Merge pull request #1639 from brauner/2017-06-23/lxc_2_1_preparations

confile: prepare for 2.1.

Merge pull request #1639 from brauner/2017-06-23/lxc_2_1_preparations
c949f5cc · Serge Hallyn · GitHub · a3711f52 · 39b8f404 · c949f5cc
Commit c949f5cc authored Jun 26, 2017 by Serge Hallyn Committed by GitHub Jun 26, 2017
13 changed files
--- a/config/templates/common.conf.in
+++ b/config/templates/common.conf.in
@@ -12,9 +12,6 @@ lxc.tty = 4
 # Drop some harmful capabilities
 lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
-# Set the pivot directory
-lxc.pivotdir = lxc_putold
 # Ensure hostname is changed on clone
 lxc.hook.clone = @LXCHOOKDIR@/clonehostname

--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -792,25 +792,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
    </refsect2>
    <refsect2>
-      <title>Enable kmsg symlink</title>
-      <para>
-        Enable creating /dev/kmsg as symlink to /dev/console.  This defaults to 0.
-      </para>
-      <variablelist>
-    <varlistentry>
-      <term>
-        <option>lxc.kmsg</option>
-      </term>
-      <listitem>
-        <para>
-          Set this to 1 to enable /dev/kmsg symlinking.
-        </para>
-      </listitem>
-    </varlistentry>
-      </variablelist>
-    </refsect2>
-    <refsect2>
      <title>Mount points</title>
      <para>
        The mount points section specifies the different places to be

--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -21,7 +21,7 @@ noinst_HEADERS = \
 	caps.h \
 	conf.h \
 	confile.h \
-	confile_network_legacy.h \
+	confile_legacy.h \
 	confile_utils.h \
 	console.h \
 	error.h \
@@ -104,7 +104,7 @@ liblxc_la_SOURCES = \
 	namespace.h namespace.c \
 	conf.c conf.h \
 	confile.c confile.h \
-	confile_network_legacy.c confile_network_legacy.h \
+	confile_legacy.c confile_legacy.h \
 	confile_utils.c confile_utils.h \
 	list.h \
 	state.c state.h \

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1455,6 +1455,7 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs,
 		} else {
 			DEBUG("cleared all (%d) mounts from \"%s\"", ret, path);
 		}
 		ret = unlink(path);
 		if (ret < 0) {
 			SYSERROR("error unlinking %s", path);
@@ -1631,33 +1632,6 @@ static int lxc_setup_console(const struct lxc_rootfs *rootfs,
 	return lxc_setup_ttydir_console(rootfs, console, ttydir);
 }
-static int setup_kmsg(const struct lxc_rootfs *rootfs,
-		       const struct lxc_console *console)
-{
-	char kpath[MAXPATHLEN];
-	int ret;
-	if (!rootfs->path)
-		return 0;
-	ret = snprintf(kpath, sizeof(kpath), "%s/dev/kmsg", rootfs->mount);
-	if (ret < 0 || ret >= sizeof(kpath))
-		return -1;
-	ret = unlink(kpath);
-	if (ret && errno != ENOENT) {
-		SYSERROR("error unlinking %s", kpath);
-		return -1;
-	}
-	ret = symlink("console", kpath);
-	if (ret) {
-		SYSERROR("failed to create symlink for kmsg");
-		return -1;
-	}
-	return 0;
-}
 static void parse_mntopt(char *opt, unsigned long *flags, char **data)
 {
 	struct mount_opt *mo;
@@ -2666,7 +2640,6 @@ struct lxc_conf *lxc_conf_init(void)
 		free(new);
 		return NULL;
 	}
-	new->kmsg = 0;
 	new->logfd = -1;
 	lxc_list_init(&new->cgroup);
 	lxc_list_init(&new->network);
@@ -4205,11 +4178,6 @@ int lxc_setup(struct lxc_handler *handler)
 		return -1;
 	}
-	if (lxc_conf->kmsg) {
-		if (setup_kmsg(&lxc_conf->rootfs, &lxc_conf->console))  // don't fail
-			ERROR("failed to setup kmsg for '%s'", name);
-	}
 	if (!lxc_conf->is_execute && setup_dev_symlinks(&lxc_conf->rootfs)) {
 		ERROR("failed to setup /dev symlinks for '%s'", name);
 		return -1;

