1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Date: Thu, 30 Jan 2020 19:21:10 +0100
Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
creation
lxc set's up a new session keyring for every container by default.
There might be valid use-cases where this is not wanted / needed
(e.g. systemd by default creates a new session keyring anyway).
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
---
src/lxc/conf.c | 19 ++++++++++--------
src/lxc/conf.h | 1 +
src/lxc/confile.c | 44 ++++++++++++++++++++++-------------------
src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
src/lxc/confile_utils.h | 2 ++
5 files changed, 62 insertions(+), 28 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index b06fbf047..be4761a54 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
lxc_list_init(&new->lsm_aa_raw);
new->lsm_se_context = NULL;
new->lsm_se_keyring_context = NULL;
+ new->keyring_disable_session = false;
new->tmp_umount_proc = false;
new->tmp_umount_proc = 0;
new->shmount.path_host = NULL;
@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
}
}
- if (lxc_conf->lsm_se_keyring_context) {
- keyring_context = lxc_conf->lsm_se_keyring_context;
- } else if (lxc_conf->lsm_se_context) {
- keyring_context = lxc_conf->lsm_se_context;
- }
+ if (!lxc_conf->keyring_disable_session) {
+ if (lxc_conf->lsm_se_keyring_context) {
+ keyring_context = lxc_conf->lsm_se_keyring_context;
+ } else if (lxc_conf->lsm_se_context) {
+ keyring_context = lxc_conf->lsm_se_context;
+ }
- ret = lxc_setup_keyring(keyring_context);
- if (ret < 0)
- return -1;
+ ret = lxc_setup_keyring(keyring_context);
+ if (ret < 0)
+ return -1;
+ }
if (handler->ns_clone_flags & CLONE_NEWNET) {
ret = lxc_setup_network_in_child_namespaces(lxc_conf,
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index bb47b720e..b81786838 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -296,6 +296,7 @@ struct lxc_conf {
struct lxc_list lsm_aa_raw;
char *lsm_se_context;
char *lsm_se_keyring_context;
+ bool keyring_disable_session;
bool tmp_umount_proc;
struct lxc_seccomp seccomp;
int maincmd_fd;
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index df184af73..fd8b3aaba 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
lxc_config_define(init_cwd);
lxc_config_define(init_gid);
lxc_config_define(init_uid);
+lxc_config_define(keyring_session);
lxc_config_define(log_file);
lxc_config_define(log_level);
lxc_config_define(log_syslog);
@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
{ "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
{ "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
{ "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
{ "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
{ "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
{ "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
}
+static int set_config_keyring_session(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
+}
+
static int set_config_log_file(const char *key, const char *value,
struct lxc_conf *c, void *data)
{
@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
static int set_config_rootfs_managed(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
- unsigned int val = 0;
-
- if (lxc_config_value_empty(value)) {
- lxc_conf->rootfs.managed = true;
- return 0;
- }
-
- if (lxc_safe_uint(value, &val) < 0)
- return -EINVAL;
-
- switch (val) {
- case 0:
- lxc_conf->rootfs.managed = false;
- return 0;
- case 1:
- lxc_conf->rootfs.managed = true;
- return 0;
- }
-
- return -EINVAL;
+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
}
static int set_config_rootfs_mount(const char *key, const char *value,
@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
}
+static int get_config_keyring_session(const char *key, char *retv, int inlen,
+ struct lxc_conf *c, void *data)
+{
+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
+}
+
/* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
* just the value(s) will be printed. Since there still could be more than one,
@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
return 0;
}
+static inline int clr_config_keyring_session(const char *key,
+ struct lxc_conf *c, void *data)
+{
+ c->keyring_disable_session = false;
+ return 0;
+}
+
static inline int clr_config_cgroup_controller(const char *key,
struct lxc_conf *c, void *data)
{
@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
strprint(retv, inlen, "order\n");
} else if (!strcmp(key, "lxc.monitor")) {
strprint(retv, inlen, "unshare\n");
+ } else if (!strcmp(key, "lxc.keyring")) {
+ strprint(retv, inlen, "session\n");
} else {
fulllen = -1;
}
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
index 6941f4026..02e48454b 100644
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
return set_config_string_item_max(conf_item, value, PATH_MAX);
}
+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
+{
+ unsigned int val = 0;
+
+ if (lxc_config_value_empty(value)) {
+ *conf_item = empty_conf_action;
+ return 0;
+ }
+
+ if (lxc_safe_uint(value, &val) < 0)
+ return -EINVAL;
+
+ switch (val) {
+ case 0:
+ *conf_item = false;
+ return 0;
+ case 1:
+ *conf_item = true;
+ return 0;
+ }
+
+ return -EINVAL;
+}
+
int config_ip_prefix(struct in_addr *addr)
{
if (IN_CLASSA(addr->s_addr))
diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
index f68f9604f..83d49bace 100644
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
extern int set_config_string_item_max(char **conf_item, const char *value,
size_t max);
extern int set_config_path_item(char **conf_item, const char *value);
+extern int set_config_bool_item(bool *conf_item, const char *value,
+ bool empty_conf_action);
extern int config_ip_prefix(struct in_addr *addr);
extern int network_ifname(char *valuep, const char *value, size_t size);
extern void rand_complete_hwaddr(char *hwaddr);
--
2.24.1
|
