attach: Add groups option to keep additional group IDs.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
lxc · Feb 5, 2021 · 8caac58 · 8caac58
1 parent bf31b33
commit 8caac58
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
@@ -277,11 +277,6 @@ static int userns_setup_ids(struct attach_context *ctx,
 	if (ctx->setup_ns_gid == LXC_INVALID_UID)
 		ctx->setup_ns_gid = init_ns_gid;
 
-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }
 
@@ -360,11 +355,6 @@ static int parse_init_status(struct attach_context *ctx, lxc_attach_options_t *o
 		return log_error_errno(ret, errno, "Failed to get setup ids");
 	userns_target_ids(ctx, options);
 
-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }
 
@@ -1214,8 +1204,13 @@ __noreturn static void do_attach(struct attach_payload *ap)
 			goto on_error;
 	}
 
-	if (!lxc_drop_groups() && errno != EPERM)
-		goto on_error;
+	if (options->attach_flags & LXC_ATTACH_SETGROUPS && options->groups.size > 0) {
+		if (!lxc_setgroups(options->groups.list, options->groups.size))
+			goto on_error;
+	} else {
+		if (!lxc_drop_groups() && errno != EPERM)
+			goto on_error;
+	}
 
 	if (options->namespaces & CLONE_NEWUSER)
 		if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))

diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
@@ -31,6 +31,7 @@ enum {
 	LXC_ATTACH_NO_NEW_PRIVS		 = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
 	LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */
 	LXC_ATTACH_LSM_LABEL             = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
+	LXC_ATTACH_SETGROUPS             = 0x00200000, /*!< Set additional group ids specified in @groups. */
 
 	/* We have 16 bits for things that are on by default and 16 bits that
 	 * are off by default, that should be sufficient to keep binary
@@ -52,6 +53,11 @@ enum {
  */
 typedef int (*lxc_attach_exec_t)(void* payload);
 
+typedef struct lxc_groups_t {
+	int size;
+	gid_t *list;
+} lxc_groups_t;
+
 /*!
  * LXC attach options for \ref lxc_container \c attach().
  */
@@ -117,6 +123,13 @@ typedef struct lxc_attach_options_t {
 
 	/*! lsm label to set. */
 	char *lsm_label;
+
+	/*! The additional group GIDs to run with.
+	 *
+	 * If unset all additional groups are dropped.
+	 */
+	lxc_groups_t groups;
+
 } lxc_attach_options_t;
 
 /*! Default attach options to use */