From 83cb7362189f122ce8820021d65c6fe182952950 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 12 Apr 2021 09:44:40 +0200 Subject: [PATCH 1/2] conf: simplify idmaptool_on_path_and_privileged() Signed-off-by: Christian Brauner --- src/lxc/conf.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 11c177b865..37918dac78 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2789,18 +2789,16 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) int ret; struct stat st; - errno = EINVAL; if (cap != CAP_SETUID && cap != CAP_SETGID) - return -1; + return ret_errno(EINVAL); - errno = ENOENT; path = on_path(binary, NULL); if (!path) - return -1; + return ret_errno(ENOENT); ret = stat(path, &st); if (ret < 0) - return -1; + return -errno; /* Check if the binary is setuid. */ if (st.st_mode & S_ISUID) @@ -2819,7 +2817,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED)) return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path); #else - /* If we cannot check for file capabilities we need to give the benefit + /* + * If we cannot check for file capabilities we need to give the benefit * of the doubt. Otherwise we might fail even though all the necessary * file capabilities are set. */ From a864a2e10537310c0455f843f4bfaff8dd90d222 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 12 Apr 2021 09:47:59 +0200 Subject: [PATCH 2/2] conf: don't report success when idmaptools lack all privilege Fixes: #3777 Signed-off-by: Christian Brauner --- src/lxc/conf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 37918dac78..6a0d54b838 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2816,6 +2816,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) && lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED)) return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path); + + return 0; #else /* * If we cannot check for file capabilities we need to give the benefit @@ -2823,9 +2825,8 @@ static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) * file capabilities are set. */ DEBUG("Cannot check for file capabilities as full capability support is missing. Manual intervention needed"); -#endif - return 1; +#endif } static int lxc_map_ids_exec_wrapper(void *args)