Capabilities are reset just after the filesystem is mounted.
lxc_setup_fs() is moved up, before the process is forked.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]),
[#include <sys/types.h>
#include <sys/capability.h>])
+AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no)
+AC_MSG_CHECKING([linux capabilities])
+if test "x$caplib" = "xyes" ; then
+ CAP_LIBS="-lcap"
+ AC_MSG_RESULT([$CAP_LIBS])
+else
+ AC_MSG_ERROR([not found])
+fi
+AC_SUBST([CAP_LIBS])
# Some systems lack PR_CAPBSET_DROP definition => HAVE_DECL_PR_CAPBSET_DROP
AC_CHECK_DECLS([PR_CAPBSET_DROP], [], [], [#include <sys/prctl.h>])
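Review bot: The failure branch of the new libcap check ends in `AC_MSG_ERROR([not found])`, which gives the user no hint about what is missing, unlike the header check just above it. `AC_CHECK_LIB` already prints its own "checking for cap_set_proc in -lcap" line, so the extra `AC_MSG_CHECKING`/`AC_MSG_RESULT` pair looks redundant. I would fold the error into the check, e.g. `AC_CHECK_LIB([cap], [cap_set_proc], [CAP_LIBS="-lcap"], [AC_MSG_ERROR([libcap not found, please install libcap-devel.])])`.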
lxc_freeze_SOURCES = lxc_freeze.c
lxc_info_SOURCES = lxc_info.c
lxc_init_SOURCES = lxc_init.c
+lxc_init_LDADD = $(LDADD) @CAP_LIBS@
lxc_monitor_SOURCES = lxc_monitor.c
lxc_restart_SOURCES = lxc_restart.c
lxc_start_SOURCES = lxc_start.c
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <sys/capability.h>
#define _GNU_SOURCE
#include <getopt.h>
static int was_interrupted = 0;
+static int cap_reset(void)
+{
+ cap_t cap = cap_init();
+ int ret = 0;
+
+ if (!cap) {
+ ERROR("cap_init() failed : %m");
+ return -1;
+ }
+
+ if (cap_set_proc(cap)) {
+ ERROR("cap_set_proc() failed : %m");
+ ret = -1;
+ }
+
+ cap_free(cap);
+ return ret;
+}
+
int main(int argc, char *argv[])
{
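Review bot: `cap_reset()` has no comment saying what "reset" means, and the name hides what the call does. `cap_init()` returns an empty capability state, so `cap_set_proc()` here clears the effective, permitted and inheritable sets of lxc-init. Nothing in this function touches the bounding set or securebits, so if lxc-init runs as uid 0 with default securebits the kernel recomputes capabilities at `execve()` and this call would not by itself keep the exec'd command restricted; confirm that against how the container's bounding set is configured elsewhere. I would add above the function: `/* Clear all capabilities of lxc-init itself; the bounding set is untouched, so this alone does not confine the exec'd command. */`.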
sigaction(i, &act, NULL);
}
+ if (lxc_setup_fs())
+ exit(err);
+
+ if (cap_reset())
+ exit(err);
+
pid = fork();
if (pid < 0)
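Review bot: The two calls added before `fork()` depend on their order, and nothing in the code says so. `lxc_setup_fs()` mounts the filesystem (per the commit message) and presumably needs privileges that `cap_reset()` removes. A comment such as `/* keep before cap_reset(): mounting needs capabilities that are dropped below */` would stop a later reorder from silently breaking the mount. Because the drop now happens before `fork()`, the parent lxc-init also continues without capabilities; the rest of `main` is outside this hunk, so check that nothing there (signalling or reaping the child, for example) still relies on one.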
signal(i, SIG_DFL);
sigprocmask(SIG_SETMASK, &omask, NULL);
- if (lxc_setup_fs())
- exit(err);
-
NOTICE("about to exec '%s'", aargv[0]);
execvp(aargv[0], aargv);
- ERROR("failed to exec: '%s' : %s", aargv[0], strerror(errno));
+ ERROR("failed to exec: '%s' : %m", aargv[0]);
exit(err);
}
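Review bot: `%m` in the new `ERROR` call after `execvp()` is a glibc printf extension and prints whatever `errno` holds when the string is formatted, not when `execvp()` failed. `ERROR` is defined outside this page, so this is only safe if the macro does nothing that can change `errno` before formatting and the project targets only C libraries that support `%m`. If either is uncertain, keep the explicit form, `ERROR("failed to exec: '%s' : %s", aargv[0], strerror(errno));`, or save `errno` into a local right after `execvp()`. The same applies to the two `%m` messages in `cap_reset()`.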