X-Git-Url: http://git.onelab.eu/?p=lxc-userspace.git;a=blobdiff_plain;f=setns.c;h=84116d951b9aa4561c793fe1ea7c049b3effee60;hp=e562cd67f1d07e8b6f0e351997eedf4c79d431d9;hb=HEAD;hpb=599fef7a8160912979226e6b2ddfdc373aad9fdf
diff --git a/setns.c b/setns.c
index e562cd6..84116d9 100644
--- a/setns.c
+++ b/setns.c
@@ -3,11 +3,30 @@
 #include
 #include
 #include
+#include
+#include
+#include
+
+static PyObject *
+drop_caps(PyObject *self, PyObject *args)
+{
+    unsigned int to_drop[128]
+        = {CAP_NET_ADMIN, CAP_SYS_ADMIN, CAP_SYS_BOOT,
+           CAP_MKNOD, CAP_MAC_ADMIN, CAP_SYS_MODULE};
+    unsigned int i;
+    for (i = 0; i<6 ; i++) {
+        if (prctl(PR_CAPBSET_DROP, to_drop[i], 0, 0, 0) == -1) {
+            perror("prctl");
+            return Py_BuildValue("i", 2);
+        }
+    }
+    return Py_BuildValue("i", 0);
+}
 
 static PyObject *
 proc_mount(PyObject *self, PyObject *args)
 {
-    int sts;
+    int sts;
     sts = mount("none","/proc","proc",0,NULL);
     return Py_BuildValue("i", sts);
@@ -16,11 +35,10 @@ proc_mount(PyObject *self, PyObject *args)
 static PyObject *
 proc_umount(PyObject *self, PyObject *args)
 {
-    int sts;
+    int sts;
     sts = umount("/proc");
     return Py_BuildValue("i", sts);
-
 }
 
 static PyObject *
@@ -34,14 +52,15 @@ chfscontext(PyObject *self, PyObject *args)
     int fd = open(filepath, O_RDONLY);
     if (fd < 0) {
-        sts = -1;
+        sts = -errno;
         goto out;
     }
-
+
     if (setns(fd, 0)) {
-        sts = -1;
+        sts = -errno;
     }
     close(fd);
+    sts = 0;
 out:
     return Py_BuildValue("i", sts);
@@ -58,14 +77,15 @@ chcontext(PyObject *self, PyObject *args)
     int fd = open(filepath, O_RDONLY);
     if (fd < 0) {
-        sts = -1;
+        sts = -errno;
         goto out;
     }
-
+
     if (setns(fd, 0)) {
-        sts = -1;
+        sts = -errno;
     }
     close(fd);
+    sts = 0;
 out:
     return Py_BuildValue("i", sts);
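Review bot: drop_caps removes the six capabilities from the calling thread's bounding set only, because PR_CAPBSET_DROP limits what can be regained across a later execve() and leaves the process's current permitted and effective sets untouched, so `"Drop dangerous capabilities."` in the method table promises more than the call delivers for work done in-process. I would say so in a header comment on the function, e.g. `/* Drop the listed capabilities from the bounding set only (needs CAP_SETPCAP); the current permitted/effective sets are unchanged until an execve(). */`. The array is declared `to_drop[128]` with six initializers and the loop bound `i<6` repeats that count by hand; declaring it `unsigned int to_drop[] = { ... }` and looping to `sizeof to_drop / sizeof to_drop[0]` keeps the two in step. On failure the function returns a bare 2 and loses errno, while the chfscontext and chcontext hunks below return `-errno`; reporting `-errno` here would make the three consistent.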
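Review bot: In chfscontext the added `sts = 0;` after `close(fd);` runs unconditionally, so when setns() fails the `-errno` stored in the branch just above is overwritten and the caller is told the namespace switch succeeded; the chcontext hunk below adds the same line with the same effect. The assignment belongs on the success path only, e.g. replace the if block with `sts = setns(fd, 0) ? -errno : 0;` and keep the close(fd) after it. Both functions start before their hunks, so the declaration of sts and the parsing of filepath are not visible here.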
@@ -73,16 +93,29 @@ out:
 static PyMethodDef SetnsMethods[] = {
-    {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
-    {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
-    {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
-    {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
-    {NULL, NULL, 0, NULL}
+    {"proc_mount", proc_mount, METH_VARARGS, "Mount a volume via the mount system call."},
+    {"proc_umount", proc_umount, METH_VARARGS, "Umount a volume via the umount system call."},
+    {"chcontext", chcontext, METH_VARARGS, "Switch into an lxc container."},
+    {"drop_caps", drop_caps, METH_VARARGS, "Drop dangerous capabilities."},
+    {"chfscontext", chfscontext, METH_VARARGS, "Switch into an lxc container."},
+    {NULL, NULL, 0, NULL}
 };
-
-PyMODINIT_FUNC
-
-initsetns(void)
-{
-    (void) Py_InitModule("setns", SetnsMethods);
+
+static struct PyModuleDef moduledef = {
+    PyModuleDef_HEAD_INIT,
+    "setns",
+    "http://git.onelab.eu/?p=lxc-userspace.git;a=summary",
+    -1,
+    SetnsMethods,
+    NULL,
+    NULL,
+    NULL,
+    NULL
+};
+
+PyObject *PyInit_setns(void){
+    PyObject *module = PyModule_Create(&moduledef);
+    if (module == NULL)
+        return NULL;
+    return module;
 }
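Review bot: `PyInit_setns` is defined as a plain `PyObject *PyInit_setns(void){`, whereas the removed initsetns carried `PyMODINIT_FUNC`; that macro supplies the linkage and export attributes the interpreter relies on to locate the entry point, so the definition should read `PyMODINIT_FUNC PyInit_setns(void)`. The null check after PyModule_Create returns the same pointer on both branches, so the body reduces to `return PyModule_Create(&moduledef);`. The docstring slot of moduledef holds a repository URL rather than a description of the module; a one-line summary of what the exported functions do would be more useful to help() in the interpreter.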