Commits · 983b1db09dd09be107ef1c9fa0968c01acbc2c3f · Chen Yisong / lxc

02 Feb, 2021 16 commits

authored Feb 02, 2021

This is a unified hierarchy only method which doesn't need to initialize a full
cgroup driver. Instead, it relies on the command socket to retrieve a cgroup2
file descriptor to the container's cgroup.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

983b1db0

cgroups: reorder cgroup_get() arguments · 3baf0fc8
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
3baf0fc8
lxccontainer: use cgroup_get() · a29cc280
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
a29cc280

cgroups: add cgroup_get() · b1356424

authored Feb 02, 2021

b1356424

file_utils: add lxc_read_try_buf_at() · 2b5e0b8b
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
2b5e0b8b
macro: abuse ENOMEDIUM as ENOCGROUP2 · 6de35cd9
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
6de35cd9
Merge pull request #3646 from brauner/2021-02-02/fixes · b22ae843
Stéphane Graber authored Feb 02, 2021
```
attach & cgroup hardening
```
b22ae843
cgroups: switch controller delegation to fd-only operations · ac01a9b8
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
ac01a9b8
cgroups: add unified_cgroup_fd() helper · 6d153543
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
6d153543
file_utils: harden lxc_writeat() · 3c5fa7f3
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
3c5fa7f3
file_utils: harden lxc_open_dirfd() · 87c7dbcb
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
87c7dbcb
syscall_wrappers: add PROTECT_OPEN_W_* variants · bcf9793d
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
bcf9793d
memory_utils: add close_prot_errno_mov() · 4c6c4794
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
4c6c4794

attach: move loading seccomp as late as possible · e18aba7d

authored Feb 02, 2021

We want to minimize the change that the profile blocks syscalls we need during
attach setup and has the notifier enabled.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

e18aba7d

attach: move file descriptor closing into attach_context_container() · 92466fe3

authored Feb 02, 2021

This reduces the possibility of forgetting to close the namespace file
descriptors when we change this codepath.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

92466fe3

attach: stricter lookup semantics for fdopen_at() calls · 72a19d2f
Christian Brauner authored Feb 02, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
72a19d2f

01 Feb, 2021 24 commits
- Merge pull request #3645 from brauner/2021-02-01/fixes_4 · c7d64498
  Stéphane Graber authored Feb 01, 2021
```
attach: bugfixes
```
  c7d64498
- confile_utils: use lxc_log_trace() · 4ac35afb
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  4ac35afb
- conf: use lxc_log_trace() · 62fef886
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  62fef886
- commands_utils: don't leak memory · 570e1173
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  570e1173
- attach: use correct put method · 52ed870e
  Christian Brauner authored Feb 01, 2021
```
Fixes: Coverity 1472763
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  52ed870e
- attach: prevent UAF · cd5f35ec
  Christian Brauner authored Feb 01, 2021
```
Fixes: Coverity 1472761
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  cd5f35ec
- Merge pull request #3644 from brauner/2021-02-01/fixes_3 · 32947602
  Stéphane Graber authored Feb 01, 2021
```
attach: harden open() calls
```
  32947602
- attach: file descriptor based fdinfo handling · 6f0c2cea
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  6f0c2cea
- file_utils: remove O_NOFOLLOW from open_at() defaults · 8e5d1759
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  8e5d1759
- lsm: harden read_file_at() · 6fc8a0dd
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  6fc8a0dd
- tree-wide: extend read_file_at() · 46bf13b7
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  46bf13b7
- attach: harden open calls · 5129b2d3
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  5129b2d3
- syscall_wrappers: add PROTECT_LOOKUP, PROTECT_OPEN,… · cce677d1
  Christian Brauner authored Feb 01, 2021
```
syscall_wrappers: add PROTECT_LOOKUP, PROTECT_OPEN, PROTECT_LOOKUP_WITH_SYMLINKS, PROTECT_OPEN_WITH_TRAILING_SYMLINKS
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  cce677d1
- file_utils: add open_at() · 7166ab75
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  7166ab75
- Merge pull request #3642 from brauner/2021-02-01/fixes · 42673edd
  Stéphane Graber authored Feb 01, 2021
```
attach: rework id handling
```
  42673edd
- Merge pull request #3643 from brauner/2021-02-01/fixes_2 · 2b525963
  Stéphane Graber authored Feb 01, 2021
```
cgroups: remove pointless NULL checks
```
  2b525963
- cgroups: initialize variable · ed75d76e
  Christian Brauner authored Feb 01, 2021
```
Fixes: Coverity 1472651
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  ed75d76e
- cgroups: remove pointless NULL checks · bb6dbaf0
  Christian Brauner authored Feb 01, 2021
```
We're already ensuring before that conf isn't NULL.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  bb6dbaf0
- attach: stash host uid and host gid in attach_context · 3ac4480a
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  3ac4480a
- attach: fix error checking for dup2() · 40301d48
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  40301d48
- attach: fix logging for stdfd replacement · 93b9960a
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  93b9960a
- attach: log failues to dup2() with SYSDEBUG() · a7563434
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  a7563434
- utils: use SYSTRACE() when logging stdio permission fixup failures · 7e90889d
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  7e90889d
- attach: document attach_context · 20718e39
  Christian Brauner authored Feb 01, 2021
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  20718e39