#include <Python.h>
#include <fcntl.h>
#include <stdio.h>
-#include <asm-generic/unistd.h>
+#include <asm/unistd.h>
#include <sys/mount.h>
+#include <errno.h>
+#include <sys/prctl.h>
+#include <linux/capability.h>
static PyObject *
-chfscontext(PyObject *self, PyObject *args)
+drop_caps(PyObject *self, PyObject *args)
{
- const char *filepath;
- int sts;
-
- if (!PyArg_ParseTuple(args, "s", &filepath))
- return NULL;
-
- int fd = open(filepath, O_RDONLY);
- if (fd < 0) {
- sts = -1;
- goto out;
- }
-
- if (setns(fd, 0)) {
- sts = -1;
- }
- close(fd);
-
-out:
- return Py_BuildValue("i", sts);
+ unsigned int to_drop[128]
+ = {CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_SYS_BOOT,
+ CAP_MKNOD, CAP_MAC_ADMIN, CAP_SYS_MODULE};
+ unsigned int i;
+ for (i = 0; i<6 ; i++) {
+ if (prctl(PR_CAPBSET_DROP, to_drop[i], 0, 0, 0) == -1) {
+ perror("prctl");
+ return Py_BuildValue("i", 2);
+ }
+ }
+ return Py_BuildValue("i", 0);
}
static PyObject *
proc_mount(PyObject *self, PyObject *args)
{
- int sts;
+ int sts;
sts = mount("none","/proc","proc",0,NULL);
return Py_BuildValue("i", sts);
static PyObject *
proc_umount(PyObject *self, PyObject *args)
{
- int sts;
+ int sts;
sts = umount("/proc");
return Py_BuildValue("i", sts);
+}
+
+static PyObject *
+chfscontext(PyObject *self, PyObject *args)
+{
+ const char *filepath;
+ int sts;
+
+ if (!PyArg_ParseTuple(args, "s", &filepath))
+ return NULL;
+ int fd = open(filepath, O_RDONLY);
+ if (fd < 0) {
+ sts = -errno;
+ goto out;
+ }
+
+ if (setns(fd, 0)) {
+ sts = -errno;
+ }
+ close(fd);
+ sts = 0;
+
+out:
+ return Py_BuildValue("i", sts);
}
static PyObject *
int fd = open(filepath, O_RDONLY);
if (fd < 0) {
- sts = -1;
+ sts = -errno;
goto out;
}
-
+
if (setns(fd, 0)) {
- sts = -1;
+ sts = -errno;
}
close(fd);
+ sts = 0;
out:
return Py_BuildValue("i", sts);
static PyMethodDef SetnsMethods[] =
{
- {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
- {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
- {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
- {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
- {NULL, NULL, 0, NULL}
+ {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
+ {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
+ {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
+ {"drop_caps", drop_caps, METH_VARARGS, "Drop dangerous capabilities."},
+ {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
+ {NULL, NULL, 0, NULL}
};
-
-PyMODINIT_FUNC
-
-initsetns(void)
-{
- (void) Py_InitModule("setns", SetnsMethods);
+
+static struct PyModuleDef moduledef = {
+ PyModuleDef_HEAD_INIT,
+ "setns",
+ "http://git.onelab.eu/?p=lxc-userspace.git;a=summary",
+ -1,
+ SetnsMethods,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
+
+PyObject *PyInit_setns(void){
+ PyObject *module = PyModule_Create(&moduledef);
+ if (module == NULL)
+ return NULL;
+ return module;
}
git://git.onelab.eu / lxc-userspace.git / blobdiff