<!DOCTYPE html >
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    
  <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"></head>
  <body>
    <div id="body" style="font-family:%22Helvetica Neue%22, Helvetica, Arial, sans-serif;font-size:16px;color:#808080;width:570px;margin:0 auto">
      <table background="" class="repository" style="padding:0px;border:0px;width:100%;color:#606060;font-size:20px;margin-bottom:15px;margin-top:15px;">
        <tr style="padding:0px;border:0px;">
          <td style="padding:0px;border:0px;vertical-align:middle"><img src="https://0.gravatar.com/avatar/c42b1ebbbc4ef0736b252a2d62232578?s=40&d=https%3A%2F%2Ftravis-ci.org%2Fimages%2Fmailer%2Fmascot-avatar-40px.png" style="vertical-align:middle;width:40px;height:40px"> <span style="vertical-align:middle;margin-left:3px"><strong><a href="http://clicks.travis-ci.org/track/click/30007208/travis-ci.org?p=eyJzIjoiRTFpSkJyZUFqSlRocENHOVNweWJPVUVkZTUwIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RyYXZpcy1jaS5vcmdcXFwvYnJhdW5lclxcXC9seGNcIixcImlkXCI6XCJiYWJhNzM4ZjRkYjE0YTRkODBjZTg2NjA5OWY3YjEyM1wiLFwidXJsX2lkc1wiOltcImMwNWI4MTdmNWU3ZmNhOWYxMTdlMGE5YTU5ZmYyNzQ5OGY3Y2M3ZDBcIl19In0" style="text-decoration:underline;color:#606060">brauner / lxc</a></strong> (<a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoiSEgybC1Wb2dCekhyT3JZa3hORVhFbTVQTXhzIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvYnJhdW5lclxcXC9seGNcXFwvdHJlZVxcXC9tYXN0ZXJcIixcImlkXCI6XCJiYWJhNzM4ZjRkYjE0YTRkODBjZTg2NjA5OWY3YjEyM1wiLFwidXJsX2lkc1wiOltcIjMwNWMzYjY1OTlkNmEwMjU0OTg0ZDUwZWMwZTJlNzljZTFlN2Y4MzZcIl19In0" style="text-decoration:underline;color:#606060">master</a>)</span></td>
        </tr>
      </table>
      <div class="success" id="build" style="border-radius:5px;padding:0px;width:570px;font-size:13px">
        <div class="content">
          <table style="padding:0px;border:0px;width:100%;border-spacing:0">
            <thead>
              <tr style="padding:0px;border:0px;font-weight:700;font-size:18px;background-color:#baecb7;color:#32a32d">
                <td style="border:0px;border-top:1px solid #808080;border-bottom:1px solid #adadad;width:50px;padding:0px;text-align:center;vertical-align:middle;padding-top:5px;border-left:1px solid #606060;border-top-left-radius:5px"><div class="status-image" style="width:25px;background-size:25px;height:30px;margin-left:15px;margin-top:0px;vertical-align:middle"><img height="25" src="https://travis-ci.org/images/mailer/success.png" width="25"></div></td>
                <td class="build-message" style="border:0px;padding:0px 20px 0px 0px;vertical-align:middle;border-top:1px solid #808080;border-bottom:1px solid #adadad"><span style="display:inline-block;margin-top:12px;vertical-align:middle"><a href="http://clicks.travis-ci.org/track/click/30007208/travis-ci.org?p=eyJzIjoiUHFjZ0tJa2R2dVVJd3htYThVV3p4WGo0dlc0IiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RyYXZpcy1jaS5vcmdcXFwvYnJhdW5lclxcXC9seGNcXFwvYnVpbGRzXFxcLzgyNzc5Mzc1XCIsXCJpZFwiOlwiYmFiYTczOGY0ZGIxNGE0ZDgwY2U4NjYwOTlmN2IxMjNcIixcInVybF9pZHNcIjpbXCI1Y2E3NmFjOTdkOWJjYWE2N2NiMTFmNGU4ZGI0N2NmNzk0ODQ5YTRiXCJdfSJ9" style="font-weight:bold;text-decoration:underline;color:#32a32d">Build #1 passed.</a></span><img height="45" src="https://travis-ci.org/images/mailer/arrow-success.png" style="float: right;"></td>
                <td align="right" class="time" style="border:0px;font-weight:normal;font-size:12px;padding:0px 20px 0px 0px;vertical-align:middle;border-top:1px solid #808080;border-bottom:1px solid #adadad;border-right:1px solid #606060;border-top-right-radius:5px"><div class="stop-watch" style="vertical-align:middle;padding:0px;background-size:20px;display:inline-block;width:20px;height:20px"><img height="20" src="https://travis-ci.org/images/mailer/stopwatch-success.png" width="20"></div> <span style="vertical-align:middle">1 minute and 50 seconds</span></td>
              </tr>
            </thead>
            <tbody style="margin-bottom:40px">
              <tr style="padding:0px;border:0px">
                <td class="profile-image" style="border:0px;height:20px;width:50px;padding:0px;border-left:1px solid #adadad;padding-top:20px;padding-bottom:5px;text-align:center"><img src="https://secure.gravatar.com/avatar/4125b842e0df6dd83c3d06e570235134?s=15&d=https%3A%2F%2Ftravis-ci.org%2Fimages%2Fmailer%2Fmascot-avatar-15px.png"></td>
                <td class="grey" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;padding-top:20px;padding-bottom:5px"><strong>Serge Hallyn</strong></td>
