Commits · 065d331af0f006e3cd1330eb6cbc064deeefcf9f · Chen Yisong / lxc

02 Dec, 2020 2 commits

Merge pull request #3589 from tych0/fix-nonet-cleanup · 065d331a
Stéphane Graber authored Dec 02, 2020
```
network: fix LXC_NET_NONE cleanup
```
065d331a

network: fix LXC_NET_NONE cleanup · 04213960

authored Dec 02, 2020

We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).

The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:

lxc foo 20201201232059.271 TRACE network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERROR network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERROR start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace

Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.

I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

04213960

21 Nov, 2020 2 commits
- Merge pull request #3586 from tenforward/japanese · 55f7e4d6
  Stéphane Graber authored Nov 21, 2020
```
doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page
```
  55f7e4d6
- doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page · 74f9fb2c
  KATOH Yasufumi authored Nov 22, 2020
```
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
```
  74f9fb2c
18 Nov, 2020 2 commits
- Merge pull request #3583 from brauner/2020-11-18/fixes · 4aa5a10e
  Stéphane Graber authored Nov 18, 2020
```
commands_utils: fix lxc-wait
```
  4aa5a10e
- commands_utils: fix lxc-wait · d2bab66f
  Christian Brauner authored Nov 18, 2020
```
Closes: #3570
Fixes: 7792a5b6 ("commands: add additional check to lxc_cmd_sock_get_state()")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  d2bab66f
17 Nov, 2020 2 commits

Merge pull request #3582 from brauner/2020-11-17/bugfixes · 2cc8d550
Stéphane Graber authored Nov 17, 2020
```
file_utils: fix config file parsing
```
2cc8d550

file_utils: fix config file parsing · 7d84e2cd

authored Nov 17, 2020

We accidently used the "bytes_to_write" variable after we've written all the
bytes at which point it is guaranteed to be 0. Let's use the "bytes_read"
variable instead.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

7d84e2cd

16 Nov, 2020 3 commits
- Merge pull request #3581 from brauner/2020-11-16/fixes · 59c6b066
  Stéphane Graber authored Nov 16, 2020
```
conf: improve mountinfo and config parsing
```
  59c6b066
- conf: switch to fd_to_fd() when copying mountinfo · a39fc34b
  Christian Brauner authored Nov 16, 2020
```
Closes: #3580.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=209971Suggested-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  a39fc34b
- parse: rework config parsing routine · 26dffd82
  Christian Brauner authored Nov 16, 2020
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  26dffd82
13 Nov, 2020 2 commits
- Merge pull request #3579 from lifeng68/master · c875dc63
  Christian Brauner authored Nov 13, 2020
```
cgfsng: adjust log level to warn instead of error
```
  c875dc63
- cgfsng: adjust log level to warn instead of error · 34375fd7
  lifeng68 authored Nov 13, 2020
```
Signed-off-by: lifeng68 <lifeng68@huawei.com>
```
  34375fd7
05 Nov, 2020 4 commits
- Merge pull request #3577 from brauner/2020-11-05/bugfixes · 74294d76
  Stéphane Graber authored Nov 05, 2020
```
attach: silence stdio permission adjust warnings
```
  74294d76
- attach: silence stdio permission adjust warnings · a2c26bef
  Christian Brauner authored Nov 05, 2020
```
Closes: #3576.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  a2c26bef
- Merge pull request #3574 from Drachenfels-GmbH/seccomp-fixes · 056b6a60
  Stéphane Graber authored Nov 05, 2020
```
Add missing free for monitor_pivot_dir.
```
  056b6a60
- Add missing free for monitor_pivot_dir. · eb60b564
  Ruben Jenster authored Oct 30, 2020
```
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
```
  eb60b564
02 Nov, 2020 3 commits
- Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking · 9f39b9e2
  Stéphane Graber authored Nov 02, 2020
```
seccomp: fixes
```
  9f39b9e2
- seccomp: log aborted system calls · 0d724ab4
  Christian Brauner authored Nov 02, 2020
```
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  0d724ab4
- seccomp: make seccomp notifier fd non-blocking · a60c98aa
  Christian Brauner authored Nov 02, 2020
```
Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  a60c98aa
28 Oct, 2020 6 commits
- Merge pull request #3568 from brauner/2020-10-28/fixes · 7fde74f3
  Stéphane Graber authored Oct 28, 2020
```
coverity fixes
```
  7fde74f3
- attach: require that LXC_ATTACH_LSM_LABEL is specified · 65129087
  Christian Brauner authored Oct 28, 2020
```
to avoid liblxc stumbling over an smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  65129087
- utils: check snprintf return value · 0dde733e
  Christian Brauner authored Oct 28, 2020
```
Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  0dde733e
- conf: check snprint return value · 8ddf34f7
  Christian Brauner authored Oct 28, 2020
```
Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  8ddf34f7
- utils: don't deref after NULL check · 3715d0c0
  Christian Brauner authored Oct 28, 2020
```
Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  3715d0c0
- commands: don't deref after NULL check · ec0befee
  Christian Brauner authored Oct 28, 2020
```
Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  ec0befee
27 Oct, 2020 11 commits

Merge pull request #3567 from blenk92/lxc-attach-selinux · bf0b9c1e
Christian Brauner authored Oct 27, 2020
```
lxc-attach: Enable setting the SELinux context
```
bf0b9c1e
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes · a093bb0f
Christian Brauner authored Oct 27, 2020
```
cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
```
a093bb0f
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes · 5fd31e37
Christian Brauner authored Oct 27, 2020
```
seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
```
5fd31e37
Merge pull request #3565 from Drachenfels-GmbH/test-fixes · 10397a80
Christian Brauner authored Oct 27, 2020
```
tests: Fix compilation with appamor enabled.
```
10397a80
Merge pull request #3564 from Drachenfels-GmbH/fixes · dd8d5509
Christian Brauner authored Oct 27, 2020
```
lxccontainer: fix lxc_config_item_is_supported
```
dd8d5509

lxc-attach: Enable setting the SELinux context · 8455e39e

authored Oct 27, 2020

Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (This can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

8455e39e

tests: Fix compilation with appamor enabled. · beff9939
Ruben Jenster authored Oct 23, 2020
```
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
```
beff9939

lxccontainer: fix lxc_config_item_is_supported · 6eb516a7

authored Oct 23, 2020

Use exact match instead of longest prefix match
to check whether a config item is supported.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

6eb516a7

Introduce lxc.cgroup.dir.monitor.pivot · 7696c1f9

authored Oct 23, 2020

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir).
because only empty cgroups can be removed.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

7696c1f9

seccomp: Avoid duplicate processing of rules for host native arch. · 15044cd1
Ruben Jenster authored Oct 23, 2020
```
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
```
15044cd1
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing. · 0ff0d23e
Ruben Jenster authored Oct 22, 2020
```
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>
```
0ff0d23e

24 Oct, 2020 2 commits
- Merge pull request #3561 from tenforward/japanese · c8fe1155
  Stéphane Graber authored Oct 24, 2020
```
Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
```
  c8fe1155
- Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2 · bf73687a
  KATOH Yasufumi authored Oct 25, 2020
```
Update for commit b87ed83bSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
```
  bf73687a
20 Oct, 2020 1 commit
- Merge pull request #3559 from brauner/2020-10-20/fixes · c639f45e
  Stéphane Graber authored Oct 20, 2020
```
conf: account for early return when sending devpts fd
```
  c639f45e