[lxc-devel] [lxc/lxc] 881fa6: seccomp: warn but continue on unresolvable syscall...

GitHub noreply at github.com
Mon Jun 30 16:42:46 UTC 2014


  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: 881fa65739d12d76935a1042b7c0ee0eb5624663
      https://github.com/lxc/lxc/commit/881fa65739d12d76935a1042b7c0ee0eb5624663
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-18 (Wed, 18 Jun 2014)

  Changed paths:
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: warn but continue on unresolvable syscalls

If a syscall is listed which is not resolvable, continue.  This allows
us to keep a more complete list of syscalls in a global seccomp policy
without having to worry about older kernels not supporting the newer
syscalls.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: e00fef737e2898aaff4bf59d1cd84d6f0c877dc3
      https://github.com/lxc/lxc/commit/e00fef737e2898aaff4bf59d1cd84d6f0c877dc3
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/lxc_attach.c

  Log Message:
  -----------
  Fix typo in lxc_attach's usage

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 010898a9e5981984dddb361bb294b999ba841a18
      https://github.com/lxc/lxc/commit/010898a9e5981984dddb361bb294b999ba841a18
  Author: Dwight Engen <dwight.engen at oracle.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/caps.c
    M src/lxc/caps.h
    M src/lxc/lxc_init.c

  Log Message:
  -----------
  don't force dropping capabilities in lxc-init

Commit 0af683cf added clearing of capabilities to lxc-init, but only
after lxc_setup_fs() was done, likely so that the mounting done in
that routine wouldn't fail.

However, in my testing lxc_caps_reset() wasn't really effective
anyway since it did not clear the bounding set. Adding prctl
PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I
don't think it's necessary to forcefully clear all capabilities since
users can now specify lxc.cap.keep = none to drop all capabilities.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: a668d196029615532007e0fbf3e4daf4beeca295
      https://github.com/lxc/lxc/commit/a668d196029615532007e0fbf3e4daf4beeca295
  Author: Dwight Engen <dwight.engen at oracle.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M configure.ac
    M src/lxc/Makefile.am

  Log Message:
  -----------
  split -lcap and -lselinux out of LIBS

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 87850eca8bc147b093261d0db656e773fc8f3901
      https://github.com/lxc/lxc/commit/87850eca8bc147b093261d0db656e773fc8f3901
  Author: Dwight Engen <dwight.engen at oracle.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M config/init/systemd/lxc.service.in

  Log Message:
  -----------
  fix the expansion of libexecdir when not explicitly passed to configure

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 391ece78f7181f744c39ef17a7d0761f35eb78dc
      https://github.com/lxc/lxc/commit/391ece78f7181f744c39ef17a7d0761f35eb78dc
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/conf.h
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: support 'all' arch sections (plus bugfixes)

seccomp_ctx is already a void*, so don't use 'scmp_filter_ctx *'

Separately track the native arch from the arch a rule is aimed at.

Clearly ignore irrelevant architectures (i.e. arm rules on x86)

Don't try to load seccomp (and don't fail) if we are already
seccomp-confined.  Otherwise nested containers fail.

Make it clear that the extra seccomp ctx is only for compat calls
on 64-bit arch.  (This will be extended to arm64 when libseccomp
supports it).  Power may well complicate this (if ever it is supported)
and require a new rethink and rewrite.

NOTE - currently when starting a 32-bit container on 64-bit host,
rules pertaining to 32-bit syscalls (as opposed to ones which have
the same syscall #) appear to be ignored.  I can reproduce that without
lxc, so either there is a bug in seccomp or a fundamental
misunderstanding in how I'm merging the contexts.

Rereading the seccomp_rule_add manpage suggests that keeping the second
seccomp context may not be necessary, but this is not something I care
to test right now.  If it's true, then the code could be simplified, and
it may solve my concerns about power.

With this patch I'm able to start nested containers (with seccomp
policies defined) including 32-bit and 32-bit-in-64-bit.

[ this patch does not yet add the default seccomp policy ]

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 0995cb736e34360c911d79bf66958c270fe840db
      https://github.com/lxc/lxc/commit/0995cb736e34360c911d79bf66958c270fe840db
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/seccomp.c

  Log Message:
  -----------
  seccomp: fix 32-bit rules

When calling seccomp_rule_add(), you must pass the native syscall number
even if the context is a 32-bit context.  So use resolve_name rather
than resolve_name_arch.

Enhance the check of /proc/self/status for Seccomp: so that we do not
enable seccomp policies if seccomp is not built into the kernel.  This
is needed before we can enable by-default seccomp policies (which we
want to do next)

Fix wrong return value check from seccomp_arch_exist, and remove
needless abstraction in arch handling.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 2d5aad5f03e8c3c9658e4d77a28a3abbbffb7b44
      https://github.com/lxc/lxc/commit/2d5aad5f03e8c3c9658e4d77a28a3abbbffb7b44
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M config/templates/Makefile.am
    M config/templates/ubuntu.common.conf.in
    A config/templates/ubuntu.priv.seccomp
    M config/templates/ubuntu.userns.conf.in

  Log Message:
  -----------
  ubuntu containers: use a seccomp filter by default (v2)

Blacklist module loading, kexec, and open_by_handle_at (the cause of the
not-docker-specific dockerinit mounts namespace escape).

This should be applied to all arches, but iiuc stgraber will be doing
some reworking of the commonizations which will simplify that, so I'm
not doing it here.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: ca1b82fb5312fae1ee0fc8b1964c1d56d422fff1
      https://github.com/lxc/lxc/commit/ca1b82fb5312fae1ee0fc8b1964c1d56d422fff1
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M config/templates/Makefile.am

  Log Message:
  -----------
  Include ubuntu.priv.seccomp in dist tarball

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: beb5f0696cf292cf6ebddb2c8e0ee11e60281dd5
      https://github.com/lxc/lxc/commit/beb5f0696cf292cf6ebddb2c8e0ee11e60281dd5
  Author: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  Prevent write_config from corrupting container config

write_config doesn't check the value sig_name function returns,
this causes write_config to produce corrupted container config when
using non-predefined signal names.

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 96324abb7234c5c825b8df022de9f2c92e88c20c
      https://github.com/lxc/lxc/commit/96324abb7234c5c825b8df022de9f2c92e88c20c
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: Fix querying for the current personality

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn at ubuntu.com>


  Commit: fb6c761621909d546756821188adf4e6cc3f4944
      https://github.com/lxc/lxc/commit/fb6c761621909d546756821188adf4e6cc3f4944
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/cgmanager.c

  Log Message:
  -----------
  cgmanager: have cgm_set and cgm_get use absolute path when possible

This allows users to get/set cgroup settings when logged into a different
session than that from which they started the container.

There is no cgmanager command to do an _abs variant of cgmanager_get_value
and cgmanager_set_value.  So we fork off a new task, which enters the
parent cgroup of the started container, then can get/set the value from
there.  The reason not to go straight into the container's cgroup is that
if we are freezing the container, or the container is already frozen, we'll
freeze as well :)  The reason to fork off a new task is that if we are
in a cgroup which is set to remove-on-empty, we may not be able to return
to our original cgroup after making the change.

This should fix https://github.com/lxc/lxc/issues/246

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 08ddf801e315d500d3f4efb681ce675c402ebb67
      https://github.com/lxc/lxc/commit/08ddf801e315d500d3f4efb681ce675c402ebb67
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/cgmanager.c

  Log Message:
  -----------
  cgm_get: make sure @value is null-terminated

Previously this was done by strncpy, but now we just read
the len bytes - not including \0 - from a pipe, so pre-fill
@value with 0s to be safe.

This fixes the python3 api_test failure.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
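
The defect this commit describes (a value read as raw bytes from a pipe, with no terminator sent, then used as a C string) is illustrated below with an added example that is not lxc's cgmanager code. The buffer is allocated one byte larger than the payload and zero-filled before the read, so the terminator is present no matter what the sender wrote. The pipe round-trip helper and its payload are constructed for the demonstration; no fork is needed because the payload fits in the pipe buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read exactly `len` bytes from `fd` into a freshly allocated buffer.
 * The sender transmits no trailing NUL, so the buffer is one byte larger
 * than the payload and zero-filled up front; value[len] is therefore
 * already '\0' when the read completes.  Returns NULL on a short read,
 * read error, or allocation failure (caller frees the result). */
char *read_exact_cstring(int fd, size_t len)
{
    char *value = calloc(len + 1, 1);   /* pre-filled with zeros */
    size_t got = 0;

    if (!value)
        return NULL;

    while (got < len) {
        ssize_t n = read(fd, value + got, len - got);
        if (n <= 0) {                   /* EOF or error before len bytes */
            free(value);
            return NULL;
        }
        got += (size_t)n;
    }
    return value;
}

/* Constructed demo: push `payload` through a pipe WITHOUT its NUL and
 * read it back with read_exact_cstring().  Returns the recovered string
 * (caller frees) or NULL on failure. */
char *roundtrip_through_pipe(const char *payload)
{
    int fds[2];
    size_t len = strlen(payload);
    char *out;

    if (pipe(fds) != 0)
        return NULL;

    /* Small payloads fit in the pipe buffer, so no reader process is needed. */
    if (write(fds[1], payload, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    close(fds[1]);

    out = read_exact_cstring(fds[0], len);
    close(fds[0]);
    return out;
}

int main(void)
{
    /* Constructed sample value; the key/value text is illustrative only. */
    char *s = roundtrip_through_pipe("memory.limit_in_bytes=1048576");

    if (!s) {
        fprintf(stderr, "round-trip failed\n");
        return 1;
    }
    printf("recovered %zu bytes: \"%s\"\n", strlen(s), s);
    free(s);
    return 0;
}
```

Zero-filling up front rather than writing `value[len] = '\0'` afterwards also covers the error paths: if the read loop bails out early, nothing between the bytes received and the end of the buffer is uninitialised.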


  Commit: d6dc38b47639cfb9d48e171f2db7c115f74c76d5
      https://github.com/lxc/lxc/commit/d6dc38b47639cfb9d48e171f2db7c115f74c76d5
  Author: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/confile.c

  Log Message:
  -----------
  Don't call sig_name twice, use pointer instead

Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
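
The two confile.c commits above (beb5f06, which checks the value sig_name returns, and d6dc38b, which calls sig_name once and reuses the pointer) are illustrated together below with an added example that is not lxc's code. The lookup table is a hypothetical stand-in for lxc's own, the fallback of writing the numeric signal value when no name is known is an assumption, and the config key names in the test are illustrative.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical signal-name table; lxc's own table is not reproduced here. */
static const struct {
    int num;
    const char *name;
} signal_names[] = {
    { SIGHUP,  "SIGHUP"  },
    { SIGINT,  "SIGINT"  },
    { SIGKILL, "SIGKILL" },
    { SIGUSR1, "SIGUSR1" },
    { SIGTERM, "SIGTERM" },
};

/* Returns the symbolic name for a signal number, or NULL when the number
 * is not in the table (for example a real-time signal given numerically).
 * A NULL here is the case the writer must handle rather than pass to %s. */
const char *sig_name_lookup(int num)
{
    size_t i;

    for (i = 0; i < sizeof(signal_names) / sizeof(signal_names[0]); i++)
        if (signal_names[i].num == num)
            return signal_names[i].name;
    return NULL;
}

/* Writes one "key = value" config line into buf.  sig_name_lookup() is
 * called exactly once and its result kept in a local; a NULL result falls
 * back to the numeric value (assumed fallback for this example) so the
 * line is never corrupted by formatting a NULL pointer.  The snprintf
 * result is checked too, so a truncated line is never left behind.
 * Returns the number of characters written, or -1 if buf is too small. */
int write_signal_line(char *buf, size_t size, const char *key, int num)
{
    const char *name = sig_name_lookup(num);   /* single call, reused below */
    int n;

    if (name)
        n = snprintf(buf, size, "%s = %s\n", key, name);
    else
        n = snprintf(buf, size, "%s = %d\n", key, num);

    if (n < 0 || (size_t)n >= size) {
        if (size)
            buf[0] = '\0';                     /* discard the partial line */
        return -1;
    }
    return n;
}

int main(void)
{
    char buf[64];

    /* Known name: written symbolically. */
    if (write_signal_line(buf, sizeof buf, "lxc.haltsignal", SIGTERM) > 0)
        fputs(buf, stdout);
    /* Unknown name (e.g. a real-time signal): written numerically. */
    if (write_signal_line(buf, sizeof buf, "lxc.stopsignal", 64) > 0)
        fputs(buf, stdout);
    return 0;
}
```

Both defects share one root cause: a return value that can signal failure (NULL from the lookup, or a length at or beyond the buffer size from snprintf) was used without being tested, so the failure surfaced later as a corrupted configuration file rather than as an error at the point of writing.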
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 1bd3214ff7f39956924baa83a6cfbdd542268b44
      https://github.com/lxc/lxc/commit/1bd3214ff7f39956924baa83a6cfbdd542268b44
  Author: TAMUKI Shoichi <tamuki at linet.gr.jp>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  Fix to work lxc-start with unprivileged containers on recent kernel

Change chown_mapped_root() to map in both the root uid and gid, not
just the uid, so as to work lxc-start with unprivileged containers on
recent kernel.

Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
Signed-off-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 308fddd2e93bd6ae83f089d5a7e914e7134901cf
      https://github.com/lxc/lxc/commit/308fddd2e93bd6ae83f089d5a7e914e7134901cf
  Author: TAMUKI Shoichi <tamuki at linet.gr.jp>
  Date:   2014-06-30 (Mon, 30 Jun 2014)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  Fix to work lxc-destroy with unprivileged containers on recent kernel

Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries
to an existing lxc_conf, not just an ID_TYPE_UID entry, so as to work
lxc-destroy with unprivileged containers on recent kernel.

Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
Acked-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/7ef2c07c25e1...308fddd2e93b