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -285,7 +285,6 @@ enum {
 /*
 * Defines the global container configuration
 * @rootfs     : root directory to run the container
- * @pivotdir   : pivotdir path, if not set default will be used
 * @mount      : list of mount points
 * @tty        : numbers of tty
 * @pts        : new pts instance
@@ -351,7 +350,6 @@ struct lxc_conf {
 	int haltsignal; // signal used to halt container
 	int rebootsignal; // signal used to reboot container
 	int stopsignal; // signal used to hard stop container
-	unsigned int kmsg;  // if 1, create /dev/kmsg symlink
 	char *rcfile;	// Copy of the top level rcfile we read
 	// Logfile and logleve can be set in a container config file.

--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
--- a/src/lxc/confile_network_legacy.c
+++ b/src/lxc/confile_network_legacy.c
@@ -46,7 +46,7 @@
 #include "config.h"
 #include "confile.h"
 #include "confile_utils.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
 #include "utils.h"
 #include "log.h"
 #include "conf.h"
@@ -59,7 +59,7 @@
 #include <../include/ifaddrs.h>
 #endif
-lxc_log_define(lxc_confile_network_legacy, lxc);
+lxc_log_define(lxc_confile_legacy, lxc);
 /*
 * Config entry is something like "lxc.network.0.ipv4" the key 'lxc.network.'
@@ -1003,3 +1003,79 @@ inline int clr_config_network_legacy(const char *key, struct lxc_conf *c, void *
 {
 	return lxc_clear_config_network(c);
 }
+inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
+				     void *data)
+{
+	free(c->lsm_aa_profile);
+	c->lsm_aa_profile = NULL;
+	return 0;
+}
+inline int clr_config_lsm_aa_incomplete(const char *key, struct lxc_conf *c,
+					void *data)
+{
+	c->lsm_aa_allow_incomplete = 0;
+	return 0;
+}
+int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
+			      struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
+}
+int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
+				 struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_int(c, retv, inlen,
+				c->lsm_aa_allow_incomplete);
+}
+int set_config_lsm_aa_profile(const char *key, const char *value,
+			      struct lxc_conf *lxc_conf, void *data)
+{
+	return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
+}
+int set_config_lsm_aa_incomplete(const char *key, const char *value,
+				 struct lxc_conf *lxc_conf, void *data)
+{
+	/* Set config value to default. */
+	if (lxc_config_value_empty(value)) {
+		lxc_conf->lsm_aa_allow_incomplete = 0;
+		return 0;
+	}
+	/* Parse new config value. */
+	if (lxc_safe_uint(value, &lxc_conf->lsm_aa_allow_incomplete) < 0)
+		return -1;
+	if (lxc_conf->lsm_aa_allow_incomplete > 1) {
+		ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only "
+		      "be set to 0 or 1");
+		return -1;
+	}
+	return 0;
+}
+int set_config_lsm_se_context(const char *key, const char *value,
+			      struct lxc_conf *lxc_conf, void *data)
+{
+	return set_config_string_item(&lxc_conf->lsm_se_context, value);
+}
+int get_config_lsm_se_context(const char *key, char *retv, int inlen,
+			      struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
+}
+inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
+				     void *data)
+{
+	free(c->lsm_se_context);
+	c->lsm_se_context = NULL;
+	return 0;
+}
--- a/src/lxc/confile_network_legacy.h
+++ b/src/lxc/confile_network_legacy.h
@@ -21,8 +21,8 @@
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
-#ifndef __LXC_CONFILE_NETWORK_LEGACY_H
+#ifndef __LXC_CONFILE_LEGACY_H
-#define __LXC_CONFILE_NETWORK_LEGACY_H
+#define __LXC_CONFILE_LEGACY_H
 #include <stdio.h>
 #include <lxc/attach_options.h>
@@ -78,4 +78,23 @@ extern int lxc_list_nicconfigs_legacy(struct lxc_conf *c, const char *key,
 extern int lxc_listconfigs(char *retv, int inlen);
 extern bool network_new_hwaddrs(struct lxc_conf *conf);
-#endif
+extern int set_config_lsm_aa_profile(const char *, const char *,
+				     struct lxc_conf *, void *);
+extern int get_config_lsm_aa_profile(const char *, char *, int,
+				     struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);
+extern int set_config_lsm_aa_incomplete(const char *, const char *,
+ 				struct lxc_conf *, void *);
+extern int get_config_lsm_aa_incomplete(const char *, char *, int,
+ 				struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
+					void *);
+extern int set_config_lsm_se_context(const char *, const char *,
+         		     struct lxc_conf *, void *);
+extern int get_config_lsm_se_context(const char *, char *, int,
+         		     struct lxc_conf *, void *);
+extern int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
+#endif /* __LXC_CONFILE_LEGACY_H */
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -582,3 +582,23 @@ bool new_hwaddr(char *hwaddr)
 	return true;
 }
+int lxc_get_conf_str(char *retv, int inlen, const char *value)
+{
+	if (!value)
+		return 0;
+	if (retv && inlen >= strlen(value) + 1)
+		strncpy(retv, value, strlen(value) + 1);
+	return strlen(value);
+}
+int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
+{
+	if (!retv)
+		inlen = 0;
+	else
+		memset(retv, 0, inlen);
+	return snprintf(retv, inlen, "%d", v);
+}
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -81,5 +81,7 @@ extern int network_ifname(char **valuep, const char *value);
 extern int rand_complete_hwaddr(char *hwaddr);
 extern void update_hwaddr(const char *line);
 extern bool new_hwaddr(char *hwaddr);
+extern int lxc_get_conf_str(char *retv, int inlen, const char *value);
+extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v);
 #endif /* __LXC_CONFILE_UTILS_H */
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -47,7 +47,7 @@
 #include "config.h"
 #include "commands.h"
 #include "confile.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
 #include "console.h"
 #include "criu.h"
 #include "log.h"