                <td align="right" class="grey" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;border-right:1px solid #adadad;padding-top:20px;padding-bottom:5px"><a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoieF83RzF0S0w5LUdJUVVqc2k2WFBOWWs4ZnJBIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvYnJhdW5lclxcXC9seGNcXFwvY29tbWl0XFxcLzU5MmZkNDdhNjI0NTUwOGI3OWZlNmFjODE5ZmU2ZDNiMmMxMjg5YmVcIixcImlkXCI6XCJiYWJhNzM4ZjRkYjE0YTRkODBjZTg2NjA5OWY3YjEyM1wiLFwidXJsX2lkc1wiOltcIjUwZGIyOWIwNzIzZmFmOGM1NzBkNzJlM2M0NmZmN2RiNzA4MzFhMTdcIl19In0" style="text-decoration:none;font-weight:bold;color:#57769d">592fd47</a> <a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoiX29taDBuLU9mTmstZzVCZ2VoRE5HeTdGYk84IiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvYnJhdW5lclxcXC9seGNcXFwvY29tcGFyZVxcXC9mMmU0ZGRkZDcxZDQuLi41OTJmZDQ3YTYyNDVcIixcImlkXCI6XCJiYWJhNzM4ZjRkYjE0YTRkODBjZTg2NjA5OWY3YjEyM1wiLFwidXJsX2lkc1wiOltcImEyNzZhYWExMTk0N2JmNjgxNjVjODRhZDRkMWNkODZjZjBkMGMxNzZcIl19In0" style="text-decoration:none;font-weight:bold;color:#57769d">Changeset →</a></td>
              </tr>
              <tr style="padding:0px;border:0px">
                <td style="border:0px;height:20px;width:50px;padding:0px;border-left:1px solid #adadad;border-bottom-left-radius:5px;border-bottom:1px solid #adadad"> </td>
                <td class="grey" colspan="2" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;border-right:1px solid #adadad;padding-bottom:20px;padding-top:0px;border-bottom:1px solid #adadad;border-bottom-right-radius:5px">CVE-2015-1335: Protect container mounts against symlinks<br><br>When a container starts up, lxc sets up the container's initial fstree<br>by doing a bunch of mounting, guided by the container configuration<br>file.  The container config is owned by the admin or user on the host,<br>so we do not try to guard against bad entries.  However, since the<br>mount target is in the container, it's possible that the container admin<br>could divert the mount with symbolic links.  This could bypass proper<br>container startup (i.e. confinement of a root-owned container by the<br>restrictive apparmor policy, by diverting the required write to<br>/proc/self/attr/current), or bypass the (path-based) apparmor policy<br>by diverting, say, /proc to /mnt in the container.<br><br>To prevent this,<br><br>1. do not allow mounts to paths containing symbolic links<br><br>2. do not allow bind mounts from relative paths containing symbolic<br>links.<br><br>Details:<br><br>Define safe_mount which ensures that the container has not inserted any<br>symbolic links into any mount targets for mounts to be done during<br>container setup.<br><br>The host's mount path may contain symbolic links.  As it is under the<br>control of the administrator, that's ok.  So safe_mount begins the check<br>for symbolic links after the rootfs->mount, by opening that directory.<br><br>It opens each directory along the path using openat() relative to the<br>parent directory using O_NOFOLLOW.  When the target is reached, it<br>mounts onto /proc/self/fd/&lt;targetfd&gt;.<br><br>Use safe_mount() in mount_entry(), when mounting container proc,<br>and when needed.  In particular, safe_mount() need not be used in<br>any case where:<br><br>1. 
the mount is done in the container's namespace<br>2. the mount is for the container's rootfs<br>3. the mount is relative to a tmpfs or proc/sysfs which we have<br>   just safe_mount()ed ourselves<br><br>Since we were using proc/net as a temporary placeholder for /proc/sys/net<br>during container startup, and proc/net is a symbolic link, use proc/tty<br>instead.<br><br>Update the lxc.container.conf manpage with details about the new<br>restrictions.<br><br>Finally, add a testcase to test some symbolic link possibilities.<br><br>Reported-by: Roman Fiedler<br>Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;<br>Acked-by: Stéphane Graber &lt;stgraber@ubuntu.com&gt;</td>
              </tr>
              </tbody>
          </table>
        </div>
      </div>



    </div>
    <script type="application/ld+json">
    {
      "@context": "http://schema.org",
      "@type": "EmailMessage",
      "action": {
        "@type": "ViewAction",
        "url": "https://travis-ci.org/brauner/lxc/builds/82779375",
        "name": "View Build"
      },
      "description": "View Build #1 on Travis CI"
    }
    </script>


  </body>
</html>