[lxc-devel] [lxc/lxc] 2d489f: pivot_root: switch to a new mechanism (v2)

GitHub noreply at github.com
Mon Sep 22 21:29:47 UTC 2014


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 2d489f9e87fa0cccd8a1762680a43eeff2fe1b6e
      https://github.com/lxc/lxc/commit/2d489f9e87fa0cccd8a1762680a43eeff2fe1b6e
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-09-22 (Mon, 22 Sep 2014)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/confile.c

  Log Message:
  -----------
  pivot_root: switch to a new mechanism (v2)

This idea came from Andy Lutomirski.  Instead of using a
temporary directory for the pivot_root put-old, use "." both
for new-root and old-root.  Then fchdir into the old root
temporarily in order to unmount the old-root, and finally
chdir back into our '/'.

Drop lxc.pivotdir from the lxc.container.conf manpage.

Warn when we see a lxc.pivotdir entry (but keep it in the
lxc.conf for now).

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
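The pivot sequence described in the message, as an added example in C. This is not LXC's conf.c code; it is a stand-alone illustration of the same ".", "." idea. Assumptions: it runs with CAP_SYS_ADMIN in a fresh, private mount namespace (the main() below creates one), the target directory is made a mount point by bind-mounting it onto itself when it is not one already (pivot_root(2) requires that; the message does not spell it out), and the MS_SLAVE step before the detach is a defensive addition against mount-event propagation, not something the message describes. The is_mountpoint() helper and fresh_tmpdir_is_mountpoint() self-check are also additions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if `path` is the root of a mount, 0 if not, -1 on error.
 * st_dev catches ordinary mounts and "/" is its own parent; a bind mount of
 * a directory on the same filesystem keeps the same st_dev, so those are
 * found by looking for the path in field 5 of /proc/self/mountinfo. */
int is_mountpoint(const char *path)
{
    struct stat self, parent;
    char buf[PATH_MAX], real[PATH_MAX], mp[PATH_MAX];
    FILE *f;
    int found = 0;

    if (stat(path, &self) < 0)
        return -1;
    snprintf(buf, sizeof buf, "%s/..", path);
    if (stat(buf, &parent) < 0)
        return -1;
    if (self.st_dev != parent.st_dev)   /* crossed a filesystem boundary */
        return 1;
    if (self.st_ino == parent.st_ino)   /* "/" (or a chroot root) */
        return 1;
    if (!realpath(path, real))
        return -1;
    f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return 0;
    while (fgets(buf, sizeof buf, f)) {
        /* fields: id parent major:minor root mountpoint ... */
        if (sscanf(buf, "%*s %*s %*s %*s %4095s", mp) == 1 &&
            strcmp(mp, real) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Make `newroot` the root of the calling mount namespace without a put_old
 * scratch directory.  Returns 0 on success, -1 with errno set. */
int pivot_into(const char *newroot)
{
    int oldroot, saved;

    /* pivot_root needs new_root to be a mount point; a recursive self
     * bind mount is the usual way to guarantee that (assumption). */
    if (is_mountpoint(newroot) != 1 &&
        mount(newroot, newroot, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    /* Keep a handle on the old root so we can reach it after the pivot. */
    oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
    if (oldroot < 0)
        return -1;
    if (chdir(newroot) < 0)
        goto fail;
    /* new_root and put_old are both ".": the old root mount ends up stacked
     * on top of the new root's mount point. */
    if (syscall(SYS_pivot_root, ".", ".") < 0)
        goto fail;
    /* Step onto the old root via the saved fd ... */
    if (fchdir(oldroot) < 0)
        goto fail;
    /* ... make sure the detach cannot propagate outwards (defensive) ... */
    if (mount(NULL, ".", NULL, MS_SLAVE | MS_REC, NULL) < 0)
        goto fail;
    /* ... lazily detach it (it is busy: our cwd is on it) ... */
    if (umount2(".", MNT_DETACH) < 0)
        goto fail;
    /* ... and finally land in the new "/". */
    if (chdir("/") < 0)
        goto fail;
    close(oldroot);
    return 0;
fail:
    saved = errno;
    close(oldroot);
    errno = saved;
    return -1;
}

/* Self-check: a freshly created, unmounted temp directory must not look
 * like a mount point.  Returns is_mountpoint()'s verdict for it (0). */
int fresh_tmpdir_is_mountpoint(void)
{
    char tmpl[] = "/tmp/pivot-demo-XXXXXX";
    int r;
    if (!mkdtemp(tmpl))
        return -1;
    r = is_mountpoint(tmpl);
    rmdir(tmpl);
    return r;
}

/* Usage (as root): ./pivot <rootfs-dir>  ->  drops you into a shell whose
 * "/" is rootfs-dir, with the host root no longer reachable. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <new-root-dir>\n", argv[0]);
        return 2;
    }
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    /* Our mount changes must not leak back into the parent namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
        perror("mount MS_PRIVATE"); return 1;
    }
    if (pivot_into(argv[1]) < 0) { perror("pivot_into"); return 1; }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

After pivot_into() returns, `cat /proc/self/mountinfo` (if /proc is mounted inside the new root) should show no trace of the host root; if the old root is still listed, the umount2 step did not detach it and the container can still walk into the host filesystem through the stacked mount.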


  Commit: 7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef
      https://github.com/lxc/lxc/commit/7aff4f43fd84b021db12b2ffed1a4aa1b4cf65ef
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-09-22 (Mon, 22 Sep 2014)

  Changed paths:
    M src/lxc/attach.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/lsm/apparmor.c
    M src/lxc/lsm/lsm.c
    M src/lxc/lsm/lsm.h
    M src/lxc/lsm/nop.c
    M src/lxc/lsm/selinux.c
    M src/lxc/start.c
    M src/tests/Makefile.am
    A src/tests/lxc-test-apparmor-mount

  Log Message:
  -----------
  apparmor: improve behavior when kernel lacks mount restrictions (v2)

(Dwight, I took the liberty of adding your Ack but the code did
change a bit to continue passing the char *label from attach.
Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
does attach you to the p2 profile)

Apparmor policies require mount restrictions to fulfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only accidents, not
malice.

The mount restrictions are not available in the upstream kernel.
We can detect their presence through /sys.  In the past, when
we detected it missing, we would not enable apparmor.  But that
prevents apparmor from helping to prevent accidents.

At the same time, if the user accidentally boots a kernel which
has regressed, we do not want them starting the container thinking
they are more protected than they are.

This patch:

1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
not set, then any container which is not set to run unconfined
will refuse to run.  If set, then the container will run with
apparmor protection.

2. to pass this flag to the apparmor driver, we pass the container
configuration (lxc_conf) to the lsm_label_set hook.

3. add a testcase.  To test the case where a kernel does not
provide mount restrictions, we mount an empty directory over
the /sys/kernel/security/apparmor/features/mount directory.  In
order to have that not be unmounted in a new namespace, we must
test using unprivileged containers (who cannot remove bind mounts
which hide existing mount contents).

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 85108024bda372e0bbdae9dc1858948987947ef7
      https://github.com/lxc/lxc/commit/85108024bda372e0bbdae9dc1858948987947ef7
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-09-22 (Mon, 22 Sep 2014)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  apparmor: make sure sysfs and securityfs are mounted when checking for mount feature

Otherwise the check will return false if securityfs was not mounted
by the container's configuration.  In the past we let that quietly
proceed, but unconfined.  Now that we restrict such container
starts, this caused lxc-test-apparmor to fail.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Dwight Engen <dwight.engen at oracle.com>
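The kernel-feature check and the lxc.aa_allow_incomplete decision from the "improve behavior when kernel lacks mount restrictions" message, together with the securityfs precondition from the message just above, as an added shell example. This is not LXC's lsm/apparmor.c code. Assumptions: the check treats an empty features/mount directory as "feature missing", which is what the page's test case produces by mounting an empty directory over it; the file name `mask` used to populate the constructed tree is a placeholder (the page only names the directory); the optional root-directory argument is a hypothetical override so the logic can be exercised against a constructed tree instead of the real /sys.

```sh
#!/bin/sh
# Added example: probe for AppArmor mount restrictions via /sys and apply the
# lxc.aa_allow_incomplete policy.  The optional root argument (default /sys)
# exists only so the logic can be tested against a constructed tree.

# Make securityfs visible under $1/kernel/security.  Mounting needs
# CAP_SYS_ADMIN; a failed mount simply makes the feature check fail, which
# is the situation the third commit in this batch fixes.
ensure_securityfs() {
    sec="$1/kernel/security"
    [ -d "$sec/apparmor" ] && return 0
    mount -t securityfs securityfs "$sec" 2>/dev/null
    [ -d "$sec/apparmor" ]
}

# 0 when the kernel exposes AppArmor mount rules.  An empty features/mount
# directory (an empty directory mounted over the real one) counts as absent.
aa_mount_restrictions_available() {
    root="${1:-/sys}"
    ensure_securityfs "$root" || return 1
    d="$root/kernel/security/apparmor/features/mount"
    [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]
}

# What lxc-start should do.  Args: profile, allow_incomplete (0/1), root.
# Prints the decision; returns 0 for "start", 1 for "refuse".
aa_start_decision() {
    profile="$1"; allow_incomplete="$2"; root="${3:-/sys}"
    if [ "$profile" = "unconfined" ]; then
        echo "start: unconfined, AppArmor not applied"
        return 0
    fi
    if aa_mount_restrictions_available "$root"; then
        echo "start: confined by $profile with mount restrictions"
        return 0
    fi
    if [ "$allow_incomplete" = "1" ]; then
        echo "start: confined by $profile WITHOUT mount restrictions (lxc.aa_allow_incomplete=1)"
        return 0
    fi
    echo "refuse: kernel lacks AppArmor mount restrictions;" \
         "set lxc.aa_allow_incomplete=1 or lxc.aa_profile=unconfined" >&2
    return 1
}

# Constructed sysfs tree for offline exercise.  $1 = target dir,
# $2 = "full" (mount feature present) or "regressed" (directory present
# but empty, as after the page's mount-an-empty-dir-over-it trick).
make_fake_sysfs() {
    mkdir -p "$1/kernel/security/apparmor/features/mount"
    [ "$2" = "full" ] && : > "$1/kernel/security/apparmor/features/mount/mask"
    return 0
}

# Stand-alone use against the real /sys: sh aa-check.sh <profile> <0|1>
if [ "$#" -ge 2 ]; then
    aa_start_decision "$1" "$2"
fi
```

Run as root against the real tree, `sh aa-check.sh lxc-container-default 0` mounts securityfs if needed and refuses on a kernel without the mount feature, which is the same outcome a container with the default profile and no lxc.aa_allow_incomplete gets after these commits.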


  Commit: dc18b2c96efdf4da533e765327bee9e5dd17e121
      https://github.com/lxc/lxc/commit/dc18b2c96efdf4da533e765327bee9e5dd17e121
  Author: Masami Ichikawa <masami256 at gmail.com>
  Date:   2014-09-22 (Mon, 22 Sep 2014)

  Changed paths:
    M src/python-lxc/lxc.c

  Log Message:
  -----------
Fix build error (ISO C90 spec violation) in lxc.c

This patch fixes the following build errors.

running build_ext
building '_lxc' extension
creating build/temp.linux-x86_64-3.4
gcc -pthread -Wno-unused-result -Werror=declaration-after-statement -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -fPIC -I../../src -I../../src -I/usr/include/python3.4m -c lxc.c -o ./build/temp.linux-x86_64-3.4/lxc.o
lxc.c: In function ‘convert_tuple_to_char_pointer_array’:
lxc.c:49:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char **result = (char**) calloc(argc + 1, sizeof(char*));
     ^
lxc.c:60:9: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   char *str = NULL;
   ^
lxc.c: In function ‘Container_get_cgroup_item’:
lxc.c:822:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_config_item’:
lxc.c:861:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
lxc.c: In function ‘Container_get_keys’:
lxc.c:903:5: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
     char* value = (char*) malloc(sizeof(char)*len + 1);
     ^
cc1: some warnings being treated as errors
error: command 'gcc' failed with exit status 1
Makefile:472: recipe for target 'all' failed
make[3]: *** [all] Error 1
make[3]: Leaving directory '/home/masami/codes/lxc/src/python-lxc'
Makefile:394: recipe for target 'all-recursive' failed
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:338: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/home/masami/codes/lxc/src'
Makefile:484: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1

build env:
distribution: Arch Linux
gcc version 4.9.1 20140903 (prerelease) (GCC)

Signed-off-by: Masami Ichikawa <masami256 at gmail.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 93c709b23108300d780011a41069ae4239ad1096
      https://github.com/lxc/lxc/commit/93c709b23108300d780011a41069ae4239ad1096
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-09-22 (Mon, 22 Sep 2014)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  document the new lxc.aa_allow_incomplete flag

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/01db01975192...93c709b23108

