diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index edddfc5659..0c26419548 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -277,11 +277,6 @@ static int userns_setup_ids(struct attach_context *ctx,
 	if (ctx->setup_ns_gid == LXC_INVALID_UID)
 		ctx->setup_ns_gid = init_ns_gid;
-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }
@@ -360,11 +355,6 @@ static int parse_init_status(struct attach_context *ctx, lxc_attach_options_t *o
 		return log_error_errno(ret, errno, "Failed to get setup ids");
 	userns_target_ids(ctx, options);
-	/*
-	 * TODO: we should also parse supplementary groups and use
-	 * setgroups() to set them.
-	 */
-
 	return 0;
 }
@@ -1214,8 +1204,13 @@ __noreturn static void do_attach(struct attach_payload *ap)
 		goto on_error;
 	}
-	if (!lxc_drop_groups() && errno != EPERM)
-		goto on_error;
+	if (options->attach_flags & LXC_ATTACH_SETGROUPS && options->groups.size > 0) {
+		if (!lxc_setgroups(options->groups.list, options->groups.size))
+			goto on_error;
+	} else {
+		if (!lxc_drop_groups() && errno != EPERM)
+			goto on_error;
+	}
 	if (options->namespaces & CLONE_NEWUSER)
 		if (!lxc_switch_uid_gid(ctx->setup_ns_uid, ctx->setup_ns_gid))
diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h
index d4fbb43e63..d2be6e6ee1 100644
--- a/src/lxc/attach_options.h
+++ b/src/lxc/attach_options.h
@@ -31,6 +31,7 @@ enum {
 	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
 	LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
 	LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
+	LXC_ATTACH_SETGROUPS = 0x00200000, /*!< Set additional group ids specified in @groups. */
 	/* We have 16 bits for things that are on by default and 16 bits that
 	 * are off by default, that should be sufficient to keep binary
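Review bot: The two new branches in do_attach handle EPERM differently — the explicit `lxc_setgroups()` path fails on any error while the `lxc_drop_groups()` path keeps tolerating EPERM — and nothing in the hunk says why, so a comment above the new `if` would help: `/* An explicitly requested group list must take effect; EPERM is only tolerated when dropping groups. */`. The drop path's EPERM tolerance predates this change and means an attach that cannot drop groups proceeds with the inherited supplementary set; the new path correctly fails closed rather than running with a group list other than the one the caller asked for. Minor style: the mixed `&`/`&&` condition is correct by precedence but reads better parenthesized, `if ((options->attach_flags & LXC_ATTACH_SETGROUPS) && options->groups.size > 0) {`. `groups.size` is declared `int` in the header hunk, so the `> 0` guard is also what keeps a negative count away from the call; if `lxc_setgroups()` takes a `size_t`, making that conversion explicit would document the intent. do_attach's body continues on both sides of the hunk.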
@@ -52,6 +53,11 @@ enum { */ typedef int (*lxc_attach_exec_t)(void* payload); +typedef struct lxc_groups_t { + int size; + gid_t *list; +} lxc_groups_t; + /*! * LXC attach options for \ref lxc_container \c attach(). */ @@ -117,6 +123,13 @@ typedef struct lxc_attach_options_t { /*! lsm label to set. */ char *lsm_label; + + /*! The additional group GIDs to run with. + * + * If unset all additional groups are dropped. + */ + lxc_groups_t groups; + } lxc_attach_options_t; /*! Default attach options to use */
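Review bot: The new public `lxc_groups_t` carries no Doxygen comments on its members, unlike the rest of this header, and nothing states that `size` is an element count rather than a byte size or who owns `list`; `/*!< Number of entries in @list. */` on `size` and `/*!< Array of @size group ids; owned by the caller. */` on `list` would close that gap, with the ownership claim confirmed against attach.c (the attach.c hunk only reads the list and does not show it being freed). `size` is declared `int` while the setgroups-style call in attach.c consumes it as a count; `size_t`, or a documented rule that non-positive values mean "unset", would avoid a sign mismatch at the call site. `gid_t` requires `<sys/types.h>`; the hunk does not show whether this header already includes it.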
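Review bot: The doc comment on the new `groups` member says the groups are dropped "if unset" but does not mention that the list is only consulted when `LXC_ATTACH_SETGROUPS` is set in `attach_flags` and `size` is greater than zero, which is what the attach.c hunk checks — a caller who fills `groups` without the flag silently gets the drop behavior. The comment should read `/*! The additional group GIDs to run with. Only honoured when LXC_ATTACH_SETGROUPS is set in attach_flags; otherwise, or when size is 0, all supplementary groups are dropped. */`, reflowed to the file's multi-line style. Appending a member also grows `lxc_attach_options_t`, a public struct, and the enum comment earlier in this header mentions binary compatibility; whether the `LXC_ATTACH_OPTIONS_DEFAULT` initializer referenced on the next line and any consumers of the struct size cope with the change should be confirmed.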