[lxc-devel] [lxc/lxc] 82866e: Enable default seccomp profile for all distros

GitHub noreply at github.com
Thu Jul 3 19:58:52 UTC 2014 

  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: 82866e3c00f6ad5271378cd9102afd12c843e588
      https://github.com/lxc/lxc/commit/82866e3c00f6ad5271378cd9102afd12c843e588
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M config/templates/Makefile.am
    M config/templates/centos.common.conf.in
    M config/templates/centos.userns.conf.in
    A config/templates/common.seccomp
    M config/templates/debian.common.conf.in
    M config/templates/debian.userns.conf.in
    M config/templates/fedora.common.conf.in
    M config/templates/fedora.userns.conf.in
    M config/templates/gentoo.common.conf.in
    M config/templates/gentoo.moresecure.conf.in
    M config/templates/gentoo.userns.conf.in
    M config/templates/oracle.common.conf.in
    M config/templates/oracle.userns.conf.in
    M config/templates/plamo.common.conf.in
    M config/templates/plamo.userns.conf.in
    R config/templates/ubuntu.priv.seccomp

  Log Message:
  -----------
  Enable default seccomp profile for all distros

This updates the common config to include Serge's seccomp profile by
default for privileged containers.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: a8fe4754c9da6cce95aeb042f6fc015cd6e5569b
      https://github.com/lxc/lxc/commit/a8fe4754c9da6cce95aeb042f6fc015cd6e5569b
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  chown_mapped_root: don't try chgrp if we don't own the file

New kernels require that to have privilege over a file, your
userns must have the old and new groups mapped into your userns.
So if a file is owned by our uid but another groupid, then we
have to chgrp the file to our primary group before we can try
(in a new user namespace) to chgrp the file to a group id in the
namespace.

But in some cases (when cloning) the file may already be mapped
into the container.  Now we cannot chgrp the file to our own
primary group - and we don't have to.

So detect that case.  Only try to chgrp the file to our primary
group if the file is owned by our euid (i.e. not by the container)
and the owning group is not already mapped into the container by
default.

With this patch, I'm again able to both create and clone containers
with no errors again.

Reported-by: S.Çağlar Onur <caglar at 10ur.org>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: c4c3f631ab8a8066ca5320ef158118a699fecaf1
      https://github.com/lxc/lxc/commit/c4c3f631ab8a8066ca5320ef158118a699fecaf1
  Author: Rodrigo Vaz <rodrigo at heroku.com>
  Date:   2014-07-03 (Thu, 03 Jul 2014)

  Changed paths:
    M src/lxc/lxc_start.c
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  make the container exit code propagate to lxc-start exit code when appropriate

Signed-off-by: Rodrigo Sampaio Vaz <rodrigo at heroku.com>
Acked-by: Serge Hallyn <serge.hallyn at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/3a8c6134711b...c4c3f631ab8a

More information about the lxc-devel mailing list