]>
git.proxmox.com Git - mirror_lxc.git/log
Stéphane Graber [Tue, 11 Aug 2020 12:28:19 +0000 (08:28 -0400)]
Merge pull request #3517 from brauner/2020-08-10/fixes_2
lsm: rewrite
Christian Brauner [Tue, 11 Aug 2020 08:32:01 +0000 (10:32 +0200)]
lsm: use atomic in ase we're used multi-threaded
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 10 Aug 2020 21:55:13 +0000 (23:55 +0200)]
lsm: rework lsm handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 10 Aug 2020 18:41:00 +0000 (14:41 -0400)]
Merge pull request #3514 from brauner/2020-08-10/fixes
conf: terminal and /dev hardening
Christian Brauner [Mon, 10 Aug 2020 09:13:53 +0000 (11:13 +0200)]
terminal: harden terminal allocation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 10 Aug 2020 09:01:42 +0000 (11:01 +0200)]
conf: move /dev setup to be file descriptor based
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 10 Aug 2020 02:39:45 +0000 (22:39 -0400)]
Merge pull request #3513 from brauner/2020-08-09/openat2
openat2() and safe mounting
Christian Brauner [Sun, 9 Aug 2020 17:35:33 +0000 (19:35 +0200)]
conf: harden lxc_fill_autodev() via save_mount_beneath_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 17:33:23 +0000 (19:33 +0200)]
file_utils: add exists_dir_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:55:52 +0000 (18:55 +0200)]
conf: make use of stashed container mountpoint fd in mount_autodev()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:55:25 +0000 (18:55 +0200)]
conf: stash file descriptor to root mountpoint in struct lxc_rootfs
This way we only need to open it _once_ per container startup.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 16:37:57 +0000 (18:37 +0200)]
utils: introduce safe_mount_beneath_at()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:48:35 +0000 (15:48 +0200)]
cgfsng: use safe_mount_beneath()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:37:31 +0000 (15:37 +0200)]
conf: switch mount_autodev() to new safe_mount_beneath() helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 13:24:26 +0000 (15:24 +0200)]
utils: add safe_mount_beneath() based on openat2()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sun, 9 Aug 2020 10:48:02 +0000 (12:48 +0200)]
syscalls: add openat2()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 7 Aug 2020 19:40:56 +0000 (21:40 +0200)]
Merge pull request #3512 from stgraber/master
lxc-download fixes
Stéphane Graber [Fri, 7 Aug 2020 19:10:22 +0000 (15:10 -0400)]
lxc-download: Fix retry loop
Closes #3511
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Fri, 7 Aug 2020 19:09:01 +0000 (15:09 -0400)]
Revert "templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys"
This reverts commit
409040e702f814a167aed5a0e833f4d5c67fd29d .
Testing of both options show identical behavior but receive-keys does
not exist on older releases, so let's revert this.
Closes #3510
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Thu, 6 Aug 2020 15:51:32 +0000 (11:51 -0400)]
Merge pull request #3509 from brauner/2020-08-06/fixes
api-extension: add missing seccomp_proxy_send_notify_fd extension
Christian Brauner [Thu, 6 Aug 2020 15:33:09 +0000 (17:33 +0200)]
api-extension: add missing seccomp_proxy_send_notify_fd extension
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 6 Aug 2020 13:27:31 +0000 (09:27 -0400)]
Merge pull request #3508 from brauner/2020-08-06/fixes
seccomp: add seccomp_notify_fd_active api extension
Christian Brauner [Thu, 6 Aug 2020 13:08:09 +0000 (15:08 +0200)]
seccomp: send notify fd as part of the message
Since we haven't made this official api yet: YOLO
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 6 Aug 2020 12:38:07 +0000 (14:38 +0200)]
seccomp: add seccomp_notify_fd_active api extension
which allows to retrieve an active seccomp notifier fd from a running
container.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 6 Aug 2020 12:38:06 +0000 (08:38 -0400)]
Merge pull request #3507 from brauner/2020-08-06/fixes
seccomp: don't close the mainloop, simply remove the handler
Christian Brauner [Thu, 6 Aug 2020 12:14:10 +0000 (14:14 +0200)]
seccomp: don't close the mainloop, simply remove the handler
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 5 Aug 2020 19:14:28 +0000 (15:14 -0400)]
Merge pull request #3506 from brauner/2020-08-05/safe_native_terminal_allocation
macro: define TIOCGPTPEER if missing
Christian Brauner [Wed, 5 Aug 2020 18:50:27 +0000 (20:50 +0200)]
conf: use openat() instead of open_tree()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 5 Aug 2020 14:44:53 +0000 (16:44 +0200)]
macro: define TIOCGPTPEER if missing
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 5 Aug 2020 14:10:52 +0000 (10:10 -0400)]
Merge pull request #3505 from brauner/2020-08-05/safe_native_terminal_allocation
terminal: safely allocate pts devices from inside the container
Christian Brauner [Wed, 5 Aug 2020 10:03:41 +0000 (12:03 +0200)]
terminal: safely allocate pts devices from inside the container
This was a year long journey which seems to finally have come to an end.
