return last_cap;
}
-/*
- * check if we have the caps needed to start a container. returns 1 on
- * success, 0 on error. (I'd prefer this be a bool, but am afraid that
- * might fail to build on some distros).
- */
-int lxc_caps_check(void)
-{
- uid_t uid = getuid();
- cap_t caps;
- cap_flag_value_t value;
- int i, ret;
-
- cap_value_t needed_caps[] = { CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SETUID, CAP_SETGID };
-
-#define NUMCAPS ((int) (sizeof(needed_caps) / sizeof(cap_t)))
-
- if (!uid)
- return 1;
-
- caps = cap_get_proc();
- if (!caps) {
- ERROR("failed to cap_get_proc: %m");
- return 0;
- }
-
- for (i=0; i<NUMCAPS; i++) {
- ret = cap_get_flag(caps, needed_caps[i], CAP_EFFECTIVE, &value);
- if (ret) {
- ERROR("Failed to cap_get_flag: %m");
- return 0;
- }
- if (!value) {
- return 0;
- }
- }
-
- return 1;
-}
#endif
extern int lxc_caps_down(void);
extern int lxc_caps_up(void);
extern int lxc_caps_init(void);
-extern int lxc_caps_check(void);
extern int lxc_caps_last_cap(void);
#else
static inline int lxc_caps_init(void) {
return 0;
}
-static inline int lxc_caps_check(void) {
- return 1;
-}
static inline int lxc_caps_last_cap(void) {
return 0;
return -1;
}
-extern int lxc_caps_check(void);
-
struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const char *lxcpath)
{
struct lxc_handler *handler;
- if (!lxc_caps_check()) {
- ERROR("Not running with sufficient privilege");
- return NULL;
- }
-
handler = malloc(sizeof(*handler));
if (!handler)
return NULL;
return 0;
}
-static int must_drop_cap_sys_boot(void)
+static int must_drop_cap_sys_boot(struct lxc_conf *conf)
{
FILE *f = fopen("/proc/sys/kernel/ctrl-alt-del", "r");
- int ret, cmd, v;
+ int ret, cmd, v, flags;
long stack_size = 4096;
void *stack = alloca(stack_size);
int status;
}
cmd = v ? LINUX_REBOOT_CMD_CAD_ON : LINUX_REBOOT_CMD_CAD_OFF;
+ flags = CLONE_NEWPID | SIGCHLD;
+ if (!lxc_list_empty(&conf->id_map))
+ flags |= CLONE_NEWUSER;
+
#ifdef __ia64__
- pid = __clone2(container_reboot_supported, stack, stack_size, CLONE_NEWPID | SIGCHLD, &cmd);
+ pid = __clone2(container_reboot_supported, stack, stack_size, flags, &cmd);
#else
stack += stack_size;
- pid = clone(container_reboot_supported, stack, CLONE_NEWPID | SIGCHLD, &cmd);
+ pid = clone(container_reboot_supported, stack, flags, &cmd);
#endif
if (pid < 0) {
SYSERROR("failed to clone\n");
curcgroup = alloca(len);
if (lxc_curcgroup(curcgroup, len) <= 1)
curcgroup = NULL;
+ FILE *f = fopen("/tmp/a", "a");
+ fprintf(f, "curcgroup is %s\n", curcgroup);
+ fclose(f);
}
if ((handler->cgroup = lxc_cgroup_path_create(curcgroup, name)) == NULL)
goto out_delete_net;
handler->ops = ops;
handler->data = data;
- if (must_drop_cap_sys_boot()) {
+ if (must_drop_cap_sys_boot(handler->conf)) {
#if HAVE_SYS_CAPABILITY_H
DEBUG("Dropping cap_sys_boot\n");
#else