#include "lxcpp/namespace.hpp"
#include "lxcpp/capability.hpp"
#include "lxcpp/environment.hpp"
+#include "lxcpp/credentials.hpp"
#include "utils/exception.hpp"
Attach::Attach(lxcpp::ContainerImpl& container,
Container::AttachCall& userCall,
+ const uid_t uid,
+ const gid_t gid,
+ const std::vector<gid_t>& supplementaryGids,
const int capsToKeep,
const std::string& workDirInContainer,
const std::vector<std::string>& envToKeep,
const std::vector<std::pair<std::string, std::string>>& envToSet)
: mContainer(container),
mUserCall(userCall),
+ mUid(uid),
+ mGid(gid),
+ mSupplementaryGids(supplementaryGids),
mCapsToKeep(capsToKeep),
mWorkDirInContainer(workDirInContainer),
mEnvToKeep(envToKeep),
Call call = std::bind(&Attach::child,
mUserCall,
+ mUid,
+ mGid,
+ mSupplementaryGids,
mCapsToKeep,
mEnvToKeep,
mEnvToSet);
}
int Attach::child(const Container::AttachCall& call,
+ const uid_t uid,
+ const gid_t gid,
+ const std::vector<gid_t>& supplementaryGids,
const int capsToKeep,
const std::vector<std::string>& envToKeep,
const std::vector<std::pair<std::string, std::string>>& envToSet)
{
- // Setup capabilities
- dropCapsFromBoundingExcept(capsToKeep);
-
// Setup /proc /sys mount
setupMountPoints();
+ // Setup capabilities
+ dropCapsFromBoundingExcept(capsToKeep);
+
// Setup environment variables
clearenvExcept(envToKeep);
setenv(envToSet);
+ // Set uid/gids
+ lxcpp::setgid(gid);
+ setgroups(supplementaryGids);
+
+ lxcpp::setuid(uid);
+
// Run user's code
return call();
}
#include "lxcpp/container-impl.hpp"
#include "utils/channel.hpp"
+#include <sys/types.h>
+
#include <string>
namespace lxcpp {
*
* @param container container to which it attaches
* @param userCall user's function to run
+ * @param uid uid in the container
+ * @param gid gid in the container
+ * @param supplementaryGids supplementary groups in container
* @param capsToKeep capabilities that will be kept
* @param workDirInContainer work directory set for the new process
* @param envToKeep environment variables that will be kept
*/
Attach(lxcpp::ContainerImpl& container,
Container::AttachCall& userCall,
+ const uid_t uid,
+ const gid_t gid,
+ const std::vector<gid_t>& supplementaryGids,
const int capsToKeep,
const std::string& workDirInContainer,
const std::vector<std::string>& envToKeep,
private:
const lxcpp::ContainerImpl& mContainer;
const Container::AttachCall& mUserCall;
+ const uid_t mUid;
+ const gid_t mGid;
+ const std::vector<gid_t>& mSupplementaryGids;
const int mCapsToKeep;
const std::string& mWorkDirInContainer;
const std::vector<std::string>& mEnvToKeep;
// Methods for different stages of setting up the attachment
static int child(const Container::AttachCall& call,
+ const uid_t uid,
+ const gid_t gid,
+ const std::vector<gid_t>& supplementaryGids,
const int capsToKeep,
const std::vector<std::string>& envToKeep,
const std::vector<std::pair<std::string, std::string>>& envToSet);
{
Attach attach(*this,
call,
+ /*uid in container*/ 0,
+ /*gid in container*/ 0,
+ /*supplementary gids in container*/ {},
/*capsToKeep*/ 0,
cwdInContainer,
/*envToKeep*/ {},
--- /dev/null
+/*
+ * Copyright (C) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * @file
+ * @author Jan Olszak (j.olszak@samsung.com)
+ * @brief Process credentials handling
+ */
+
+#include "lxcpp/credentials.hpp"
+#include "lxcpp/exception.hpp"
+
+#include "logger/logger.hpp"
+#include "utils/exception.hpp"
+
+#include <unistd.h>
+#include <grp.h>
+
+namespace lxcpp {
+
+void setgroups(const std::vector<gid_t>& gids)
+{
+ if(-1 == ::setgroups(gids.size(), gids.data())) {
+ const std::string msg = "setgroups() failed: " +
+ utils::getSystemErrorMessage();
+ LOGE(msg);
+ throw CredentialSetupException(msg);
+ }
+}
+
+void setgid(const gid_t gid)
+{
+ if(-1 == ::setgid(gid)) {
+ const std::string msg = "setgid() failed: " +
+ utils::getSystemErrorMessage();
+ LOGE(msg);
+ throw CredentialSetupException(msg);
+ }
+}
+
+void setuid(const uid_t uid)
+{
+ if(-1 == ::setuid(uid)) {
+ const std::string msg = "setuid() failed: " +
+ utils::getSystemErrorMessage();
+ LOGE(msg);
+ throw CredentialSetupException(msg);
+ }
+}
+
+} // namespace lxcpp
+
--- /dev/null
+/*
+ * Copyright (C) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1 as published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/**
+ * @file
+ * @author Jan Olszak (j.olszak@samsung.com)
+ * @brief Process credentials handling
+ */
+
+#ifndef LXCPP_CREDENTIALS_HPP
+#define LXCPP_CREDENTIALS_HPP
+
+#include <sys/types.h>
+
+#include <vector>
+
+namespace lxcpp {
+
+void setgroups(const std::vector<gid_t>& groups);
+
+void setgid(const gid_t gid);
+
+void setuid(const uid_t uid);
+
+
+
+} // namespace lxcpp
+
+#endif // LXCPP_CREDENTIALS_HPP
\ No newline at end of file
: Exception(message) {}
};
+struct CredentialSetupException: public Exception {
+ CredentialSetupException(const std::string& message = "Error during handling environment variables")
+ : Exception(message) {}
+};
+
struct CapabilitySetupException: public Exception {
CapabilitySetupException(const std::string& message = "Error during a capability operation")
: Exception(message) {}
projects / platform / core / security / vasum.git / commitdiff