
387 ret = c->attach_run_wait(c, &attach_options, command.program,
388 (const char **)command.argv);
389 if (ret < 0)
390 goto out;
391 } else {
392 ret = c->attach(c, lxc_attach_run_shell, NULL, &attach_options, &pid);
393 if (ret < 0)
394 goto out;
395
396 ret = lxc_wait_for_pid_status(pid);
397 if (ret < 0)
398 goto out;
399 }
400 if (WIFEXITED(ret))
401 wexit = WEXITSTATUS(ret);
402 else if (WIFSIGNALED(ret))
403 wexit = WTERMSIG(ret) + 128;
404
405 out:
406 lxc_container_put(c);
407 if (ret >= 0)
408 exit(wexit);
409
410 exit(EXIT_FAILURE);
411 }
LXC mirror