--- a/src/tests/parse_config_file.c
+++ b/src/tests/parse_config_file.c
@@ -321,27 +321,54 @@ int main(int argc, char *argv[])
 		goto non_test_error;
 	}
-	/* lxc.kmsg */
+	/* REMOVE IN LXC 3.0
-	if (set_get_compare_clear_save_load(c, "lxc.kmsg", "1", tmpf, true) <
+	   legacy security keys
-	    0) {
+	 */
-		lxc_error("%s\n", "lxc.kmsg");
-		goto non_test_error;
-	}
-	/* lxc.aa_profile */
 	if (set_get_compare_clear_save_load(c, "lxc.aa_profile", "unconfined",
 					    tmpf, true) < 0) {
 		lxc_error("%s\n", "lxc.aa_profile");
 		goto non_test_error;
 	}
-	/* lxc.aa_allow_incomplete */
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
 	if (set_get_compare_clear_save_load(c, "lxc.aa_allow_incomplete", "1",
 					    tmpf, true) < 0) {
 		lxc_error("%s\n", "lxc.aa_allow_incomplete");
 		goto non_test_error;
 	}
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
+	if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.se_context");
+		goto non_test_error;
+	}
+	/* lxc.apparmor.profile */
+	if (set_get_compare_clear_save_load(c, "lxc.apparmor.profile", "unconfined",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.profile");
+		goto non_test_error;
+	}
+	/* lxc.apparmor.allow_incomplete */
+	if (set_get_compare_clear_save_load(c, "lxc.apparmor.allow_incomplete", "1",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.allow_incomplete");
+		goto non_test_error;
+	}
+	/* lxc.selinux.context */
+	if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.selinux.context");
+		goto non_test_error;
+	}
 	/* lxc.cgroup.cpuset.cpus */
 	if (set_get_compare_clear_save_load(c, "lxc.cgroup.cpuset.cpus",
 					    "1-100", tmpf, false) < 0) {

--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -119,7 +119,6 @@ cat >> "$path/config" <<EOF
 # Template used to create this container: cirros
 lxc.rootfs = $rootfs
-lxc.pivotdir = lxc_putold
 lxc.tty = 4
 lxc.pts = 1024