[lxc-devel] [lxc/lxc] dd666a: apparmor: don't do on-exec profile changes

GitHub noreply at github.com
Tue Feb 25 21:18:49 UTC 2014 

  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: dd666a90f235c34dbb1e39a72277f04e7e720e8b
      https://github.com/lxc/lxc/commit/dd666a90f235c34dbb1e39a72277f04e7e720e8b
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  apparmor: don't do on-exec profile changes

always change profile immediately.  Otherwise there are weird
corner cases where the profile change may not happen.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 99bfcb4d778a580ef6fb178192abe3560c18ae65
      https://github.com/lxc/lxc/commit/99bfcb4d778a580ef6fb178192abe3560c18ae65
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/bdev.c
    M src/lxc/bdev.h
    M src/lxc/lxc_create.c

  Log Message:
  -----------
  add dir support

It used to be supported with the lxc-create.in script, and
the manpage says it's supported...  So let's just support it.

Now

sudo lxc-create -t download --dir /opt/ab -n ab

works, creating the container rootfs under /opt/ab.  This
generally isn't something I'd recommend, however telling users
to use a different lxc-path isn't as friendly as I'd like,
because each lxcpath requires separate lxc-ls and lxc-autostart
runs.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 4460deff35bc588e21bf81e2ddc37a66fa840e3c
      https://github.com/lxc/lxc/commit/4460deff35bc588e21bf81e2ddc37a66fa840e3c
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/lxc-start-ephemeral.in

  Log Message:
  -----------
  lxc-start-ephemeral: Set tmpfs mode to 0755

The tmpfs was mounted with its default mode (1777) which was then picked
up by overlayfs/aufs as the target's mode.

This led to a world writable / in ephemeral containers.

I have confirmed that this issue doesn't impact lxc-clone.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 821b0499a0bcb393a0e83725194ec041d2d71dd0
      https://github.com/lxc/lxc/commit/821b0499a0bcb393a0e83725194ec041d2d71dd0
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  Catch seccomp violations by init

Note that if a task other than init violates the seccomp policy,
we cannot catch that.  Init will catch it and (if it feels like
it) log it.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: e5a5ff0093c19254e1a96e3ac8a982ce6187275d
      https://github.com/lxc/lxc/commit/e5a5ff0093c19254e1a96e3ac8a982ce6187275d
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/attach.c
    M src/lxc/bdev.c
    M src/lxc/conf.c
    M src/lxc/lxc_usernsexec.c
    M src/lxc/lxccontainer.c
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  always check whether rootfs is shared

(this expands on Dwight's recent patch, commit c597baa8f9)

After unshare(CLONE_NEWNS) and before doing any mounting, always
check whether rootfs is shared.  Otherwise template runs or clone
scripts can bleed mount activity to the host.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 23b116e35fa5d2b7af83433983f6af9eef601728
      https://github.com/lxc/lxc/commit/23b116e35fa5d2b7af83433983f6af9eef601728
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/lxc/attach.c
    M src/lxc/lxc_usernsexec.c

  Log Message:
  -----------
  attach: Defined MS_REC and MS_SLAVE if not set

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 00903d7d68398a514e8f98bb82c71cddda9c3dda
      https://github.com/lxc/lxc/commit/00903d7d68398a514e8f98bb82c71cddda9c3dda
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-02-25 (Tue, 25 Feb 2014)

  Changed paths:
    M src/python-lxc/lxc/__init__.py

  Log Message:
  -----------
  python3: Add support for wlan device add

With this change it's now possible to add wlan devices to the container.
This will track down the right phy device, move it to the right
namespace (we don't care about its name), then if the user asked for a
new device name for the actual interface, we attach to the container and
rename the interface in there using attach.

I have tested this to work with both Intel and Atheros NICs.

This patch is based on the one provided to lxc-devel by Gregor Beck and
has then been updated to do the device renaming as well as minor code
style changes. Thanks!

Reported-by: Gregor Beck <gbeck at sernet.de>
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/223b1e0c8741...00903d7d6839

More information about the lxc-devel mailing list