container.conf: Add option to disable session keyring creation
authorMaximilian Blenk <Maximilian.Blenk@bmw.de>
Thu, 30 Jan 2020 18:21:10 +0000 (19:21 +0100)
committerMaximilian Blenk <Maximilian.Blenk@bmw.de>
Fri, 31 Jan 2020 13:33:10 +0000 (14:33 +0100)
lxc sets up a new session keyring for every container by default.
There might be valid use-cases where this is not wanted / needed
(e.g. systemd by default creates a new session keyring anyway).

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
src/lxc/conf.c
src/lxc/conf.h
src/lxc/confile.c
src/lxc/confile_utils.c
src/lxc/confile_utils.h

index bc0119bd1ba866f840a0654343a00aff5faabc11..9678fe7bf236689be62fa135c464757c949c1580 100644 (file)
@@ -2743,6 +2743,7 @@ struct lxc_conf *lxc_conf_init(void)
        lxc_list_init(&new->lsm_aa_raw);
        new->lsm_se_context = NULL;
        new->lsm_se_keyring_context = NULL;
+       new->keyring_disable_session = false;
        new->tmp_umount_proc = false;
        new->tmp_umount_proc = 0;
        new->shmount.path_host = NULL;
@@ -3550,15 +3551,17 @@ int lxc_setup(struct lxc_handler *handler)
                }
        }
 
-       if (lxc_conf->lsm_se_keyring_context) {
-               keyring_context = lxc_conf->lsm_se_keyring_context;
-       } else if (lxc_conf->lsm_se_context) {
-               keyring_context = lxc_conf->lsm_se_context;
-       }
+       if (!lxc_conf->keyring_disable_session) {
+               if (lxc_conf->lsm_se_keyring_context) {
+                       keyring_context = lxc_conf->lsm_se_keyring_context;
+               } else if (lxc_conf->lsm_se_context) {
+                       keyring_context = lxc_conf->lsm_se_context;
+               }
 
-       ret = lxc_setup_keyring(keyring_context);
-       if (ret < 0)
-               return -1;
+               ret = lxc_setup_keyring(keyring_context);
+               if (ret < 0)
+                       return -1;
+       }
 
        if (handler->ns_clone_flags & CLONE_NEWNET) {
                ret = lxc_setup_network_in_child_namespaces(lxc_conf,
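Review bot: When keyring_disable_session is set, the whole block in lxc_setup is skipped, so a configured lxc.selinux.context.keyring (lsm_se_keyring_context, read on the line right after the new if) is silently never applied; the combination should be rejected at parse time or at least reported, e.g. `if (lxc_conf->keyring_disable_session && lxc_conf->lsm_se_keyring_context) WARN("lxc.selinux.context.keyring is ignored because lxc.keyring.session disabled the session keyring");`. Skipping lxc_setup_keyring() also presumably leaves the container's init on whatever session keyring it inherited from the launching process, which deserves a short comment above the new if so readers know that is the intended trade-off. lxc_setup starts and ends outside this hunk.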
index d916f94dc024f94d9f2daa2b01d695bd4c42098f..5b6fb9a13561e2c79c08786f3009fa2be119a0fb 100644 (file)
@@ -299,6 +299,7 @@ struct lxc_conf {
        struct lxc_list lsm_aa_raw;
        char *lsm_se_context;
        char *lsm_se_keyring_context;
+       bool keyring_disable_session;
        bool tmp_umount_proc;
        struct lxc_seccomp seccomp;
        int maincmd_fd;
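Review bot: The new keyring_disable_session field carries no comment although it is named for the disable case while the key that sets it (lxc.keyring.session) is named for the keyring itself, which invites confusion about the polarity. A one-line comment at the declaration would settle it: `bool keyring_disable_session; /* lxc.keyring.session: when true, lxc_setup() skips lxc_setup_keyring() */`.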
index 69466648c7f91efcba12283cd4946259ad21e7bc..ae28163bb108010a6e268e3849ca935a728803cd 100644 (file)
@@ -89,6 +89,7 @@ lxc_config_define(init_cmd);
 lxc_config_define(init_cwd);
 lxc_config_define(init_gid);
 lxc_config_define(init_uid);
+lxc_config_define(keyring_session);
 lxc_config_define(log_file);
 lxc_config_define(log_level);
 lxc_config_define(log_syslog);
@@ -188,6 +189,7 @@ static struct lxc_config_t config_jump_table[] = {
        { "lxc.init.gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
        { "lxc.init.uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
        { "lxc.init.cwd",                  set_config_init_cwd,                    get_config_init_cwd,                    clr_config_init_cwd,                  },
+       { "lxc.keyring.session",           set_config_keyring_session,             get_config_keyring_session,             clr_config_keyring_session            },
        { "lxc.log.file",                  set_config_log_file,                    get_config_log_file,                    clr_config_log_file,                  },
        { "lxc.log.level",                 set_config_log_level,                   get_config_log_level,                   clr_config_log_level,                 },
        { "lxc.log.syslog",                set_config_log_syslog,                  get_config_log_syslog,                  clr_config_log_syslog,                },
@@ -1477,6 +1479,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
        return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
 }
 
+static int set_config_keyring_session(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
+}
+
 static int set_config_log_file(const char *key, const char *value,
                              struct lxc_conf *c, void *data)
 {
@@ -2547,26 +2555,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
 static int set_config_rootfs_managed(const char *key, const char *value,
                                     struct lxc_conf *lxc_conf, void *data)
 {
-       unsigned int val = 0;
-
-       if (lxc_config_value_empty(value)) {
-               lxc_conf->rootfs.managed = true;
-               return 0;
-       }
-
-       if (lxc_safe_uint(value, &val) < 0)
-               return -EINVAL;
-
-       switch (val) {
-       case 0:
-               lxc_conf->rootfs.managed = false;
-               return 0;
-       case 1:
-               lxc_conf->rootfs.managed = true;
-               return 0;
-       }
-
-       return -EINVAL;
+       return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
 }
 
 static int set_config_rootfs_mount(const char *key, const char *value,
@@ -3553,6 +3542,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
        return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
 }
 
+static int get_config_keyring_session(const char *key, char *retv, int inlen,
+                                     struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
+}
+
 
 /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
  * just the value(s) will be printed. Since there still could be more than one,
@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
        return 0;
 }
 
+static inline int clr_config_keyring_session(const char *key,
+                                            struct lxc_conf *c, void *data)
+{
+       c->keyring_disable_session = false;
+       return 0;
+}
+
 static inline int clr_config_cgroup_controller(const char *key,
                                               struct lxc_conf *c, void *data)
 {
@@ -6015,6 +6017,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
                strprint(retv, inlen, "order\n");
        } else if (!strcmp(key, "lxc.monitor")) {
                strprint(retv, inlen, "unshare\n");
+       } else if (!strcmp(key, "lxc.keyring")) {
+               strprint(retv, inlen, "session\n");
        } else {
                fulllen = -1;
        }
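Review bot: set_config_keyring_session stores the parsed value straight into keyring_disable_session, so `lxc.keyring.session = 1` disables the session keyring while `0` or an empty value (the false default) keeps it — the opposite of what the key name reads as — and get_config_keyring_session reports the same inverted value. If the intended contract is "1 = create a session keyring", parse into a local and invert, `bool create = true; int ret = set_config_bool_item(&create, value, true);` then `lxc_conf->keyring_disable_session = !create; return ret;`, and have the getter pass `!c->keyring_disable_session`; otherwise the key name should say disable. The commit's file list contains no lxc.container.conf documentation change, so whichever polarity is meant is currently undocumented for users. Minor style: the new config_jump_table row lacks the trailing comma after clr_config_keyring_session that every neighbouring row has, and get_config_keyring_session is followed by two blank lines.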
index b5a9f1c1ee4d08cf5cfc8835651cf64a01c6279f..ff4ae768848c069285badd6dd29705c717879575 100644 (file)
@@ -649,6 +649,30 @@ int set_config_path_item(char **conf_item, const char *value)
        return set_config_string_item_max(conf_item, value, PATH_MAX);
 }
 
+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
+{
+       unsigned int val = 0;
+
+       if (lxc_config_value_empty(value)) {
+               *conf_item = empty_conf_action;
+               return 0;
+       }
+
+       if (lxc_safe_uint(value, &val) < 0)
+               return -EINVAL;
+
+       switch (val) {
+       case 0:
+               *conf_item = false;
+               return 0;
+       case 1:
+               *conf_item = true;
+               return 0;
+       }
+
+       return -EINVAL;
+}
+
 int config_ip_prefix(struct in_addr *addr)
 {
        if (IN_CLASSA(addr->s_addr))
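Review bot: The switch in set_config_bool_item only distinguishes 0 and 1 and otherwise falls through to the trailing return, so it reads more directly as a range check: `if (val > 1) return -EINVAL;` followed by `*conf_item = val; return 0;` — same accepted inputs ("0", "1", empty), same -EINVAL for everything else. The parameter name empty_conf_action suggests a callback but is simply the bool stored for an empty value; a name such as empty_default would say so.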
index 172aa71649421cffc1308fb5f1c5bf1f88f71226..62990e98c42bdd0952fa730895f1e5c32d7b3fc7 100644 (file)
@@ -51,6 +51,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
 extern int set_config_string_item_max(char **conf_item, const char *value,
                                      size_t max);
 extern int set_config_path_item(char **conf_item, const char *value);
+extern int set_config_bool_item(bool *conf_item, const char *value,
+                                bool empty_conf_action);
 extern int config_ip_prefix(struct in_addr *addr);
 extern int network_ifname(char *valuep, const char *value, size_t size);
 extern void rand_complete_hwaddr(char *hwaddr);
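Review bot: The new set_config_bool_item prototype has no comment stating its contract, which every caller in confile.c now relies on. Add above the declaration: `/* Parse value as "0" or "1" into *conf_item; an empty value stores empty_conf_action. Returns 0 on success, -EINVAL otherwise. */`.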