Closes: #1620.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Tue, 4 Aug 2020 00:53:01 +0000 (20:53 -0400)]
Merge pull request #3504 from brauner/2020-08-04/fixes
conf: ensure that the idmap pointer itself is freed
Christian Brauner [Mon, 3 Aug 2020 22:05:05 +0000 (00:05 +0200)]
conf: ensure that the idmap pointer itself is freed
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 28 Jul 2020 11:25:48 +0000 (13:25 +0200)]
Merge pull request #3501 from ffontaine/master
syscall: don't fail if __NR_signalfd is not defined
Fabrice Fontaine [Tue, 28 Jul 2020 10:31:31 +0000 (12:31 +0200)]
syscall: don't fail if __NR_signalfd is not defined
lxc fails to build if __NR_signalfd is not defined since version 4.0.0
and
https://github.com/lxc/lxc/commit/
bed09c9cc0bec7bbd2442fcce4a2a0f03994cb09
However, some architectures don't define __NR_signalfd but only
__NR_signalfd4. This is the case for example for nios2 or csky:
https://github.com/bminor/glibc/blob/
f9ac84f92f151e07586c55e14ed628d493a5929d /sysdeps/unix/sysv/linux/nios2/arch-syscall.h
https://github.com/bminor/glibc/blob/
f9ac84f92f151e07586c55e14ed628d493a5929d /sysdeps/unix/sysv/linux/csky/arch-syscall.h
Fixes:
- http://autobuild.buildroot.org/results/
75096a48d2dbda57459523db3ed0952e63f93535
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Stéphane Graber [Mon, 27 Jul 2020 16:02:48 +0000 (12:02 -0400)]
Merge pull request #3500 from brauner/2020-07-27/seccomp_notify_cleanup
seccomp: add missing header
Christian Brauner [Mon, 27 Jul 2020 15:26:42 +0000 (17:26 +0200)]
seccomp: add missing header
Fixes: https://launchpadlibrarian.net/490341075/buildlog_snap_ubuntu_bionic_amd64_lxd-latest-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Mon, 27 Jul 2020 12:16:30 +0000 (08:16 -0400)]
Merge pull request #3499 from brauner/2020-07-27/seccomp_notify_cleanup
seccomp: remove seccomp fd from event loop after task exited
Christian Brauner [Mon, 27 Jul 2020 08:12:16 +0000 (10:12 +0200)]
seccomp: remove seccomp fd from event loop after task exited
Linux v5.8 will land my patch where seccomp notifies when a filter goes unused,
i.e. when the last task using a given seccomp filter has exited. This wasn't
possible before and so we accumulated file descriptors in the container's event
loop whenever we attached to the container.
I'm not sure whether the task exiting before we could handle its syscall should
cause us to report and error or not. For now, let's simply close the event loop
and not report an error.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Sat, 25 Jul 2020 16:49:14 +0000 (12:49 -0400)]
Merge pull request #3498 from brauner/master
selinux: remove security_context_t usage as it's deprecated
Christian Brauner [Sat, 25 Jul 2020 09:36:46 +0000 (11:36 +0200)]
selinux: remove security_context_t usage as it's deprecated
Link: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1888705
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Thu, 23 Jul 2020 16:52:37 +0000 (12:52 -0400)]
Merge pull request #3497 from brauner/2020-07-23/fix_snap_compilation
autotools: fix Makefile
Stéphane Graber [Thu, 23 Jul 2020 14:34:36 +0000 (10:34 -0400)]
Merge pull request #3496 from brauner/2020-07-18/mount_pid
new mount api support: basics
Christian Brauner [Thu, 23 Jul 2020 08:33:33 +0000 (10:33 +0200)]
Makefile: fix Makefile
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 10:04:52 +0000 (12:04 +0200)]
log: don't break logging by hiding symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 09:47:21 +0000 (11:47 +0200)]
attach: use new mount api
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 09:45:15 +0000 (11:45 +0200)]
mount_utils: add mount_filesystem() helper
that translates between the two mount apis.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 09:32:28 +0000 (11:32 +0200)]
mount_utils: add mount utils
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 09:02:33 +0000 (11:02 +0200)]
syscalls: add fsmount()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 08:59:49 +0000 (10:59 +0200)]
syscalls: add fsconfig()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 08:54:12 +0000 (10:54 +0200)]
syscalls: add fspick()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 22 Jul 2020 08:50:20 +0000 (10:50 +0200)]
syscalls: add fsopen()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 22 Jul 2020 18:39:53 +0000 (14:39 -0400)]
Merge pull request #3492 from brauner/2020-07-18/visibility_hidden
tree-wide: hide unnecessary symbols
Stéphane Graber [Wed, 22 Jul 2020 17:05:49 +0000 (13:05 -0400)]
Merge pull request #3495 from siv0/boot_id_remount_apparmor_fix
apparmor: Allow ro remount of boot_id
Stoiko Ivanov [Wed, 22 Jul 2020 10:17:24 +0000 (12:17 +0200)]
apparmor: Allow ro remount of boot_id
The rule added in
863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
necessary mount calls for /proc/sys/kernel/random/boot_id
(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Christian Brauner [Wed, 22 Jul 2020 08:46:05 +0000 (10:46 +0200)]
start: simplify gotos
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 12:50:38 +0000 (14:50 +0200)]
