Commits · f994bc87afda7112e0cebe5ff67f37af673dfe06 · Chen Yisong / lxc

26 Jul, 2018 14 commits
- tests: remove VLAs · f994bc87
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  f994bc87
- Makefile: add missing lxctest.h · b84eb74f
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  b84eb74f
- utils: s/strtok_r()/lxc_iterate_parts()/g · 84c5549b
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  84c5549b
- tools: s/strtok_r()/lxc_iterate_parts()/g · 7de8e0a9
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  7de8e0a9
- storage: s/strtok_r()/lxc_iterate_parts()/g · eb29852f
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  eb29852f
- state: s/strtok_r()/lxc_iterate_parts()/g · 89aca5a5
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  89aca5a5
- parse: s/strtok_r()/lxc_iterate_parts()/g · 834027f1
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  834027f1
- namespace: s/strtok_r()/lxc_iterate_parts()/g · 803fd7bf
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  803fd7bf
- lxccontainer: s/strtok_r()/lxc_iterate_parts()/g · 3c1f04cd
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  3c1f04cd
- confile: s/strtok_r()/lxc_iterate_parts()/g · 62dd965e
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  62dd965e
- conf: s/strtok_r()/lxc_iterate_parts()/g · 8db9d26f
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  8db9d26f
- cgroups: s/strtok_r()/lxc_iterate_parts() · 0be0d78f
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  0be0d78f
- utils: add lxc_iterate_parts() · 521b4771
  Christian Brauner authored Jul 26, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  521b4771
- Merge pull request #2479 from Blub/apparmor-profiles · 40008155
  Serge Hallyn authored Jul 25, 2018
```
RFC: Generated Apparmor profiles, namespaces, stacking
```
  40008155
25 Jul, 2018 6 commits

tests: add test for generated apparmor profiles · e7311a84
Wolfgang Bumiller authored Jul 24, 2018
```
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
e7311a84

apparmor: allow start-container to change to lxc-** · 242a9fa7

authored Jul 24, 2018

For generated profiles with apparmor namespaces we get
profile names with slashes in them. To match those, we need
to allow changing to lxc-**, not just lxc-*.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

242a9fa7

apparmor: profile generation · 1800f924

authored Jul 25, 2018

This copies lxd's apparmor profile generation. This tries to
detect features such as cgroup namespaces, apparmor
namespaces and stacking support, and has profile parts
conditionally for unprivileged containers.

This introduces the following changes to the configuration:
  lxc.apparmor.profile = generated
    The fixed value 'generated' will cause this
    functionality to be used, otherwise there should be no
    functional changes happening unless specifically
    requested with the next key:
  lxc.apparmor.allow_nesting
    This is a boolean which, if enabled, causes the
    following changes: When generated apparmor profiles are
    used, they will contain the necessary changes to allow
    creating a nested container. In addition to the usual
    mount points, /dev/.lxc/proc and /dev/.lxc/sys will
    contain procfs and sysfs mount points without the lxcfs
    overlays, which, if generated apparmor profiles are
    being used, will not be read/writable directly.
  lxc.apparmor.raw
    A list of raw apparmor profile lines to append to the
    profile. Only valid when using generated profiles.

The following apparmor profile lines have not been copied
from lxd:

  mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,
  mount none -> /var/lib/lxd/shmounts/,
  mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,

They should be added via lxc.apparmor.raw entries by lxd.

In order for apparmor_parser's cache to be of use, this adds
a --with-apparmor-cache-dir ./configure option.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

1800f924

apparmor: update current profiles · 6e6aca3e

authored Jul 25, 2018

remove cgmanager rules and add fstype=cgroup2 variants for
the existing fstype=cgroup rules
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

6e6aca3e

utils: add must_concat helper · eb5c2e6a
Wolfgang Bumiller authored Jul 18, 2018
```
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
eb5c2e6a
apparmor: use fopen_cloexec · 7e556d18
Wolfgang Bumiller authored Jul 25, 2018
```
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
7e556d18

24 Jul, 2018 5 commits

Merge pull request #2492 from brauner/2018-07-14/fix_indendation · 434381b0
Stéphane Graber authored Jul 24, 2018
```
lxccontainer: fix indendation
```
434381b0
lxccontainer: fix indendation · 095b5c7d
Christian Brauner authored Jul 24, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
095b5c7d

lsm: fixup lsm_process_label_set_at return values · c68d5b0d

authored Jul 12, 2018

Always return -1 on error (some code paths returned -1, some
returned negative error codes), don't assume 'errno' is set
afterwards, as the function already prints errors and not
all code paths will have a usable errno value.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

c68d5b0d

tests: lxc-test-apparmor-mount: check environment early · 39e2cbec

authored Jul 24, 2018

don't kill all my processes when running it as user...
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

39e2cbec

tests: lxc-test-apparmor-mount: show a log on error · d6523915
Wolfgang Bumiller authored Jul 23, 2018
```
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
```
d6523915

22 Jul, 2018 15 commits
- Merge pull request #2489 from 2xsec/bugfix · 023d07ee
  Christian Brauner authored Jul 22, 2018
```
change log macro of error case from lxc_ambient_caps_up/down
```
  023d07ee
- Merge pull request #2300 from LizaTretyakova/mount_injection · 9ddc6b44
  Christian Brauner authored Jul 22, 2018
```
Mount injection API 
```
  9ddc6b44
- confile: add missing header · 54fc984b
  Christian Brauner authored Jul 22, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  54fc984b
- start: coding style fixes · ea0e06dd
  Christian Brauner authored Jul 22, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  ea0e06dd
- conf: coding style fixes · 6b741397
  Christian Brauner authored Jul 22, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  6b741397
- confile: add strdup failure check · fd14fdb8
  Liza Tretyakova authored May 19, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
[christian.brauner@ubuntu.com: coding style]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  fd14fdb8
- conf, lxccontainer: fix length checks in snprintf · 60534030
  Liza Tretyakova authored May 19, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
```
  60534030
- conf, confile, lxccontainer, start: nonfunctional changes · 7a41e857
  Liza Tretyakova authored May 19, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
```
  7a41e857
- lxccontainer: reword create_mount_target() · 1f5a90f9
  Christian Brauner authored May 15, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  1f5a90f9
- lxccontainer: do_lxcapi_mount() coding-style · 3340f441
  Christian Brauner authored May 15, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  3340f441
- tests: add filesystem and char device tests · 117deb70
  Liza Tretyakova authored May 15, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
```
  117deb70
- lxccontainer: add handling of file mounts · c6885c3f
  Liza Tretyakova authored May 15, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
```
  c6885c3f
- tests: tweak mount injection tests · 643bcac9
  Christian Brauner authored May 13, 2018
```
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  643bcac9
- tests: add tests for umount · c8c568c8
  Liza Tretyakova authored May 12, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
```
  c8c568c8
- lxccontainer: add the umount API function · d83da817
  Liza Tretyakova authored May 12, 2018
```
Signed-off-by: Liza Tretyakova <elizabet.tretyakova@gmail.com>
[christian@brauner.io: minor coding-style changes]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
```
  d83da817