  1. 10 Apr, 2017 2 commits
  2. 04 Apr, 2017 4 commits
    • Merge pull request #1386 from brauner/2017-01-16/fix_CVE-2016-10124_stable-1.0 · 3196b9ac
      Stéphane Graber authored
      stable-1.0: backport fixes for CVE-2016-10124
    • lxc_setup_tios(): Ignore SIGTTOU and SIGTTIN signals · 6aae6d02
      Thomas Jarosch authored
      Prevent an endless loop while executing lxc-attach in the background:
      
      The kernel might fire SIGTTOU while an ioctl() in tcsetattr()
      is executed. When the ioctl() is resumed and retries,
      the signal handler interrupts it again.
      
      We can't configure the TTY to stop sending
      the signals in the first place since that
      is a modification/write to the TTY already.
      
      Still we clear the TOSTOP flag to prevent further signals.
      
      Command to reproduce the hang:
      ----------------------------
      cat > lxc_hang.sh << EOF
      /usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true
      EOF
      sh lxc_hang.sh    # hangs
      ----------------------------
      Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
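
The pattern this commit message describes, as an added C example (not the LXC source): ignore SIGTTIN and SIGTTOU before changing terminal settings, and clear TOSTOP in the settings being written. The function name `setup_tios_bg_safe` and the choice of raw-mode flags are assumptions of this example.

```c
#include <errno.h>
#include <signal.h>
#include <termios.h>
#include <unistd.h>

/* Put fd into raw mode from a process that may be in the background.
 * Returns 0 and stores the previous settings in *old, or -1 on error. */
int setup_tios_bg_safe(int fd, struct termios *old)
{
	struct termios raw;

	if (!isatty(fd) || tcgetattr(fd, old) < 0)
		return -1;	/* not a terminal: nothing to configure */

	/* A background process that changes terminal settings is sent SIGTTOU
	 * unless the signal is blocked or ignored. With a handler installed the
	 * ioctl() is interrupted on every retry, so ignore both job-control
	 * signals before touching the TTY. */
	signal(SIGTTIN, SIG_IGN);
	signal(SIGTTOU, SIG_IGN);

	raw = *old;
	raw.c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
	raw.c_lflag &= ~(ECHO | ICANON | ISIG | IEXTEN);
	raw.c_lflag &= ~TOSTOP;	/* no SIGTTOU for later plain writes either */
	raw.c_cc[VMIN] = 1;
	raw.c_cc[VTIME] = 0;

	while (tcsetattr(fd, TCSAFLUSH, &raw) < 0)
		if (errno != EINTR)
			return -1;
	return 0;
}

int main(void)
{
	struct termios old;

	if (setup_tios_bg_safe(STDIN_FILENO, &old) < 0)
		return 1;	/* stdin is not a terminal */
	tcsetattr(STDIN_FILENO, TCSAFLUSH, &old);	/* restore saved settings */
	return 0;
}
```
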
    • CVE-2016-10124: make lxc-attach use a pty · 99e98d9a
      Christian Brauner authored
      Previous versions of lxc-attach simply attached to the specified namespaces of
      a container and ran a shell or the specified command without first allocating a
      pseudo terminal. This made them vulnerable to input faking via a TIOCSTI ioctl
      call after switching between userspace execution contexts with different
      privilege levels. Newer versions of lxc-attach will try to allocate a pseudo
      terminal master/slave pair on the host and attach any standard file descriptors
      which refer to a terminal to the slave side of the pseudo terminal before
      executing a shell or command. Note that if none of the standard file
      descriptors refer to a terminal, lxc-attach will not try to allocate a pseudo
      terminal. Instead it will simply attach to the container's namespaces and run a
      shell or the specified command.
      
      (This is a backport of a series of patches fixing CVE-2016-10124.)
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
    • CVE-2016-10124: backport new console backend · d6704216
      Christian Brauner authored
      - Make escape sequence to exit tty optional since we want to reuse
        lxc_console_cb_tty_stdin() in lxc_attach.c.
      - Export the following functions since they can be reused in other modules:
        - lxc_console_cb_tty_stdin()
        - lxc_console_cb_tty_master()
        - lxc_setup_tios(int fd, struct termios *oldtios);
        - lxc_console_winsz(int srcfd, int dstfd);
        - lxc_console_cb_sigwinch_fd(int fd, uint32_t events, void *cbdata, struct lxc_epoll_descr *descr);
        - lxc_tty_state *lxc_console_sigwinch_init(int srcfd, int dstfd);
        - lxc_console_sigwinch_fini(struct lxc_tty_state *ts);
      - rewrite lxc_console_set_stdfds()
        - Make lxc_console_set_stdfds useable by other callers that do not have
          access to lxc_handler.
      - Use ssh settings for ptys.
      - Remove all asserts from console.{c,h}.
      - Adapt start.c to changes.
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  3. 22 Mar, 2017 3 commits
  4. 20 Mar, 2017 9 commits
  5. 07 Mar, 2017 1 commit
  6. 27 Feb, 2017 1 commit
  7. 27 Jan, 2017 1 commit
    • Make lxc-start-ephemeral Python 3.2-compatible · 70cd3b8f
      Colin Watson authored
      On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as
      follows:
      
          Traceback (most recent call last):
            File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user
            File "/usr/lib/python3.2/subprocess.py", line 515, in check_output
            File "/usr/lib/python3.2/subprocess.py", line 732, in __init__
          LookupError: unknown encoding: ANSI_X3.4-1968
      
      This is because `universal_newlines=True` causes `subprocess` to use
      `io.TextIOWrapper`, and in versions of Python earlier than 3.3 that
      fetched the preferred encoding using `locale.getpreferredencoding()`
      rather than `locale.getpreferredencoding(False)`, thereby changing the
      locale and causing codecs to be reloaded.  However, `attach_as_user`
      runs inside the container and thus can't rely on having access to the
      same Python standard library on disk.
      
      The workaround is to decode by hand instead, avoiding the temporary
      change of locale.
      Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
  8. 23 Jan, 2017 1 commit
  9. 03 Jan, 2017 4 commits
  10. 15 Dec, 2016 4 commits
  11. 09 Dec, 2016 1 commit
  12. 08 Dec, 2016 3 commits
  13. 01 Dec, 2016 3 commits
  14. 23 Nov, 2016 2 commits
    • change version to 1.0.9 in configure.ac · 7b483176
      Stéphane Graber authored
      Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
    • attach: do not send procfd to attached process · 9f27a410
      Christian Brauner authored
      So far, we opened a file descriptor referring to proc on the host inside the
      host namespace and handed that fd to the attached process in
      attach_child_main(). This was done to ensure that LSM labels were correctly
      set up. However, by exploiting a potential kernel bug, ptrace could be used to
      prevent the file descriptor from being closed which in turn could be used by an
      unprivileged container to gain access to the host namespace. Aside from this
      needing an upstream kernel fix, we should make sure that we don't pass the fd
      for proc itself to the attached process. However, we cannot completely prevent
      this, as the attached process needs to be able to change its apparmor profile
      by writing to /proc/self/attr/exec or /proc/self/attr/current. To minimize the
      attack surface, we only send the fd for /proc/self/attr/exec or
      /proc/self/attr/current to the attached process. To do this we introduce a
      little more IPC between the child and parent:
      
      	 * IPC mechanism: (X is receiver)
      	 *   initial process        intermediate          attached
      	 *        X           <---  send pid of
      	 *                          attached proc,
      	 *                          then exit
      	 *    send 0 ------------------------------------>    X
      	 *                                              [do initialization]
      	 *        X  <------------------------------------  send 1
      	 *   [add to cgroup, ...]
      	 *    send 2 ------------------------------------>    X
      	 *                                              [set LXC_ATTACH_NO_NEW_PRIVS]
      	 *        X  <------------------------------------  send 3
      	 *   [open LSM label fd]
      	 *    send 4 ------------------------------------>    X
      	 *                                              [set LSM label]
      	 *   close socket                                 close socket
      	 *                                                run program
      
      The attached child tells the parent when it is ready to have its LSM labels set
      up. The parent then opens an appropriate fd for the child PID to
      /proc/<pid>/attr/exec or /proc/<pid>/attr/current and sends it via SCM_RIGHTS
      to the child. The child can then set its LSM label. Both sides then close the
      socket fds and the child execs the requested process.
      Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
  15. 22 Nov, 2016 1 commit