bool needs_lsm = (options->namespaces & CLONE_NEWNS) &&
(options->attach_flags & LXC_ATTACH_LSM) &&
init_ctx->lsm_label;
+ char *lsm_label = NULL;
/* A description of the purpose of this functionality is provided in the
* lxc-attach(1) manual page. We have to remount here and not in the
/* Change into our new LSM profile. */
on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-
+ lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;
ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd,
- init_ctx->lsm_label, on_exec);
+ lsm_label, on_exec);
close(lsm_fd);
if (ret < 0)
goto on_error;
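Review bot: The new fallback `lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label;` is never reached when `init_ctx->lsm_label` is NULL, because `needs_lsm` at the top of the hunk still keys only on the init process's label, so a caller who explicitly requested a context via `options->lsm_label` silently runs without the transition instead of getting an error. The last term of that condition should become `(options->lsm_label || init_ctx->lsm_label);` so the requested transition is attempted and a failure surfaces through the existing `ret < 0` / `goto on_error` path. The enclosing function starts and ends outside the hunk, and any other guard in it keyed on `init_ctx->lsm_label` (presumably where `lsm_fd` is opened) would need the same adjustment. Since the label is now caller-supplied rather than derived from the container, logging which label is being applied just before the `process_label_set_at` call would also help auditing.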
static ssize_t extra_env_size;
static char **extra_keep;
static ssize_t extra_keep_size;
+static char *selinux_context = NULL;
static const struct option my_longopts[] = {
{"elevated-privileges", optional_argument, 0, 'e'},
{"rcfile", required_argument, 0, 'f'},
{"uid", required_argument, 0, 'u'},
{"gid", required_argument, 0, 'g'},
+ {"context", required_argument, 0, 'c'},
LXC_COMMON_OPTIONS
};
Load configuration file FILE\n\
-u, --uid=UID Execute COMMAND with UID inside the container\n\
-g, --gid=GID Execute COMMAND with GID inside the container\n\
+ -c, --context=context\n\
+ SELinux Context to transition into\n\
",
.options = my_longopts,
.parser = my_parser,
if (lxc_safe_uint(arg, &args->gid) < 0)
return -1;
break;
+ case 'c':
+ selinux_context = arg;
+ break;
}
return 0;
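Review bot: The `case 'c':` branch stores `arg` without rejecting an empty value, and an empty string is non-NULL, so `--context=` would override the container's label with `""` downstream rather than falling back to it, since the attach.c fallback in this patch only tests for NULL. A one-line guard before the assignment, `if (*arg == '\0') return -1;`, keeps the option meaningful and gives an immediate parse error instead of a late LSM failure. `my_parser`'s signature and the rest of the switch are outside the hunk, so the `return -1` convention is taken from the `gid` case visible just above.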
if (my_args.gid != LXC_INVALID_GID)
attach_options.gid = my_args.gid;
+ // selinux_context will be NULL if not set
+ attach_options.lsm_label = selinux_context;
+
if (command.program) {
ret = c->attach_run_wait(c, &attach_options, command.program,
(const char **)command.argv);
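Review bot: `attach_options.lsm_label = selinux_context;` is set unconditionally, but the attach path only applies a label when `LXC_ATTACH_LSM` is in `attach_flags` (see the `needs_lsm` condition earlier in this patch), so if that flag has been cleared — presumably via `--elevated-privileges` — a user-requested context is silently ignored rather than failing closed. Consider `if (selinux_context && !(attach_options.attach_flags & LXC_ATTACH_LSM)) return -1;` with an error message before the assignment, or at least document the interaction in the `--context` help text. The `// selinux_context will be NULL if not set` comment also uses `//` where the LXC code visible in this patch uses `/* ... */`; `/* NULL unless --context was given. */` would match. Because the field is the generic `lsm_label` dispatched through `lsm_ops`, naming the static `lsm_context` or noting in the help text which LSM backends honour it would avoid implying SELinux-only behaviour; the surrounding function continues outside the hunk.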