<!DOCTYPE html >
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    
  <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"></head>
  <body>
    <div id="body" style="font-family:%22Helvetica Neue%22, Helvetica, Arial, sans-serif;font-size:16px;color:#808080;width:570px;margin:0 auto">
      <table background="" class="repository" style="padding:0px;border:0px;width:100%;color:#606060;font-size:20px;margin-bottom:15px;margin-top:15px;">
        <tr style="padding:0px;border:0px;">
          <td style="padding:0px;border:0px;vertical-align:middle"><img src="https://avatars.githubusercontent.com/u/2301756?s=40&d=https%3A%2F%2Ftravis-ci.org%2Fimages%2Fmailer%2Fmascot-avatar-40px.png" style="vertical-align:middle;width:40px;height:40px"> <span style="vertical-align:middle;margin-left:3px"><strong><a href="http://clicks.travis-ci.org/track/click/30007208/travis-ci.org?p=eyJzIjoiWmJLYXMxclRKU0d6LWFZZ2p4VlZlN0EzazVvIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RyYXZpcy1jaS5vcmdcXFwvbHhjXFxcL2x4Y1wiLFwiaWRcIjpcImUwM2U3YjYwNzVkZTQ3MDI4YzRkZGI5OWFiZjBkODgyXCIsXCJ1cmxfaWRzXCI6W1wiYzA1YjgxN2Y1ZTdmY2E5ZjExN2UwYTlhNTlmZjI3NDk4ZjdjYzdkMFwiXX0ifQ" style="text-decoration:underline;color:#606060">lxc / lxc</a></strong> (<a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoiRWJQZzllZVRfbkxjU1IzYkw2d1pyb1ZhMl9JIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvbHhjXFxcL2x4Y1xcXC90cmVlXFxcL2x4Y1xcXC9zdGFibGUtMS4wXCIsXCJpZFwiOlwiZTAzZTdiNjA3NWRlNDcwMjhjNGRkYjk5YWJmMGQ4ODJcIixcInVybF9pZHNcIjpbXCIzMDVjM2I2NTk5ZDZhMDI1NDk4NGQ1MGVjMGUyZTc5Y2UxZTdmODM2XCJdfSJ9" style="text-decoration:underline;color:#606060">lxc/stable-1.0</a>)</span></td>
        </tr>
      </table>
      <div class="error" id="build" style="border-radius:5px;padding:0px;width:570px;font-size:13px">
        <div class="content">
          <table style="padding:0px;border:0px;width:100%;border-spacing:0">
            <thead>
              <tr style="padding:0px;border:0px;font-weight:700;font-size:18px;background-color:#cccccc;color:#707070">
                <td style="border:0px;border-top:1px solid #808080;border-bottom:1px solid #adadad;width:50px;padding:0px;text-align:center;vertical-align:middle;padding-top:5px;border-left:1px solid #606060;border-top-left-radius:5px"><div class="status-image" style="width:25px;background-size:25px;height:30px;margin-left:15px;margin-top:0px;vertical-align:middle"><img height="25" src="https://travis-ci.org/images/mailer/error.png" width="25"></div></td>
                <td class="build-message" style="border:0px;padding:0px 20px 0px 0px;vertical-align:middle;border-top:1px solid #808080;border-bottom:1px solid #adadad"><span style="display:inline-block;margin-top:12px;vertical-align:middle"><a href="http://clicks.travis-ci.org/track/click/30007208/travis-ci.org?p=eyJzIjoiX1NUakNxZWZPdXY2TFFaOE1rMEgxeEJhbEFrIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL3RyYXZpcy1jaS5vcmdcXFwvbHhjXFxcL2x4Y1xcXC9idWlsZHNcXFwvODI3NjAzNDVcIixcImlkXCI6XCJlMDNlN2I2MDc1ZGU0NzAyOGM0ZGRiOTlhYmYwZDg4MlwiLFwidXJsX2lkc1wiOltcIjVjYTc2YWM5N2Q5YmNhYTY3Y2IxMWY0ZThkYjQ3Y2Y3OTQ4NDlhNGJcIl19In0" style="font-weight:bold;text-decoration:underline;color:#707070">Build #1259 has errored.</a></span><img height="45" src="https://travis-ci.org/images/mailer/arrow-error.png" style="float: right;"></td>
                <td align="right" class="time" style="border:0px;font-weight:normal;font-size:12px;padding:0px 20px 0px 0px;vertical-align:middle;border-top:1px solid #808080;border-bottom:1px solid #adadad;border-right:1px solid #606060;border-top-right-radius:5px"><div class="stop-watch" style="vertical-align:middle;padding:0px;background-size:20px;display:inline-block;width:20px;height:20px"><img height="20" src="https://travis-ci.org/images/mailer/stopwatch-error.png" width="20"></div> <span style="vertical-align:middle">8 seconds</span></td>
              </tr>
            </thead>
            <tbody style="margin-bottom:40px">
              <tr style="padding:0px;border:0px">
                <td class="profile-image" style="border:0px;height:20px;width:50px;padding:0px;border-left:1px solid #adadad;padding-top:20px;padding-bottom:5px;text-align:center"><img src="https://secure.gravatar.com/avatar/4125b842e0df6dd83c3d06e570235134?s=15&d=https%3A%2F%2Ftravis-ci.org%2Fimages%2Fmailer%2Fmascot-avatar-15px.png"></td>
                <td class="grey" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;padding-top:20px;padding-bottom:5px"><strong>Serge Hallyn</strong></td>
