mirror of git://github.com/lxc/lxc synced 2025-08-31 12:39:31 +00:00
Commit Graph

10959 Commits

Author SHA1 Message Date
Christian Brauner
2ec31bbde7 network: port ipv4 to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 18:21:54 +02:00
Stéphane Graber
19202d882b Merge pull request #3952 from brauner/2021-08-25.list.2
conf: port more types to new list type
2021-08-26 10:53:06 -04:00
Christian Brauner
20ab75789e conf: simplify and port caps to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 15:25:28 +02:00
Christian Brauner
badf09ec16 cgroup: remove unneeded forward declaration
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 14:19:53 +02:00
Christian Brauner
9ab399dfcf terminal: remove unused struct member
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 14:19:14 +02:00
Christian Brauner
c294a68d13 conf: port environment to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 14:16:53 +02:00
Christian Brauner
0ef1dbb17b conf: remove unused variables
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 13:38:07 +02:00
Christian Brauner
2ff1170b42 conf: switch to parse_mount_attrs() even for legacy mount()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 11:11:08 +02:00
Christian Brauner
6b48a57529 conf: support recursive propagation options properly
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 11:06:52 +02:00
Christian Brauner
3eb2323041 conf: rework recursive mount option handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 10:47:47 +02:00
Christian Brauner
e73af35bba rootfs: remove "options" member
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 10:27:38 +02:00
Christian Brauner
091f611c7c conf: remove unused mountflags member
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 10:17:21 +02:00
Christian Brauner
0589d744f6 conf: port id_map to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 09:47:47 +02:00
Christian Brauner
c9dbb8edf9 conf: port cgroup settings to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 09:47:47 +02:00
Christian Brauner
91d04bf9db conf: port procs to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-26 09:47:39 +02:00
Christian Brauner
ba9f93472d conf: port sysctls to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 18:49:49 +02:00
Christian Brauner
223797c313 conf: port rlimits to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 18:38:06 +02:00
Stéphane Graber
610c93b735 Merge pull request #3950 from brauner/2021-08-25.list
tree-wide: introduce new list type and port network handling to it
2021-08-25 12:29:14 -04:00
Christian Brauner
d2e75eba7e conf: port state_clients to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 15:30:01 +02:00
Christian Brauner
2345ad43f0 mainloop: port handlers to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 15:19:25 +02:00
Christian Brauner
93de768ea3 cgroups: port bpf devices to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 14:28:06 +02:00
Christian Brauner
87d0990c1a tree-wide: port network handling to new list type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 13:25:03 +02:00
Christian Brauner
4780b5e7f4 list: add new kernel-based list implementation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-25 13:24:51 +02:00
Stéphane Graber
e91d7f22f1 Merge pull request #3949 from brauner/2021-08-24.attach
tools: lxc-attach fixes
2021-08-24 23:56:17 -04:00
Stéphane Graber
fc1625fb23 Merge pull request #3948 from brauner/2021-08-24.fixes
confile: return negative errno everywhere
2021-08-24 08:29:49 -04:00
Maximilian Blenk
8c5c30d175 tools: fix elevated privilege handler in lxc-attach
Make sure to return an error when the user requests an LSM profile to be
set while also requesting that elevated LSM privileges are to be used.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 10:01:11 +02:00
Christian Brauner
d253a09f9b confile: rework lxc_fill_elevated_privileges()
Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:58:47 +02:00
Christian Brauner
d34bbcb71a attach_options: add LXC_ATTACH_LSM_LABEL to LXC_ATTACH_LSM flags
Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:58:25 +02:00
Christian Brauner
7cde4e411a tools: align struct initialization
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:57:44 +02:00
Christian Brauner
647df91d9a tools: fix variable declarations in lxc-attach
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:36:34 +02:00
Maximilian Blenk
b445fcb114 attach: allow LSM attach without new mnt namespace
Currently, the -c command (to set the selinux context) seems to be
broken because lxc-attach expects that also a new mount namespace
is specified via the command line. This commit removes the check for the new
mount namespace to fix this issue. Please note that the
--elevated-privileges option is not affected by this issue.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:20:02 +02:00
Christian Brauner
b28be01f5c confile: return negative errno everywhere
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:13:36 +02:00
Christian Brauner
a0738fa00b Merge pull request #3947 from blenk92/fix-missing-seccomp
config: enable seccomp profile only when compiled with libseccomp
2021-08-24 09:07:48 +02:00
Maximilian Blenk
3d46e1d1f8 config: enable seccomp profile only when compiled with libseccomp
Make lxc fail if seccomp.profile is specified but lxc is compiled
without seccomp support. Currently, seccomp.profile is silently ignored
if it is specified in such a scenario. This could lead to the false
impression that the seccomp filter is applied while it actually isn't.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
2021-08-24 01:17:32 +02:00
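The failure mode described in the commit above (a seccomp.profile that is accepted but never applied) is best caught by asking the kernel rather than trusting the configuration: the "Seccomp:" field of /proc/<pid>/status is 0 when no filter is loaded, 1 for strict mode and 2 when a BPF filter is installed. The following is an added example, not LXC code: it parses that field from constructed status text and from the live /proc entry of the calling process. The sample status snippets are constructed for the example and only mimic the relevant lines.

```c
/* Added example (not part of LXC): verify that a seccomp filter is actually
 * applied to a process by reading the "Seccomp:" field of /proc/<pid>/status.
 * Values: 0 = disabled, 1 = strict, 2 = filter. A kernel built without
 * CONFIG_SECCOMP omits the field entirely. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Seccomp:" line out of the text of a /proc/<pid>/status file.
 * Returns the mode (0, 1 or 2), -ENOENT if the field is absent, or
 * -EINVAL if the value is malformed or out of range. */
int seccomp_mode_from_status(const char *status)
{
	const char *line = status;

	while (line && *line) {
		/* "Seccomp_filters:" also starts with "Seccomp" but differs at
		 * the colon, so an 8-byte compare is unambiguous. */
		if (strncmp(line, "Seccomp:", 8) == 0) {
			char *end;
			long mode = strtol(line + 8, &end, 10);

			if (end == line + 8 || mode < 0 || mode > 2)
				return -EINVAL;
			return (int)mode;
		}
		line = strchr(line, '\n');
		if (line)
			line++;
	}
	return -ENOENT;
}

/* Read /proc/<pid>/status and return its seccomp mode, or -errno on failure. */
int seccomp_mode_of_pid(pid_t pid)
{
	char path[64];
	char buf[8192];
	FILE *f;
	size_t n;

	snprintf(path, sizeof(path), "/proc/%d/status", (int)pid);
	f = fopen(path, "re");
	if (!f)
		return -errno;
	n = fread(buf, 1, sizeof(buf) - 1, f);
	fclose(f);
	buf[n] = '\0';
	return seccomp_mode_from_status(buf);
}

/* Constructed samples (not captured from a real system) showing the three
 * states a practitioner will encounter. */
static const char sample_filtered[] =
	"Name:\tsh\n"
	"NoNewPrivs:\t1\n"
	"Seccomp:\t2\n"
	"Seccomp_filters:\t1\n";
static const char sample_unfiltered[] =
	"Name:\tsh\n"
	"NoNewPrivs:\t0\n"
	"Seccomp:\t0\n";
static const char sample_no_seccomp[] =
	"Name:\tsh\n"
	"NoNewPrivs:\t0\n";

int main(void)
{
	int mode = seccomp_mode_of_pid(getpid());

	if (mode < 0) {
		fprintf(stderr, "cannot determine seccomp mode: %s\n", strerror(-mode));
		return 1;
	}
	printf("seccomp mode of pid %d: %d (%s)\n", (int)getpid(), mode,
	       mode == 2 ? "filter" : mode == 1 ? "strict" : "disabled");
	/* Treat anything other than a loaded filter as a failed check. */
	return mode == 2 ? 0 : 1;
}
```

Run it as the container's init (or point seccomp_mode_of_pid() at the init PID from the host) right after start-up; a result of 0 with lxc.seccomp.profile set means the profile was dropped somewhere, which is exactly the silent case the commit turns into a hard error.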
Stéphane Graber
f1b5286c65 Merge pull request #3943 from brauner/2021-08-19.fixes
seccomp: fix compilation when !HAVE_DECL_SECCOMP_NOTIFY_FD
2021-08-19 15:18:07 -04:00
Christian Brauner
c16d194abf seccomp: fix compilation when !HAVE_DECL_SECCOMP_NOTIFY_FD
[2021-08-18 05:48:26] [build-stdout] mv -f $depbase.Tpo $depbase.Po
[2021-08-18 05:48:26] [build-stderr] seccomp.c: In function ‘seccomp_notify_cleanup_handler’:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1367:25: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1367 |  if (fd == conf->seccomp.notifier.notify_fd)
[2021-08-18 05:48:26] [build-stderr]       |                         ^
[2021-08-18 05:48:26] [build-stderr] In file included from af_unix.h:12,
[2021-08-18 05:48:26] [build-stderr]                  from seccomp.c:14:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1368 |   fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr]       |                             ^
[2021-08-18 05:48:26] [build-stderr] macro.h:655:26: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr]   655 |   int __internal_fd__ = (fd); \
[2021-08-18 05:48:26] [build-stderr]       |                          ^~
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1368 |   fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr]       |                             ^
[2021-08-18 05:48:26] [build-stderr] macro.h:656:4: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr]   656 |   (fd) = -EBADF;              \
[2021-08-18 05:48:26] [build-stderr]       |    ^~
[2021-08-18 05:48:26] [build-stderr] make[3]: *** [Makefile:4496: seccomp.o] Error 1
[2021-08-18 05:48:26] [build-stdout] make[3]: Leaving directory '/opt/src/src/lxc'
[2021-08-18 05:48:26] [build-stdout] make[2]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stdout] make[1]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stderr] make[2]: *** [Makefile:440: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] make[1]: *** [Makefile:379: all] Error 2
[2021-08-18 05:48:26] [build-stderr] make: *** [Makefile:537: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] + '[' -f build.ninja ']'
[2021-08-18 05:48:26] [build-stdout] Semmle autobuild: no supported build system detected.
[2021-08-18 05:48:26] [build-stderr] + '[' -d ../_lgtm_build_dir ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build.sh ']'
[2021-08-18 05:48:26] [build-stderr] + '[' -f setup.py ']'
[2021-08-18 05:48:26] [build-stderr] + echo 'Semmle autobuild: no supported build system detected.'
[2021-08-18 05:48:26] [build-stderr] + exit 1
[2021-08-18 05:48:26] [ERROR] Spawned process exited abnormally (code 1; tried to run: [/opt/dist/tools/linux64/preload_tracer, /opt/dist/cpp/tools/do-build])
[2021-08-18 05:48:26] [build-stderr] A fatal error occurred: Exit status 1 from command: [/opt/dist/cpp/tools/do-build]
[2021-08-18 05:48:26] [build-stderr] deptrace-server: received exit command
[2021-08-18 05:48:27] [ERROR] Spawned process exited abnormally (code 2; tried to run: [/opt/work/lgtm-workspace/lgtm/extract.sh])
A fatal error occurred: Exit status 2 from command: [/opt/work/lgtm-workspace/lgtm/extract.sh]

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-19 10:47:31 +02:00
Stéphane Graber
ba4339b677 Merge pull request #3940 from brauner/2021-08-16.fixes.2
tests: only rely on busybox template getting rid of all network dependencies; terminal: allow for tty allocation even when container did not request separate devpts instance
2021-08-17 12:45:57 -04:00
Christian Brauner
41ed9db898 tests: use busybox in lxc-test-usernic.in
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
6c321ceada tests: use busybox in lxc-test-unpriv
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
f6a53ad2c5 tests: use busybox in lxc-test-no-new-privs
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
bc84935552 test: use busybox in lxc-test-autostart
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:28 +02:00
Christian Brauner
adb14537d2 test: use busybox in lxc-test-apparmor-mount
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
acd792c965 test: use busybox in lxc-test-apparmor-generated
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
fd0349a7a0 tests: fix order in sys_mixed
We need to set the config item after we loaded the config obviously.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
03585adc0e conf: allow for tty allocation even when container did not request separate devpts instance
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
b081cb55e4 busybox: simplify
Start relying on autodev for busybox template and wipe all the device
creation.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:50:58 +02:00
Christian Brauner
8829829deb busybox: mount sys:ro
There's no udev so sys doesn't need to be read-write.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:49:56 +02:00
Christian Brauner
803839b8b9 terminal: use /dev/ptmx when allocating pty devices from devpts instances we didn't mount ourselves
When we aren't told what devpts instance to allocate from we assume it
is the one in the caller's mount namespace.
This poses a slight complication: a lot of distros will change
permissions on /dev/ptmx so it can be opened by unprivileged users but
will not change permissions on /dev/pts/ptmx itself. In addition,
/dev/ptmx can either be a symlink, a bind-mount, or a separate device
node. So we need to allow for a fairly lax lookup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 11:39:17 +02:00
Christian Brauner
d06abe2f9c file_utils: add same_device() helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 11:39:17 +02:00
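The two commits above (the ptmx lookup rework and the same_device() helper) describe the problem but not the shape of the check. The following is an added example, not LXC's own implementation: since /dev/ptmx may be a symlink, a bind-mount or an independently created device node, neither the path nor the inode identifies it; what does is the device type and st_rdev, which stat() reports identically through all three. The multiplexer's fixed device number (major 5, minor 2) is a kernel constant; the function names, the pts_dir parameter and the -ENODEV return for a mismatch are this example's own choices.

```c
/* Added example (not LXC code): decide whether /dev/ptmx is the ptmx of a
 * given devpts instance by comparing character-device numbers rather than
 * paths or inodes, so a symlink, a bind-mount and a separate device node
 * all compare equal. Then open the pty master only if the check passes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Two stat results denote the same character device iff both are char
 * devices with the same st_rdev. st_dev/st_ino are deliberately ignored:
 * they differ between a device node and the devpts-provided ptmx. */
bool same_char_device_st(const struct stat *a, const struct stat *b)
{
	if (!S_ISCHR(a->st_mode) || !S_ISCHR(b->st_mode))
		return false;
	return a->st_rdev == b->st_rdev;
}

/* Path-based wrapper. stat() follows symlinks and sees through bind
 * mounts, which is exactly the "lax lookup" the commit message asks for.
 * Any lookup failure is treated as "not the same device". */
bool same_char_device(const char *a, const char *b)
{
	struct stat sa, sb;

	if (stat(a, &sa) < 0 || stat(b, &sb) < 0)
		return false;
	return same_char_device_st(&sa, &sb);
}

/* The pty multiplexer has the fixed device number 5:2. */
bool is_ptmx_device_st(const struct stat *st)
{
	return S_ISCHR(st->st_mode) && major(st->st_rdev) == 5 && minor(st->st_rdev) == 2;
}

/* Open a pty master through ptmx_path (typically "/dev/ptmx") only if it is
 * a ptmx device and matches the ptmx of the devpts mounted at pts_dir
 * (typically "/dev/pts"). Returns an fd on success or -errno on failure;
 * -ENODEV means the identity check failed, not that open() failed. */
int open_ptmx_checked(const char *ptmx_path, const char *pts_dir)
{
	char pts_ptmx[PATH_MAX];
	struct stat st;
	int fd;

	if (stat(ptmx_path, &st) < 0)
		return -ENODEV;
	if (!is_ptmx_device_st(&st))
		return -ENODEV;
	snprintf(pts_ptmx, sizeof(pts_ptmx), "%s/ptmx", pts_dir);
	/* stat() on <pts_dir>/ptmx only needs search permission on pts_dir,
	 * so this works even where /dev/pts/ptmx itself is mode 0000. */
	if (!same_char_device(ptmx_path, pts_ptmx))
		return -ENODEV;

	fd = open(ptmx_path, O_RDWR | O_NOCTTY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	return fd;
}

int main(void)
{
	int fd = open_ptmx_checked("/dev/ptmx", "/dev/pts");

	if (fd < 0) {
		fprintf(stderr, "/dev/ptmx check failed: %s\n", strerror(-fd));
		return 1;
	}
	printf("/dev/ptmx is the ptmx of /dev/pts; master fd %d\n", fd);
	close(fd);
	return 0;
}
```

The -ENODEV result is the one worth alerting on: a /dev/ptmx that exists and is openable but does not match the intended devpts instance would hand out ptys from a different (possibly foreign) instance, which is the situation the identity check exists to prevent.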
Stéphane Graber
72c6d3a56d Merge pull request #3938 from brauner/2021-08-16.fixes
cgroups: simplify offline and isolated cpumask handling
2021-08-16 12:35:46 -04:00