From: Wolfgang Bumiller
Date: Fri, 12 May 2017 13:03:55 +0000 (+0200)
Subject: bump version to 2.0.8-1
X-Git-Url: https://git.proxmox.com/?p=lxc.git;a=commitdiff_plain;h=7395ab25d1b1aa50fafa9db5245bd21af71eb2a8;hp=6047286ba40d6ef11d9f26f3f8647f4c53e7be54
bump version to 2.0.8-1
---
diff --git a/Makefile b/Makefile
index 4a56d62..14f0592 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 PACKAGE=lxc-pve
-LXCVER=2.0.7
-DEBREL=500
+LXCVER=2.0.8
+DEBREL=1
 SRCDIR=lxc
 SRCTAR=${SRCDIR}.tgz
diff --git a/debian/changelog b/debian/changelog
index 309a0df..34c3039 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lxc (2.0.8-1) unstable; urgency=medium
+
+  * update to lxc-2.0.8
+
+ -- Proxmox Support Team Fri, 12 May 2017 14:59:15 +0200
+
 lxc (2.0.7-500) unstable; urgency=medium
   * bump version for stretch
diff --git a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
index 05f55ae..fb6d2ff 100644
--- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
+++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch
@@ -1,7 +1,7 @@
-From 10bc10054434f20870f812bb710eef5b5e22040b Mon Sep 17 00:00:00 2001
+From a070120ceba622b1834ad2693376256ba177f249 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller
 Date: Fri, 10 Feb 2017 09:13:40 +0100
-Subject: [PATCH 1/9] lxc.service: start after a potential syslog.service
+Subject: [PATCH 1/8] lxc.service: start after a potential syslog.service
 Signed-off-by: Wolfgang Bumiller
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index cd61996..7754191 100644
+index cd619967..77541917 100644
 --- a/config/init/systemd/lxc.service.in
 +++ b/config/init/systemd/lxc.service.in
 @@ -1,6 +1,6 @@
@@ -21,5 +21,5 @@ index cd61996..7754191 100644
 Documentation=man:lxc-autostart man:lxc
 --
-2.1.4
+2.11.0
diff --git a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
index a91aa4d..af17f84 100644
--- a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
+++ b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch
@@ -1,7 +1,7 @@
-From e68a4291abec1c140fffbc8c954ff9596b17aad4 Mon Sep 17 00:00:00 2001
+From de03e2bff16699c10f1c3a80e4c84a44c0a32bc0 Mon Sep 17 00:00:00 2001
 From: Wolfgang Bumiller
 Date: Fri, 10 Feb 2017 09:14:55 +0100
-Subject: [PATCH 2/9] jessie/systemd: remove Delegate flag to silence warnings
+Subject: [PATCH 2/8] jessie/systemd: remove Delegate flag to silence warnings
 Signed-off-by: Wolfgang Bumiller
 ---
@@ -10,7 +10,7 @@ Signed-off-by: Wolfgang Bumiller
 2 files changed, 2 deletions(-)
 diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
-index 7754191..bdd5828 100644
+index 77541917..bdd58283 100644
 --- a/config/init/systemd/lxc.service.in
 +++ b/config/init/systemd/lxc.service.in
 @@ -12,7 +12,6 @@ ExecStart=@LIBEXECDIR@/lxc/lxc-containers start
@@ -22,7 +22,7 @@ index 7754191..bdd5828 100644
 StandardError=syslog
 diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in
-index 44d11e8..6b8b5ff 100644
+index 44d11e8e..6b8b5ff1 100644
 --- a/config/init/systemd/lxc@.service.in
 +++ b/config/init/systemd/lxc@.service.in
 @@ -13,7 +13,6 @@ TimeoutStopSec=120s
@@ -34,5 +34,5 @@ index 44d11e8..6b8b5ff 100644
 StandardError=syslog
 --
-2.1.4
+2.11.0
diff --git a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
index c6b6e92..4dafb93 100644
--- a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch
+++ b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch @@ -1,7 +1,7 @@ -From 6b3de84e0654c3b0b13166d63af9961a3a757c6e Mon Sep 17 00:00:00 2001 +From 405bcb676e3eb07e2e2efab45b15cdc8b799b15c Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:15:37 +0100 -Subject: [PATCH 3/9] pve: run lxcnetaddbr when instantiating veths +Subject: [PATCH 3/8] pve: run lxcnetaddbr when instantiating veths FIXME: Why aren't we using regular up-scripts? @@ -11,10 +11,10 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index a93124b..c4079bb 100644 +index 923a4d90..3bedcf0f 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c -@@ -2683,8 +2683,13 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd +@@ -2742,8 +2742,13 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd "veth", veth1, (char*) NULL); if (err) goto out_delete; @@ -30,5 +30,5 @@ index a93124b..c4079bb 100644 veth1, veth2, netdev->ifindex); -- -2.1.4 +2.11.0 diff --git a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch index eb271c8..656ed0c 100644 --- a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ -From e7d6b0d2384070f2c34a46aaa20250ce31f96c9c Mon Sep 17 00:00:00 2001 +From 05337fbce533630e978904db57601eedf498b776 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH 4/9] deny rw mounting of /sys and /proc +Subject: [PATCH 4/8] deny rw mounting of /sys and /proc this would allow root in a privileged container to change the permissions of /sys on the host, which could lock out @@ -14,7 +14,7 @@ if a rw /sys is desired, set "lxc.mount.auto" accordingly 2 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base -index 06290de..779aadd 100644 +index 06290de2..779aadd4 100644 --- a/config/apparmor/abstractions/container-base +++ b/config/apparmor/abstractions/container-base @@ -84,7 +84,6 @@ @@ -38,7 +38,7 @@ index 06290de..779aadd 100644 # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # mount options=(rw,make-slave) -> **, diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in -index 5bc9b28..5c8e441 100644 +index 5bc9b28b..5c8e441f 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in @@ -84,7 +84,6 @@ @@ -62,5 +62,5 @@ index 5bc9b28..5c8e441 100644 # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # mount options=(rw,make-slave) -> **, -- -2.1.4 +2.11.0 diff --git a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch index 51402b5..76054d4 100644 --- a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch +++ b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch @@ -1,7 +1,7 @@ -From 6adbaea0d07553932f4cd78b5530cd5291c3b41f Mon Sep 17 00:00:00 2001 +From 5ceb26ec765edb81aba25b9db4fc5ede0d7a0375 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 15 Nov 2016 09:20:24 +0100 -Subject: [PATCH 5/9] separate the limiting from the namespaced cgroup root +Subject: [PATCH 5/8] separate the limiting from the namespaced cgroup root When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root @@ -26,7 +26,7 @@ Signed-off-by: Wolfgang Bumiller 9 files changed, 219 insertions(+), 77 deletions(-) 
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c -index 8499200..b78b78d 100644 +index 3bfa5239..f305a561 100644 --- a/src/lxc/cgroups/cgfs.c +++ b/src/lxc/cgroups/cgfs.c @@ -2383,12 +2383,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf) @@ -96,7 +96,7 @@ index 8499200..b78b78d 100644 return false; diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index 2b772e2..f7df3cf 100644 +index ebd548b9..b26e1b27 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -72,6 +72,7 @@ struct hierarchy { @@ -107,7 +107,7 @@ index 2b772e2..f7df3cf 100644 }; /* -@@ -814,6 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup) +@@ -820,6 +821,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup) new->mountpoint = mountpoint; new->base_cgroup = base_cgroup; new->fullcgpath = NULL; @@ -115,7 +115,7 @@ index 2b772e2..f7df3cf 100644 newentry = append_null_to_list((void ***)&hierarchies); hierarchies[newentry] = new; -@@ -1286,6 +1288,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) +@@ -1304,6 +1306,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf) free(h->fullcgpath); h->fullcgpath = NULL; } @@ -124,7 +124,7 @@ index 2b772e2..f7df3cf 100644 } } -@@ -1299,18 +1303,25 @@ struct cgroup_ops *cgfsng_ops_init(void) +@@ -1321,18 +1325,25 @@ struct cgroup_ops *cgfsng_ops_init(void) return &cgfsng_ops; } @@ -156,7 +156,7 @@ index 2b772e2..f7df3cf 100644 } static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) -@@ -1325,7 +1336,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) +@@ -1347,7 +1358,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname) * Try to create the same cgroup in all hierarchies. * Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999 */ 
@@ -166,7 +166,7 @@ index 2b772e2..f7df3cf 100644 { struct cgfsng_handler_data *d = hdata; char *tmp, *cgname, *offset; -@@ -1335,9 +1347,15 @@ static inline bool cgfsng_create(void *hdata) +@@ -1357,9 +1369,15 @@ static inline bool cgfsng_create(void *hdata) if (!d) return false; if (d->container_cgroup) { @@ -182,7 +182,7 @@ index 2b772e2..f7df3cf 100644 tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern); if (!tmp) { -@@ -1358,7 +1376,7 @@ again: +@@ -1380,7 +1398,7 @@ again: if (idx) snprintf(offset, 5, "-%d", idx); for (i = 0; hierarchies[i]; i++) { @@ -191,7 +191,7 @@ index 2b772e2..f7df3cf 100644 int j; SYSERROR("Failed to create %s: %s", hierarchies[i]->fullcgpath, strerror(errno)); free(hierarchies[i]->fullcgpath); -@@ -1378,7 +1396,24 @@ out_free: +@@ -1400,7 +1418,24 @@ out_free: return false; } @@ -217,7 +217,7 @@ index 2b772e2..f7df3cf 100644 { char pidstr[25]; int i, len; -@@ -1388,7 +1423,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) +@@ -1410,7 +1445,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid) return false; for (i = 0; hierarchies[i]; i++) { @@ -232,7 +232,7 @@ index 2b772e2..f7df3cf 100644 "cgroup.procs", NULL); if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) { SYSERROR("Failed to enter %s", fullpath); -@@ -1404,6 +1445,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid) +@@ -1426,6 +1467,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid) struct chown_data { struct cgfsng_handler_data *d; uid_t origuid; // target uid in parent namespace @@ -240,7 +240,7 @@ index 2b772e2..f7df3cf 100644 }; /* -@@ -1432,13 +1474,20 @@ static int chown_cgroup_wrapper(void *data) +@@ -1454,13 +1496,20 @@ static int chown_cgroup_wrapper(void *data) for (i = 0; hierarchies[i]; i++) { char *fullpath, *path = hierarchies[i]->fullcgpath; 
@@ -261,7 +261,7 @@ index 2b772e2..f7df3cf 100644 return -1; } -@@ -1462,12 +1511,14 @@ static int chown_cgroup_wrapper(void *data) +@@ -1484,12 +1533,14 @@ static int chown_cgroup_wrapper(void *data) if (chmod(fullpath, 0664) < 0) WARN("Error chmoding %s: %m", path); free(fullpath); @@ -277,7 +277,7 @@ index 2b772e2..f7df3cf 100644 { struct cgfsng_handler_data *d = hdata; struct chown_data wrap; -@@ -1480,6 +1531,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) +@@ -1502,6 +1553,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf) wrap.d = d; wrap.origuid = geteuid(); @@ -285,7 +285,7 @@ index 2b772e2..f7df3cf 100644 if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap) < 0) { ERROR("Error requesting cgroup chown in new namespace"); -@@ -1774,12 +1826,15 @@ static bool cgfsng_unfreeze(void *hdata) +@@ -1796,12 +1848,15 @@ static bool cgfsng_unfreeze(void *hdata) return true; } @@ -302,7 +302,7 @@ index 2b772e2..f7df3cf 100644 return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL; } -@@ -1814,7 +1869,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) +@@ -1836,7 +1891,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid) char *path, *fullpath; struct hierarchy *h = hierarchies[i]; @@ -312,7 +312,7 @@ index 2b772e2..f7df3cf 100644 continue; diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c -index f2756b0..ac966b6 100644 +index f2756b07..ac966b6f 100644 --- a/src/lxc/cgroups/cgmanager.c +++ b/src/lxc/cgroups/cgmanager.c @@ -609,7 +609,7 @@ static inline void cleanup_cgroups(char *path) @@ -382,7 +382,7 @@ index f2756b0..ac966b6 100644 return false; if (!cgm_dbus_connect()) { diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c -index 78472d4..4d26e72 100644 +index 78472d4f..4d26e720 100644 --- a/src/lxc/cgroups/cgroup.c +++ b/src/lxc/cgroups/cgroup.c @@ -80,10 +80,10 @@ void cgroup_destroy(struct lxc_handler *handler) 
@@ -438,7 +438,7 @@ index 78472d4..4d26e72 100644 } diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index 11b251e..f36c6f0 100644 +index 11b251e6..f36c6f02 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -28,6 +28,12 @@ @@ -497,10 +497,10 @@ index 11b251e..f36c6f0 100644 extern int cgroup_num_hierarchies(); extern bool cgroup_get_hierarchies(int i, char ***out); diff --git a/src/lxc/commands.c b/src/lxc/commands.c -index b17879b..5ef682f 100644 +index 27c8c084..0eb2741f 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c -@@ -128,15 +128,15 @@ static int fill_sock_name(char *path, int len, const char *name, +@@ -133,15 +133,15 @@ static int fill_sock_name(char *path, int len, const char *lxcname, static const char *lxc_cmd_str(lxc_cmd_t cmd) { static const char * const cmdname[LXC_CMD_MAX] = { @@ -525,7 +525,7 @@ index b17879b..5ef682f 100644 }; if (cmd >= LXC_CMD_MAX) -@@ -429,30 +429,28 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, +@@ -437,30 +437,28 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, return lxc_cmd_rsp_send(fd, &rsp); } @@ -569,7 +569,7 @@ index b17879b..5ef682f 100644 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); if (ret < 0) return NULL; -@@ -471,16 +469,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, +@@ -479,16 +477,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, return cmd.rsp.data; } @@ -613,7 +613,7 @@ index b17879b..5ef682f 100644 if (!path) return -1; rsp.datalen = strlen(path) + 1, -@@ -491,6 +515,24 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, +@@ -499,6 +523,24 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, } /* 
@@ -638,7 +638,7 @@ index b17879b..5ef682f 100644 * lxc_cmd_get_config_item: Get config item the running container * * @name : name of container to connect to -@@ -841,16 +883,16 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, +@@ -849,16 +891,16 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *); callback cb[LXC_CMD_MAX] = { @@ -666,7 +666,7 @@ index b17879b..5ef682f 100644 if (req->cmd >= LXC_CMD_MAX) { diff --git a/src/lxc/commands.h b/src/lxc/commands.h -index 184eefa..6430b33 100644 +index 184eefa0..6430b334 100644 --- a/src/lxc/commands.h +++ b/src/lxc/commands.h @@ -77,6 +77,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, @@ -679,7 +679,7 @@ index 184eefa..6430b33 100644 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); extern char *lxc_cmd_get_name(const char *hashed_sock); diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 8a0702f..5843f97 100644 +index d757bef6..64512193 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -283,7 +283,7 @@ static void exec_criu(struct criu_opts *opts) @@ -691,7 +691,7 @@ index 8a0702f..5843f97 100644 if (!p) { ERROR("failed to get cgroup path for %s", controllers[0]); goto err; -@@ -795,7 +795,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ +@@ -805,7 +805,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ goto out_fini_handler; } @@ -701,10 +701,10 @@ index 8a0702f..5843f97 100644 goto out_fini_handler; } diff --git a/src/lxc/start.c b/src/lxc/start.c -index c2c14a7..e889421 100644 +index bca7f8eb..2d7df0e7 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1104,7 +1104,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1115,7 +1115,7 @@ static int lxc_spawn(struct lxc_handler *handler) cgroups_connected = true; 
@@ -713,7 +713,7 @@ index c2c14a7..e889421 100644 ERROR("Failed creating cgroups."); goto out_delete_net; } -@@ -1191,10 +1191,10 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1202,10 +1202,10 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } @@ -726,7 +726,7 @@ index c2c14a7..e889421 100644 goto out_delete_net; if (failed_before_rename) -@@ -1237,6 +1237,21 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1248,6 +1248,21 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } @@ -749,5 +749,5 @@ index c2c14a7..e889421 100644 cgroups_connected = false; -- -2.1.4 +2.11.0 diff --git a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch index ca114da..739cf9f 100644 --- a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch +++ b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch @@ -1,7 +1,7 @@ -From af72260927efd412210ec85842e1ef70ccc0c5e8 Mon Sep 17 00:00:00 2001 +From 2b4c8a851ae299a840af3e5e0cdf128ea205b5a4 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 16 Nov 2016 09:53:42 +0100 -Subject: [PATCH 6/9] start/initutils: make cgroupns separation level +Subject: [PATCH 6/8] start/initutils: make cgroupns separation level configurable Adds a new global config variable `lxc.cgroup.separate` @@ -17,7 +17,7 @@ Signed-off-by: Wolfgang Bumiller 3 files changed, 26 insertions(+), 20 deletions(-) diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c -index 8d9016c..0630293 100644 +index 8d9016cd..06302935 100644 --- a/src/lxc/initutils.c +++ b/src/lxc/initutils.c @@ -88,14 +88,15 @@ static char *copy_global_config_value(char *p) @@ -45,7 +45,7 @@ index 8d9016c..0630293 100644 }; diff --git a/src/lxc/initutils.h b/src/lxc/initutils.h -index c021fd6..443ad02 100644 +index c021fd61..443ad026 100644 --- a/src/lxc/initutils.h 
+++ b/src/lxc/initutils.h @@ -43,6 +43,7 @@ @@ -57,10 +57,10 @@ index c021fd6..443ad02 100644 extern void lxc_setup_fs(void); extern const char *lxc_global_config_value(const char *option_name); diff --git a/src/lxc/start.c b/src/lxc/start.c -index e889421..4217c5d 100644 +index 2d7df0e7..a909c631 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1050,6 +1050,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1061,6 +1061,7 @@ static int lxc_spawn(struct lxc_handler *handler) int saved_ns_fd[LXC_NS_MAX]; int preserve_mask = 0, i, flags; int netpipepair[2], nveths; @@ -68,7 +68,7 @@ index e889421..4217c5d 100644 netpipe = -1; -@@ -1113,7 +1114,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1124,7 +1125,7 @@ static int lxc_spawn(struct lxc_handler *handler) * it readonly. * If the container is unprivileged then skip rootfs pinning. */ @@ -77,7 +77,7 @@ index e889421..4217c5d 100644 handler->pinfd = pin_rootfs(handler->conf->rootfs.path); if (handler->pinfd == -1) INFO("Failed to pin the rootfs for container \"%s\".", handler->name); -@@ -1238,17 +1239,20 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1249,17 +1250,20 @@ static int lxc_spawn(struct lxc_handler *handler) } if (cgns_supported()) { @@ -110,5 +110,5 @@ index e889421..4217c5d 100644 } -- -2.1.4 +2.11.0 diff --git a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch index 0421cb5..1e6edbb 100644 --- a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch +++ b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch @@ -1,7 +1,7 @@ -From 3790507952f3cda5c6dd9bb6f87c80d9b0ddadf7 Mon Sep 17 00:00:00 2001 +From adf5f6720c85fe7059ff98942c136846b16880eb Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 23 Dec 2016 15:57:24 +0100 -Subject: [PATCH 7/9] rename cgroup namespace directory to ns +Subject: [PATCH 7/8] rename cgroup namespace directory to ns 
Signed-off-by: Wolfgang Bumiller --- @@ -9,7 +9,7 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index f36c6f0..2c504c8 100644 +index f36c6f02..2c504c81 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -32,7 +32,7 @@ @@ -22,5 +22,5 @@ index f36c6f0..2c504c8 100644 struct lxc_handler; struct lxc_conf; -- -2.1.4 +2.11.0 diff --git a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch index 2119d45..7081220 100644 --- a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch +++ b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch @@ -1,7 +1,7 @@ -From 24af6aaf126f63229b3f9289b7dba58b3f07e847 Mon Sep 17 00:00:00 2001 +From eea36cafdc53b5ed2200ea0910f4222bc4e7891f Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 10:23:36 +0100 -Subject: [PATCH 8/9] possibility to run lxc-monitord as a regular daemon +Subject: [PATCH 8/8] possibility to run lxc-monitord as a regular daemon This includes an lxc-monitord.service, required by lxc@.service which is now of Type=forking. @@ -30,7 +30,7 @@ Signed-off-by: Wolfgang Bumiller create mode 100644 config/init/systemd/lxc-monitord.service.in diff --git a/config/init/systemd/Makefile.am b/config/init/systemd/Makefile.am -index c448850..4a4fde5 100644 +index c448850d..4a4fde5e 100644 --- a/config/init/systemd/Makefile.am +++ b/config/init/systemd/Makefile.am @@ -2,19 +2,21 @@ EXTRA_DIST = \ @@ -61,7 +61,7 @@ index c448850..4a4fde5 100644 pkglibexec_SCRIPTS = lxc-apparmor-load diff --git a/config/init/systemd/lxc-monitord.service.in b/config/init/systemd/lxc-monitord.service.in new file mode 100644 -index 0000000..4063516 +index 00000000..40635168 --- /dev/null +++ b/config/init/systemd/lxc-monitord.service.in @@ -0,0 +1,12 @@ 
@@ -78,7 +78,7 @@ index 0000000..4063516 +[Install] +WantedBy=multi-user.target diff --git a/config/init/systemd/lxc@.service.in b/config/init/systemd/lxc@.service.in -index 6b8b5ff..c35526b 100644 +index 6b8b5ff1..c35526b3 100644 --- a/config/init/systemd/lxc@.service.in +++ b/config/init/systemd/lxc@.service.in @@ -1,16 +1,17 @@ @@ -103,10 +103,10 @@ index 6b8b5ff..c35526b 100644 # Environment=CONSOLETYPE=serial StandardOutput=syslog diff --git a/configure.ac b/configure.ac -index 42ece7a..c6b2a78 100644 +index bd2d82f6..fa3926a9 100644 --- a/configure.ac +++ b/configure.ac -@@ -694,6 +694,7 @@ AC_CONFIG_FILES([ +@@ -697,6 +697,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service @@ -115,7 +115,7 @@ index 42ece7a..c6b2a78 100644 config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net diff --git a/lxc.spec.in b/lxc.spec.in -index 0e64907..f35d81c 100644 +index 0e64907e..f35d81ca 100644 --- a/lxc.spec.in +++ b/lxc.spec.in @@ -259,6 +259,7 @@ fi @@ -127,7 +127,7 @@ index 0e64907..f35d81c 100644 %{_sysconfdir}/rc.d/init.d/lxc %{_sysconfdir}/rc.d/init.d/lxc-net diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c -index 62e2121..ad40dbe 100644 +index 62e21211..ad40dbef 100644 --- a/src/lxc/lxc_monitord.c +++ b/src/lxc/lxc_monitord.c @@ -344,16 +344,43 @@ static void lxc_monitord_sig_handler(int sig) @@ -225,5 +225,5 @@ index 62e2121..ad40dbe 100644 NOTICE("No remaining clients. lxc-monitord is exiting."); break; -- -2.1.4 +2.11.0 diff --git a/debian/patches/0009-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch b/debian/patches/0009-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch deleted file mode 100644 index 7147cba..0000000 --- a/debian/patches/0009-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch +++ /dev/null 
@@ -1,188 +0,0 @@ -From 8095074e1aa2b308d8134638999a0ffe25e12347 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 28 Jan 2017 13:02:34 +0100 -Subject: [PATCH 9/9] CVE-2017-5985: Ensure target netns is caller-owned - -Before this commit, lxc-user-nic could potentially have been tricked into -operating on a network namespace over which the caller did not hold privilege. - -This commit ensures that the caller is privileged over the network namespace by -temporarily dropping privilege. - -Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676 -Reported-by: Jann Horn -Signed-off-by: Christian Brauner ---- - src/lxc/lxc_user_nic.c | 119 ++++++++++++++++++++++++++++++++++++------------- - 1 file changed, 87 insertions(+), 32 deletions(-) - -diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c -index 409a53a..96dc398 100644 ---- a/src/lxc/lxc_user_nic.c -+++ b/src/lxc/lxc_user_nic.c -@@ -50,6 +50,14 @@ - #include "utils.h" - #include "network.h" - -+#define usernic_debug_stream(stream, format, ...) \ -+ do { \ -+ fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__, \ -+ __func__, __VA_ARGS__); \ -+ } while (false) -+ -+#define usernic_error(format, ...) 
usernic_debug_stream(stderr, format, __VA_ARGS__) -+ - static void usage(char *me, bool fail) - { - fprintf(stderr, "Usage: %s lxcpath name pid type bridge nicname\n", me); -@@ -670,68 +678,115 @@ again: - } - - #define VETH_DEF_NAME "eth%d" -- - static int rename_in_ns(int pid, char *oldname, char **newnamep) - { -- int fd = -1, ofd = -1, ret, ifindex = -1; -+ uid_t ruid, suid, euid; -+ int fret = -1; -+ int fd = -1, ifindex = -1, ofd = -1, ret; - bool grab_newname = false; - - ofd = lxc_preserve_ns(getpid(), "net"); - if (ofd < 0) { -- fprintf(stderr, "Failed opening network namespace path for '%d'.", getpid()); -- return -1; -+ usernic_error("Failed opening network namespace path for '%d'.", getpid()); -+ return fret; - } - - fd = lxc_preserve_ns(pid, "net"); - if (fd < 0) { -- fprintf(stderr, "Failed opening network namespace path for '%d'.", pid); -- return -1; -+ usernic_error("Failed opening network namespace path for '%d'.", pid); -+ goto do_partial_cleanup; -+ } -+ -+ ret = getresuid(&ruid, &euid, &suid); -+ if (ret < 0) { -+ usernic_error("Failed to retrieve real, effective, and saved " -+ "user IDs: %s\n", -+ strerror(errno)); -+ goto do_partial_cleanup; -+ } -+ -+ ret = setns(fd, CLONE_NEWNET); -+ close(fd); -+ fd = -1; -+ if (ret < 0) { -+ usernic_error("Failed to setns() to the network namespace of " -+ "the container with PID %d: %s.\n", -+ pid, strerror(errno)); -+ goto do_partial_cleanup; - } - -- if (setns(fd, 0) < 0) { -- fprintf(stderr, "setns to container network namespace\n"); -- goto out_err; -+ ret = setresuid(ruid, ruid, 0); -+ if (ret < 0) { -+ usernic_error("Failed to drop privilege by setting effective " -+ "user id and real user id to %d, and saved user " -+ "ID to 0: %s.\n", -+ ruid, strerror(errno)); -+ // COMMENT(brauner): It's ok to jump to do_full_cleanup here -+ // since setresuid() will succeed when trying to set real, -+ // effective, and saved to values they currently have. 
-+ goto do_full_cleanup; - } -- close(fd); fd = -1; -+ - if (!*newnamep) { - grab_newname = true; - *newnamep = VETH_DEF_NAME; -- if (!(ifindex = if_nametoindex(oldname))) { -- fprintf(stderr, "failed to get netdev index\n"); -- goto out_err; -+ -+ ifindex = if_nametoindex(oldname); -+ if (!ifindex) { -+ usernic_error("Failed to get netdev index: %s.\n", strerror(errno)); -+ goto do_full_cleanup; - } - } -- if ((ret = lxc_netdev_rename_by_name(oldname, *newnamep)) < 0) { -- fprintf(stderr, "Error %d renaming netdev %s to %s in container\n", ret, oldname, *newnamep); -- goto out_err; -+ -+ ret = lxc_netdev_rename_by_name(oldname, *newnamep); -+ if (ret < 0) { -+ usernic_error("Error %d renaming netdev %s to %s in container.\n", ret, oldname, *newnamep); -+ goto do_full_cleanup; - } -+ - if (grab_newname) { -- char ifname[IFNAMSIZ], *namep = ifname; -+ char ifname[IFNAMSIZ]; -+ char *namep = ifname; -+ - if (!if_indextoname(ifindex, namep)) { -- fprintf(stderr, "Failed to get new netdev name\n"); -- goto out_err; -+ usernic_error("Failed to get new netdev name: %s.\n", strerror(errno)); -+ goto do_full_cleanup; - } -+ - *newnamep = strdup(namep); - if (!*newnamep) -- goto out_err; -+ goto do_full_cleanup; - } -- if (setns(ofd, 0) < 0) { -- fprintf(stderr, "Error returning to original netns\n"); -- close(ofd); -- return -1; -+ -+ fret = 0; -+ -+do_full_cleanup: -+ ret = setresuid(ruid, euid, suid); -+ if (ret < 0) { -+ usernic_error("Failed to restore privilege by setting effective " -+ "user id to %d, real user id to %d, and saved user " -+ "ID to %d: %s.\n", -+ ruid, euid, suid, strerror(errno)); -+ fret = -1; -+ // COMMENT(brauner): setns() should fail if setresuid() doesn't -+ // succeed but there's no harm in falling through; keeps the -+ // code cleaner. 
- } -- close(ofd); - -- return 0; -+ ret = setns(ofd, CLONE_NEWNET); -+ if (ret < 0) { -+ usernic_error("Failed to setns() to original network namespace " -+ "of PID %d: %s.\n", -+ ofd, strerror(errno)); -+ fret = -1; -+ } - --out_err: -- if (ofd >= 0) -- close(ofd); -- if (setns(ofd, 0) < 0) -- fprintf(stderr, "Error returning to original network namespace\n"); -+do_partial_cleanup: - if (fd >= 0) - close(fd); -- return -1; -+ close(ofd); -+ -+ return fret; - } - - /* --- -2.1.4 - diff --git a/debian/patches/series b/debian/patches/series index 164f464..35ae8f9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,4 +6,3 @@ 0006-start-initutils-make-cgroupns-separation-level-confi.patch 0007-rename-cgroup-namespace-directory-to-ns.patch 0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch -0009-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch diff --git a/lxc.tgz b/lxc.tgz index 0fbe4fc..2897b33 100644 Binary files a/lxc.tgz and b/lxc.tgz differ
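Review bot: Removing `0009-CVE-2017-5985-Ensure-target-netns-is-caller-owned.patch` from `debian/patches/series` drops the lxc-user-nic hardening that makes rename_in_ns() drop privilege via setresuid() before the setns() into the target network namespace, and nothing in this commit states why that is safe. The likely reason is that upstream 2.0.8 ships the same fix, but the changelog entry only says `  * update to lxc-2.0.8`; the supersession should be recorded there, e.g. `  * update to lxc-2.0.8 (includes upstream fix for CVE-2017-5985, drop 0009-*.patch)`. Before merging, confirm that src/lxc/lxc_user_nic.c in the rebased lxc.tgz contains the getresuid()/setresuid() privilege drop in rename_in_ns() that the deleted patch added; if it does not, the patch needs to be refreshed rather than deleted.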