Merge pull request lxc#2266 from brauner/2018-04-09/attach_drop_suppl…

…_groups attach: always drop supplementary groups
vpsfreecz · Apr 10, 2018 · 3d43596 · 3d43596
2 parents e456a1e + 9e32062
commit 3d43596
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 4 deletions.
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
@@ -870,12 +870,12 @@ static int attach_child_main(struct attach_clone_payload *payload)
 		ret = lxc_switch_uid_gid(new_uid, new_gid);
 		if (ret < 0)
 			goto on_error;
-
-		ret = lxc_setgroups(0, NULL);
-		if (ret < 0)
-			goto on_error;
 	}
 
+	ret = lxc_setgroups(0, NULL);
+	if (ret < 0)
+		goto on_error;
+
 	if ((init_ctx->container && init_ctx->container->lxc_conf &&
 	     init_ctx->container->lxc_conf->no_new_privs) ||
 	    (options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
@@ -115,6 +115,22 @@ extern char *get_rundir(void);
 #endif
 #endif
 
+#if !defined(__NR_setns) && !defined(__NR_set_ns)
+	#if defined(__x86_64__)
+		#define __NR_setns 308
+	#elif defined(__i386__)
+		#define __NR_setns 346
+	#elif defined(__arm__)
+		#define __NR_setns 375
+	#elif defined(__aarch64__)
+		#define __NR_setns 375
+	#elif defined(__powerpc__)
+		#define __NR_setns 350
+	#elif defined(__s390__)
+		#define __NR_setns 339
+	#endif
+#endif
+
 /* Define setns() if missing from the C library */
 #ifndef HAVE_SETNS
 static inline int setns(int fd, int nstype)