- 29 Jul, 2018 18 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
nl: avoid NULL pointer dereference
-
Rafał Miłecki authored
It's a valid case to call nla_put() with NULL data and 0 len. It's done e.g. in the nla_put_attr(). There has to be a check for data in nla_put() as passing NULL to the memcpy() is not allowed. Even if length is 0, both pointers have to be valid. For a reference see C99 standard (7.21.1/2), it says: "pointer arguments on such a call shall still have valid values".
Reported-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
[christian.brauner@ubuntu.com: adapted commit message]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Stéphane Graber authored
Fix license of the nvidia hook
-
Felix Abecassis authored
Fixes: #2494
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>
-
- 26 Jul, 2018 17 commits
-
-
Stéphane Graber authored
utils: add lxc_iterate_parts(), compile with -Wvla and -std=gnu11
-
Christian Brauner authored
We can't really support anything less than gcc-4.8 anyway.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
RFC: Generated Apparmor profiles, namespaces, stacking
-
- 25 Jul, 2018 5 commits
-
-
Wolfgang Bumiller authored
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
Wolfgang Bumiller authored
For generated profiles with apparmor namespaces we get profile names with slashes in them. To match those, we need to allow changing to lxc-**, not just lxc-*.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
Wolfgang Bumiller authored
This copies lxd's apparmor profile generation. This tries to detect features such as cgroup namespaces, apparmor namespaces and stacking support, and has profile parts conditionally for unprivileged containers.
This introduces the following changes to the configuration:
  lxc.apparmor.profile = generated
    The fixed value 'generated' will cause this functionality to be used, otherwise there should be no functional changes happening unless specifically requested with the next key:
  lxc.apparmor.allow_nesting
    This is a boolean which, if enabled, causes the following changes: When generated apparmor profiles are used, they will contain the necessary changes to allow creating a nested container. In addition to the usual mount points, /dev/.lxc/proc and /dev/.lxc/sys will contain procfs and sysfs mount points without the lxcfs overlays, which, if generated apparmor profiles are being used, will not be read/writable directly.
  lxc.apparmor.raw
    A list of raw apparmor profile lines to append to the profile. Only valid when using generated profiles.
The following apparmor profile lines have not been copied from lxd:
  mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,
  mount none -> /var/lib/lxd/shmounts/,
  mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,
They should be added via lxc.apparmor.raw entries by lxd.
In order for apparmor_parser's cache to be of use, this adds a --with-apparmor-cache-dir ./configure option.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
Wolfgang Bumiller authored
remove cgmanager rules and add fstype=cgroup2 variants for the existing fstype=cgroup rules
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
Wolfgang Bumiller authored
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-