X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=setns.c;h=aa907b03a323f460af10e1df74a66a17d5d7b0c9;hb=40a15e7c54fd27fa4465aa9db57368964b638738;hp=7d82d53cec46bc163b7c6ac9b6e25a19a4295abf;hpb=e31c61c5ffecd28042d95979fb32f49bf96ad2fb;p=lxc-userspace.git
diff --git a/setns.c b/setns.c
index 7d82d53..aa907b0 100644
--- a/setns.c
+++ b/setns.c
@@ -1,32 +1,24 @@
 #include
 #include
 #include
-#include
+#include
 #include
+#include
+#include
+#include
 static PyObject *
-chfscontext(PyObject *self, PyObject *args)
+drop_caps(PyObject *self, PyObject *args)
 {
- const char *filepath;
- int sts;
-
- if (!PyArg_ParseTuple(args, "s", &filepath))
- return NULL;
-
- int fd = open(filepath, O_RDONLY);
- if (fd < 0) {
- //printf("Could not open ns file\n");
- sts = -1;
- goto out;
- }
-
- if (setns(fd, 666)) {
- sts = -1;
- }
- close(fd);
-
-out:
- return Py_BuildValue("i", sts);
+ unsigned int to_drop[128] = {CAP_NET_ADMIN,CAP_SYS_ADMIN,CAP_SYS_BOOT,CAP_MKNOD,CAP_MAC_ADMIN,CAP_SYS_MODULE};
+ unsigned int i;
+ for (i = 0;i<6;i++) {
+ if (prctl(PR_CAPBSET_DROP, to_drop[i], 0, 0, 0) == -1) {
+ perror("prctl");
+ return Py_BuildValue("i", 2);
+ }
+ }
+ return Py_BuildValue("i", 0);
 }
 static PyObject *
@@ -45,7 +37,31 @@ proc_umount(PyObject *self, PyObject *args)
 sts = umount("/proc");
 return Py_BuildValue("i", sts);
+}
+
+static PyObject *
+chfscontext(PyObject *self, PyObject *args)
+{
+ const char *filepath;
+ int sts;
+ if (!PyArg_ParseTuple(args, "s", &filepath))
+ return NULL;
+
+ int fd = open(filepath, O_RDONLY);
+ if (fd < 0) {
+ sts = -errno;
+ goto out;
+ }
+
+ if (setns(fd, 0)) {
+ sts = -errno;
+ }
+ close(fd);
+ sts = 0;
+
+ out:
+ return Py_BuildValue("i", sts);
 }
 static PyObject *
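Review bot: `to_drop[128]` together with the loop bound `i<6` keeps the element count separate from the initializer list, so adding or removing a capability later silently desynchronizes the two; size the array by its initializer and iterate over its length, `static const unsigned int to_drop[] = {CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_MKNOD, CAP_MAC_ADMIN, CAP_SYS_MODULE};` and `for (size_t i = 0; i < sizeof to_drop / sizeof to_drop[0]; i++) {`. The `perror("prctl")` followed by `return Py_BuildValue("i", 2)` writes to stderr from inside an extension module and discards errno, unlike the `-errno` convention the other functions in this file now use; `return PyErr_SetFromErrno(PyExc_OSError);` would hand the real failure to the Python caller. A header comment should also record that PR_CAPBSET_DROP only removes each capability from the bounding set, not from the calling thread's current permitted or effective sets, and that an error part-way through leaves earlier entries dropped and later ones intact, so callers must treat a non-zero result as fatal rather than retryable.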
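Review bot: The `sts = 0;` placed after `close(fd)` in the new chfscontext also runs on the setns() failure path and overwrites the `-errno` recorded just above it, so a failed setns() is reported to Python as success; assign the result inside the branches instead, `if (setns(fd, 0)) sts = -errno; else sts = 0;`, and keep `close(fd)` after that assignment so close() cannot disturb errno first. The same `+ sts = 0;` after `close(fd)` is introduced into chcontext by the `@@ -59,15 +75,15 @@` hunk and needs the same fix. With that change every path assigns `sts` before `out:`, so the uninitialized `int sts;` declaration is no longer a hazard.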
@@ -59,15 +75,15 @@ chcontext(PyObject *self, PyObject *args)
 int fd = open(filepath, O_RDONLY);
 if (fd < 0) {
-// printf("Could not open ns file\n");
- sts = -1;
+ sts = -errno;
 goto out;
 }
 if (setns(fd, 0)) {
- sts = -1;
+ sts = -errno;
 }
 close(fd);
+ sts = 0;
 out:
 return Py_BuildValue("i", sts);
@@ -78,6 +94,7 @@ static PyMethodDef SetnsMethods[] =
 {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
 {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
 {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
+ {"drop_caps", drop_caps, METH_VARARGS, "Drop dangerous capabilities."},
 {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
 {NULL, NULL, 0, NULL}
 };
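Review bot: The method-table description `"Drop dangerous capabilities."` tells the Python caller neither which capabilities are affected nor that only the bounding set is touched, and `drop_caps` returns 0 or 2 where the neighbouring entries return 0 or `-errno`. The description could read `"Drop CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_MKNOD, CAP_MAC_ADMIN and CAP_SYS_MODULE from the capability bounding set; returns 0 on success."`. Whether the return code is aligned with the other functions is a call for the module owner, but the differing convention deserves a comment at this table entry.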