tree-wide: hide further unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:57:16 +0000 (13:57 +0200)]
storage: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:45:37 +0000 (13:45 +0200)]
arguments: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:40:57 +0000 (13:40 +0200)]
lsm: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:28:08 +0000 (13:28 +0200)]
cgroups: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:19:03 +0000 (13:19 +0200)]
uuid: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 11:15:25 +0000 (13:15 +0200)]
utils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 10:44:09 +0000 (12:44 +0200)]
terminal: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 10:37:28 +0000 (12:37 +0200)]
sync: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 10:30:53 +0000 (12:30 +0200)]
state: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 21 Jul 2020 10:24:45 +0000 (12:24 +0200)]
start: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:49:55 +0000 (18:49 +0200)]
ringbuf: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:46:13 +0000 (18:46 +0200)]
rexec: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:45:02 +0000 (18:45 +0200)]
process_utils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:38:05 +0000 (18:38 +0200)]
parse: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:25:57 +0000 (18:25 +0200)]
network: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:11:02 +0000 (18:11 +0200)]
namespace: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 16:09:19 +0000 (18:09 +0200)]
monitor: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 15:47:58 +0000 (17:47 +0200)]
mainloop: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 15:26:12 +0000 (17:26 +0200)]
lxcseccomp: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 15:22:31 +0000 (17:22 +0200)]
lxclock: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:45:34 +0000 (16:45 +0200)]
log: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:32:52 +0000 (16:32 +0200)]
initutils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:21:38 +0000 (16:21 +0200)]
file_utils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:11:48 +0000 (16:11 +0200)]
error: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:11:14 +0000 (16:11 +0200)]
criu: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Mon, 20 Jul 2020 14:10:28 +0000 (16:10 +0200)]
confile_utils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Sat, 18 Jul 2020 17:07:31 +0000 (19:07 +0200)]
confile: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Sat, 18 Jul 2020 15:09:46 +0000 (11:09 -0400)]
Merge pull request #3490 from brauner/master
lxc-ls: bugfixes
Christian Brauner [Sat, 18 Jul 2020 11:27:14 +0000 (13:27 +0200)]
lxc-ls: bugfixes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Fri, 17 Jul 2020 23:03:59 +0000 (19:03 -0400)]
Makefile.am: Fix typo
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Stéphane Graber [Fri, 17 Jul 2020 22:30:47 +0000 (18:30 -0400)]
Merge pull request #3488 from brauner/2020-07-17/fixes
hide unnecessary symbols I
Christian Brauner [Fri, 17 Jul 2020 21:50:55 +0000 (23:50 +0200)]
conf: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:31:33 +0000 (23:31 +0200)]
commands_utils: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:26:52 +0000 (23:26 +0200)]
commands: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:17:00 +0000 (23:17 +0200)]
caps: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:16:08 +0000 (23:16 +0200)]
attach: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:14:38 +0000 (23:14 +0200)]
af_unix: hide unnecessary symbols
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 21:12:28 +0000 (23:12 +0200)]
string_utils: make all helpers hidden
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 20:50:51 +0000 (22:50 +0200)]
compiler: add and use __hidden visbility
Closes: #3485.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 20:18:26 +0000 (22:18 +0200)]
network: remove unused variable
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 17 Jul 2020 12:13:26 +0000 (14:13 +0200)]
Merge pull request #3487 from samboyles1/master
Improve efficiency of lxc_ifname_alnum_case_sensitive
Sam Boyles [Fri, 17 Jul 2020 02:26:51 +0000 (14:26 +1200)]
Improve efficiency of lxc_ifname_alnum_case_sensitive
To detect if a newly generated interface name is a duplicate of an existing interface lxc_ifname_alnum_case_sensitive() currently gets a list of all interfaces using netns_getifaddrs(). When the system has a small number of interfaces this works fine, however when there are thousands or tens of thousands of interfaces this quickly becomes less than optimal.
As we only need to check if an interface name exists, and do not need the detailed information about the interfaces provided by netns_getifaddrs(), we can instead use the if_nametoindex() function, which is much more efficient.
Signed-off-by: Sam Boyles <sam.boyles@alliedtelesis.co.nz>
Stéphane Graber [Thu, 16 Jul 2020 22:09:51 +0000 (18:09 -0400)]
Merge pull request #3486 from brauner/2020-07-16/license
autotools: include COPYING file