                <td align="right" class="grey" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;border-right:1px solid #adadad;padding-top:20px;padding-bottom:5px"><a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoicVhaRnhXVFJnNzViZS1hQmFsaXJsckZYZExrIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvbHhjXFxcL2x4Y1xcXC9jb21taXRcXFwvNmJiYjgxMDBjNGRlYzRiMWM3MTc1OGMyNzEwNDk4NWE2OTRhNGVhY1wiLFwiaWRcIjpcImUwM2U3YjYwNzVkZTQ3MDI4YzRkZGI5OWFiZjBkODgyXCIsXCJ1cmxfaWRzXCI6W1wiNTBkYjI5YjA3MjNmYWY4YzU3MGQ3MmUzYzQ2ZmY3ZGI3MDgzMWExN1wiXX0ifQ" style="text-decoration:none;font-weight:bold;color:#57769d">6bbb810</a> <a href="http://clicks.travis-ci.org/track/click/30007208/github.com?p=eyJzIjoidEFTN3FSdWlfUHltRldiVTVQUnFwZWJKcVFjIiwidiI6MSwicCI6IntcInVcIjozMDAwNzIwOCxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2dpdGh1Yi5jb21cXFwvbHhjXFxcL2x4Y1xcXC9jb21taXRcXFwvNmJiYjgxMDBjNGRlXCIsXCJpZFwiOlwiZTAzZTdiNjA3NWRlNDcwMjhjNGRkYjk5YWJmMGQ4ODJcIixcInVybF9pZHNcIjpbXCI1MGRiMjliMDcyM2ZhZjhjNTcwZDcyZTNjNDZmZjdkYjcwODMxYTE3XCJdfSJ9" style="text-decoration:none;font-weight:bold;color:#57769d">Changeset →</a></td>
              </tr>
              <tr style="padding:0px;border:0px">
                <td style="border:0px;height:20px;width:50px;padding:0px;border-left:1px solid #adadad;border-bottom-left-radius:5px;border-bottom:1px solid #adadad"> </td>
                <td class="grey" colspan="2" style="border:0px;color:#808080;padding:10px 20px 10px 0px;height:20px;border-right:1px solid #adadad;padding-bottom:20px;padding-top:0px;border-bottom:1px solid #adadad;border-bottom-right-radius:5px">CVE-2015-1335: Protect container mounts against symlinks<br><br>When a container starts up, lxc sets up the container's initial fstree<br>by doing a bunch of mounting, guided by the container configuration<br>file.  The container config is owned by the admin or user on the host,<br>so we do not try to guard against bad entries.  However, since the<br>mount target is in the container, it's possible that the container admin<br>could divert the mount with symbolic links.  This could bypass proper<br>container startup (i.e. confinement of a root-owned container by the<br>restrictive apparmor policy, by diverting the required write to<br>/proc/self/attr/current), or bypass the (path-based) apparmor policy<br>by diverting, say, /proc to /mnt in the container.<br><br>To prevent this,<br><br>1. do not allow mounts to paths containing symbolic links<br><br>2. do not allow bind mounts from relative paths containing symbolic<br>links.<br><br>Details:<br><br>Define safe_mount which ensures that the container has not inserted any<br>symbolic links into any mount targets for mounts to be done during<br>container setup.<br><br>The host's mount path may contain symbolic links.  As it is under the<br>control of the administrator, that's ok.  So safe_mount begins the check<br>for symbolic links after the rootfs->mount, by opening that directory.<br><br>It opens each directory along the path using openat() relative to the<br>parent directory using O_NOFOLLOW.  When the target is reached, it<br>mounts onto /proc/self/fd/&lt;targetfd&gt;.<br><br>Use safe_mount() in mount_entry(), when mounting container proc,<br>and when needed.  In particular, safe_mount() need not be used in<br>any case where:<br><br>1. 
the mount is done in the container's namespace<br>2. the mount is for the container's rootfs<br>3. the mount is relative to a tmpfs or proc/sysfs which we have<br>   just safe_mount()ed ourselves<br><br>Since we were using proc/net as a temporary placeholder for /proc/sys/net<br>during container startup, and proc/net is a symbolic link, use proc/tty<br>instead.<br><br>Update the lxc.container.conf manpage with details about the new<br>restrictions.<br><br>Finally, add a testcase to test some symbolic link possibilities.<br><br>Reported-by: Roman Fiedler<br>Signed-off-by: Serge Hallyn &lt;serge.hallyn@ubuntu.com&gt;<br>ACked-by: Stéphane Graber &lt;stgraber@ubuntu.com&gt;</td>
              </tr>
              </tbody>
          </table>
        </div>
      </div>





    </div>
    <script type="application/ld+json">
    {
      "@context": "http://schema.org",
      "@type": "EmailMessage",
      "action": {
        "@type": "ViewAction",
        "url": "https://travis-ci.org/lxc/lxc/builds/82760345",
        "name": "View Build"
      },
      "description": "View Build #1259 on Travis CI"
    }
    </script>


</body></html>