- 23 Nov, 2016 2 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
So far, we opened a file descriptor referring to proc on the host inside the host namespace and handed that fd to the attached process in attach_child_main(). This was done to ensure that LSM labels were correctly set up. However, by exploiting a potential kernel bug, ptrace could be used to prevent the file descriptor from being closed, which in turn could be used by an unprivileged container to gain access to the host namespace. Aside from this needing an upstream kernel fix, we should make sure that we don't pass the fd for proc itself to the attached process. However, we cannot completely prevent this, as the attached process needs to be able to change its apparmor profile by writing to /proc/self/attr/exec or /proc/self/attr/current. To minimize the attack surface, we only send the fd for /proc/self/attr/exec or /proc/self/attr/current to the attached process. To do this we introduce a little more IPC between the child and parent:

    * IPC mechanism: (X is receiver)
    *   initial process        intermediate          attached
    *        X           <---  send pid of
    *                          attached proc,
    *                          then exit
    *    send 0 ------------------------------------>    X
    *                                              [do initialization]
    *        X  <------------------------------------  send 1
    *   [add to cgroup, ...]
    *    send 2 ------------------------------------>    X
    *                                              [set LXC_ATTACH_NO_NEW_PRIVS]
    *        X  <------------------------------------  send 3
    *   [open LSM label fd]
    *    send 4 ------------------------------------>    X
    *                                              [set LSM label]
    *   close socket                                 close socket
    *                                                run program

The attached child tells the parent when it is ready to have its LSM labels set up. The parent then opens an appropriate fd for the child PID to /proc/<pid>/attr/exec or /proc/<pid>/attr/current and sends it via SCM_RIGHTS to the child. The child can then set its LSM label. Both sides then close the socket fds and the child execs the requested process.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
- 22 Nov, 2016 2 commits
-
-
Stéphane Graber authored
tree-wide: replace readdir_r() with readdir()
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
- 18 Nov, 2016 24 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
This package doesn't exist in stretch anymore, and it's unclear why we were depending on a library to begin with (as opposed to having it brought by whatever needs it).

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Christian Brauner authored
This is a GNU extension and some libcs might be missing it.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Evgeni Golov authored
Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Po-Hsu Lin authored
Add squashfs format file support for lxc-ubuntu-cloud.in

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
-
Christian Brauner authored
Somehow this implementation of a cgroupfs backend decided to use the hierarchy numbers it detects in /proc/cgroups and /proc/self/cgroups as indices for the hierarchy struct. Controller numbering usually starts at 1 but may start at 0 if:

    a) the controller is not mounted on a cgroups v1 hierarchy;
    b) the controller is bound to the cgroups v2 single unified hierarchy; or
    c) the controller is disabled

To avoid having to rework our fallback backend significantly, we should explicitly check for each controller if hierarchy[i] != NULL.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
mgariepy authored
This patch creates a /var/run link to point to /run. This will fix various issues present when /var/run is persistent.

Signed-off-by: Marc Gariepy <gariepy.marc@gmail.com>
-
Wolfgang Bumiller authored
On shutdown we move physical network interfaces back to the host namespace and rename them afterwards as well as in the later lxc_network_delete() step. However, if the device had a name which already exists in the host namespace then the moving fails and so do the subsequent rename attempts. When the namespace ceases to exist the devices finally end up in the host namespace named 'dev<ID>' by the kernel.

In order to avoid this, we do the moving and renaming in a single step (lxc_netdev_move_by_*()'s move & rename happen in a single netlink transaction).

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
Christian Brauner authored
When the container is already running our manpage promises to exit with 2. Let's make it so.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Christian Brauner authored
If cgroupv2 is enabled either alone or together with legacy hierarchies /proc/self/cgroup can contain entries of the form:

    0::/

These entries need to be skipped.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Christian Brauner authored
And let's be on the safe side by NULLing free()ed variables.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Evgeni Golov authored
Closes: #502

Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
There are no personalities for s390x, so don't list itself as one.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Jafar Al-Gharaibeh authored
lxc_strerror() was dropped a long time ago, in 2009 to be exact.

Related commit: https://github.com/lxc/lxc/commit/7cee8789514fb42d6a48d50b904e24284f5526e3

Signed-off-by: Jafar Al-Gharaibeh <to.jafar@gmail.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Lans Zhang authored
The returned value from snprintf() should be checked carefully. This bug can be leveraged to execute arbitrary code through carefully constructing the payload, e.g.,

    lxc-freeze -n `python -c "print 'AAAAAAAA' + 'B'*959"` -P PADPAD -o /tmp/log

This command running on Ubuntu 14.04 (x86-64) can cause a segment fault.

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
-
Evgeni Golov authored
this allows running them also under Python2, which otherwise would choke on Stéphane's name and error out with

    SyntaxError: Non-ASCII character '\xc3' in file …

Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Roman Mueller authored
Signed-off-by: Roman Mueller <roman.mueller@gmail.com>
-
Christian Brauner authored
Make sure we don't return uninitialized memory.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Thierry Fauck authored
Template catches arch from uname -m, but for ppc64el system, arch reports ppc64le which doesn't match image repo.

Signed-off-by: Thierry Fauck <tfauck@free.fr>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
-
Lukas Pirl authored
Signed-off-by: Lukas Pirl <git@lukas-pirl.de>
-
- 17 Nov, 2016 12 commits
-
-
Christian Brauner authored
  - We expect destroy to fail in zfs_clone() so try to silence it so users are not irritated when they create zfs snapshots.
  - Add -r recursive to zfs_destroy(). This code is only hit when a) the container has no snapshots or b) the user calls destroy with snapshots. So this should be safe. Without -r snapshots will remain.

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
-
Christian Brauner authored
lxc_console is used with lxc_console.c

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
-
Evgeni Golov authored
otherwise the generated docs have the full build path in them and nobody cares that the files were built in /build/lxc-_BVY2u/lxc-2.0.4/src/lxc/

Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Elan Ruusamäe authored
    /usr/share/lxc/templates/lxc-fedora: line 1078: openssl: command not found

Signed-off-by: Elan Ruusamäe <glen@delfi.ee>
-
Christian Brauner authored
  - log more errnos
  - adapt coding style

Signed-off-by: Christian Brauner <cbrauner@suse.de>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <cbrauner@suse.de>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <cbrauner@suse.de>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <cbrauner@suse.de>
-
James Cowgill authored
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
-
James Cowgill authored
Fixes "unsupported personality" warnings when starting containers.

Signed-off-by: James Cowgill <james410@cowgill.org.uk>
-
James Cowgill authored
MIPS processors implement 3 ABIs: o32, n64 and n32 (similar to x32). The kernel treats each ABI separately so syscalls disallowed on "all" arches should be added to all three seccomp sets. This is implemented by expanding compat_arch and compat_ctx to accept two compat architectures.

After this, the MIPS hostarch detection code and config section code is added.

Signed-off-by: James Cowgill <james410@cowgill.org.uk>
-
James Cowgill authored
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
-