drop patch adding depreacated syslog.target ordering to lxc.service
authorThomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 5 May 2023 10:15:30 +0000 (12:15 +0200)
committerThomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 5 May 2023 10:17:07 +0000 (12:17 +0200)
That target no longer exists, and log availability is normally guaranteed anyway through systemd-journald's socket auto-activation, so no explicit ordering of lxc.service after a syslog unit is needed.

Fixes a lintian warning.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
debian/patches/pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch [new file with mode: 0644]
debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch [deleted file]
debian/patches/pve/0002-PVE-Config-attach-always-use-getent.patch [new file with mode: 0644]
debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch [deleted file]
debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch [deleted file]
debian/patches/series

diff --git a/debian/patches/pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
new file mode 100644 (file)
index 0000000..d0255cd
--- /dev/null
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Wed, 9 Nov 2016 09:14:26 +0100
+Subject: [PATCH 2/3] PVE: [Config] deny rw mounting of /sys and /proc
+
+Note that we don't actually make use of this anymore, since
+we switched to the generated profiles which already do this.
+
+this would allow root in a privileged container to change
+the permissions of /sys on the host, which could lock out
+non-root users.
+
+if a rw /sys is desired, set "lxc.mount.auto" accordingly
+---
+ config/apparmor/abstractions/container-base    | 6 +++++-
+ config/apparmor/abstractions/container-base.in | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
+index 077476559..fbd70fdf5 100644
+--- a/config/apparmor/abstractions/container-base
++++ b/config/apparmor/abstractions/container-base
+@@ -82,7 +82,6 @@
+   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+   mount fstype=proc -> /proc/,
+   mount fstype=sysfs -> /sys/,
+-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
+@@ -91,6 +90,11 @@
+   # deny reads from debugfs
+   deny /sys/kernel/debug/{,**} rwklx,
++  # prevent rw mounting of /sys, because that allows changing its global permissions
++  deny mount -> /proc/,
++  deny mount -> /sys/,
++#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
++
+   # allow paths to be made slave, shared, private or unbindable
+   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+ #  mount options=(rw,make-slave) -> **,
+diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
+index 2606fb64c..3e61c62ea 100644
+--- a/config/apparmor/abstractions/container-base.in
++++ b/config/apparmor/abstractions/container-base.in
+@@ -83,7 +83,6 @@
+   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+   mount fstype=proc -> /proc/,
+   mount fstype=sysfs -> /sys/,
+-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
+   deny /sys/firmware/efi/efivars/** rwklx,
+   deny /sys/kernel/security/** rwklx,
+   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
+@@ -91,6 +90,11 @@
+   # deny reads from debugfs
+   deny /sys/kernel/debug/{,**} rwklx,
++  # prevent rw mounting of /sys, because that allows changing its global permissions
++  deny mount -> /proc/,
++  deny mount -> /sys/,
++#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
++
+   # allow paths to be made slave, shared, private or unbindable
+   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
+ #  mount options=(rw,make-slave) -> **,
+-- 
+2.30.2
+
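Review bot: The renamed patch still carries `Subject: [PATCH 2/3] PVE: [Config] deny rw mounting of /sys and /proc` on its new side although the file is now 0001 and the series holds only two PVE patches; the same stale numbering applies to the renamed 0002 file (`[PATCH 3/3]`). Regenerating the patches with `git format-patch` from the rebased branch, or editing the Subject line to `[PATCH 1/2]`, keeps the file name and the patch header consistent. The patch body itself is unchanged by this commit, so nothing else in the hunk needs attention here.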
diff --git a/debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch b/debian/patches/pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
deleted file mode 100644 (file)
index ca7d598..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 1/3] PVE: [Config] lxc.service: start after a potential
- syslog.service
-
-We could add this as a snippet from pve-container instead.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- config/init/systemd/lxc.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index 397a6c4d0..6924374d9 100644
---- a/config/init/systemd/lxc.service.in
-+++ b/config/init/systemd/lxc.service.in
-@@ -1,6 +1,6 @@
- [Unit]
- Description=LXC Container Initialization and Autoboot Code
--After=network.target lxc-net.service remote-fs.target
-+After=network.target lxc-net.service remote-fs.target syslog.target
- Wants=lxc-net.service
- Documentation=man:lxc-autostart man:lxc
--- 
-2.30.2
-
diff --git a/debian/patches/pve/0002-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0002-PVE-Config-attach-always-use-getent.patch
new file mode 100644 (file)
index 0000000..26f5162
--- /dev/null
@@ -0,0 +1,78 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Tue, 13 Aug 2019 13:57:22 +0200
+Subject: [PATCH 3/3] PVE: [Config] attach: always use getent
+
+In debian buster, some libnss plugins (if installed) can
+cause getpwent to segfault instead of erroring out cleanly.
+To avoid this, stick to always using getent.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+---
+ src/lxc/attach.c | 29 ++---------------------------
+ 1 file changed, 2 insertions(+), 27 deletions(-)
+
+diff --git a/src/lxc/attach.c b/src/lxc/attach.c
+index f086e96c4..9969f2d8e 100644
+--- a/src/lxc/attach.c
++++ b/src/lxc/attach.c
+@@ -1843,45 +1843,21 @@ int lxc_attach_run_command(void *payload)
+ int lxc_attach_run_shell(void* payload)
+ {
+-      __do_free char *buf = NULL;
+       uid_t uid;
+-      struct passwd pwent;
+-      struct passwd *pwentp = NULL;
+       char *user_shell;
+-      ssize_t bufsize;
+-      int ret;
+       /* Ignore payload parameter. */
+       (void)payload;
+       uid = getuid();
+-      bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+-      if (bufsize < 0)
+-              bufsize = 1024;
+-
+-      buf = malloc(bufsize);
+-      if (buf) {
+-              ret = getpwuid_r(uid, &pwent, buf, bufsize, &pwentp);
+-              if (!pwentp) {
+-                      if (ret == 0)
+-                              WARN("Could not find matched password record");
+-
+-                      WARN("Failed to get password record - %u", uid);
+-              }
+-      }
+-
+       /* This probably happens because of incompatible nss implementations in
+        * host and container (remember, this code is still using the host's
+        * glibc but our mount namespace is in the container) we may try to get
+        * the information by spawning a [getent passwd uid] process and parsing
+        * the result.
+        */
+-      if (!pwentp)
+-              user_shell = lxc_attach_getpwshell(uid);
+-      else
+-              user_shell = pwent.pw_shell;
+-
++      user_shell = lxc_attach_getpwshell(uid);
+       if (user_shell)
+               execlp(user_shell, user_shell, (char *)NULL);
+@@ -1891,8 +1867,7 @@ int lxc_attach_run_shell(void* payload)
+       execlp("/bin/sh", "/bin/sh", (char *)NULL);
+       SYSERROR("Failed to execute shell");
+-      if (!pwentp)
+-              free(user_shell);
++      free(user_shell);
+       return -1;
+ }
+-- 
+2.30.2
+
diff --git a/debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
deleted file mode 100644 (file)
index d0255cd..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
-Date: Wed, 9 Nov 2016 09:14:26 +0100
-Subject: [PATCH 2/3] PVE: [Config] deny rw mounting of /sys and /proc
-
-Note that we don't actually make use of this anymore, since
-we switched to the generated profiles which already do this.
-
-this would allow root in a privileged container to change
-the permissions of /sys on the host, which could lock out
-non-root users.
-
-if a rw /sys is desired, set "lxc.mount.auto" accordingly
----
- config/apparmor/abstractions/container-base    | 6 +++++-
- config/apparmor/abstractions/container-base.in | 6 +++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base
-index 077476559..fbd70fdf5 100644
---- a/config/apparmor/abstractions/container-base
-+++ b/config/apparmor/abstractions/container-base
-@@ -82,7 +82,6 @@
-   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-   mount fstype=proc -> /proc/,
-   mount fstype=sysfs -> /sys/,
--  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-   deny /sys/firmware/efi/efivars/** rwklx,
-   deny /sys/kernel/security/** rwklx,
-   mount options=(move) /sys/fs/cgroup/cgmanager/ -> /sys/fs/cgroup/cgmanager.lower/,
-@@ -91,6 +90,11 @@
-   # deny reads from debugfs
-   deny /sys/kernel/debug/{,**} rwklx,
-+  # prevent rw mounting of /sys, because that allows changing its global permissions
-+  deny mount -> /proc/,
-+  deny mount -> /sys/,
-+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-+
-   # allow paths to be made slave, shared, private or unbindable
-   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
- #  mount options=(rw,make-slave) -> **,
-diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in
-index 2606fb64c..3e61c62ea 100644
---- a/config/apparmor/abstractions/container-base.in
-+++ b/config/apparmor/abstractions/container-base.in
-@@ -83,7 +83,6 @@
-   deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-   mount fstype=proc -> /proc/,
-   mount fstype=sysfs -> /sys/,
--  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-   deny /sys/firmware/efi/efivars/** rwklx,
-   deny /sys/kernel/security/** rwklx,
-   mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
-@@ -91,6 +90,11 @@
-   # deny reads from debugfs
-   deny /sys/kernel/debug/{,**} rwklx,
-+  # prevent rw mounting of /sys, because that allows changing its global permissions
-+  deny mount -> /proc/,
-+  deny mount -> /sys/,
-+#  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-+
-   # allow paths to be made slave, shared, private or unbindable
-   # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
- #  mount options=(rw,make-slave) -> **,
--- 
-2.30.2
-
diff --git a/debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0003-PVE-Config-attach-always-use-getent.patch
deleted file mode 100644 (file)
index 26f5162..0000000
+++ /dev/null
@@ -1,78 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Date: Tue, 13 Aug 2019 13:57:22 +0200
-Subject: [PATCH 3/3] PVE: [Config] attach: always use getent
-
-In debian buster, some libnss plugins (if installed) can
-cause getpwent to segfault instead of erroring out cleanly.
-To avoid this, stick to always using getent.
-
-Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
----
- src/lxc/attach.c | 29 ++---------------------------
- 1 file changed, 2 insertions(+), 27 deletions(-)
-
-diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index f086e96c4..9969f2d8e 100644
---- a/src/lxc/attach.c
-+++ b/src/lxc/attach.c
-@@ -1843,45 +1843,21 @@ int lxc_attach_run_command(void *payload)
- int lxc_attach_run_shell(void* payload)
- {
--      __do_free char *buf = NULL;
-       uid_t uid;
--      struct passwd pwent;
--      struct passwd *pwentp = NULL;
-       char *user_shell;
--      ssize_t bufsize;
--      int ret;
-       /* Ignore payload parameter. */
-       (void)payload;
-       uid = getuid();
--      bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
--      if (bufsize < 0)
--              bufsize = 1024;
--
--      buf = malloc(bufsize);
--      if (buf) {
--              ret = getpwuid_r(uid, &pwent, buf, bufsize, &pwentp);
--              if (!pwentp) {
--                      if (ret == 0)
--                              WARN("Could not find matched password record");
--
--                      WARN("Failed to get password record - %u", uid);
--              }
--      }
--
-       /* This probably happens because of incompatible nss implementations in
-        * host and container (remember, this code is still using the host's
-        * glibc but our mount namespace is in the container) we may try to get
-        * the information by spawning a [getent passwd uid] process and parsing
-        * the result.
-        */
--      if (!pwentp)
--              user_shell = lxc_attach_getpwshell(uid);
--      else
--              user_shell = pwent.pw_shell;
--
-+      user_shell = lxc_attach_getpwshell(uid);
-       if (user_shell)
-               execlp(user_shell, user_shell, (char *)NULL);
-@@ -1891,8 +1867,7 @@ int lxc_attach_run_shell(void* payload)
-       execlp("/bin/sh", "/bin/sh", (char *)NULL);
-       SYSERROR("Failed to execute shell");
--      if (!pwentp)
--              free(user_shell);
-+      free(user_shell);
-       return -1;
- }
--- 
-2.30.2
-
index 5b4d149e70cfb2bc802e88d8adbc08c61c488bd7..38251d7b21f1f357fa8c3e7121db5257c8bf520f 100644 (file)
@@ -1,4 +1,3 @@
 extra/0001-apparmor-don-t-try-to-mmap-empty-files.patch
-pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch
-pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
-pve/0003-PVE-Config-attach-always-use-getent.patch
+pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
+pve/0002-PVE-Config-attach-always-use-getent.patch