[lxc-devel] [lxc/lxc] 405634: lxc-net.conf: use +e at teardown

GitHub noreply at github.com
Wed Jul 22 14:13:08 UTC 2015


  Branch: refs/heads/stable-1.0
  Home:   https://github.com/lxc/lxc
  Commit: 4056340ae7ac5b3a6b31a47c5324df7328dccba0
      https://github.com/lxc/lxc/commit/4056340ae7ac5b3a6b31a47c5324df7328dccba0
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-04-06 (Mon, 06 Apr 2015)

  Changed paths:
    M config/init/upstart/lxc-net.conf

  Log Message:
  -----------
  lxc-net.conf: use +e at teardown

When we are shutting down the lxc network, we should not fail when
things go wrong, as that only makes it harder to clean up later.

See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1429140 in particular

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: f547349ea7ef3a6eae6965a95cb5986cd921bd99
      https://github.com/lxc/lxc/commit/f547349ea7ef3a6eae6965a95cb5986cd921bd99
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2015-07-22 (Wed, 22 Jul 2015)

  Changed paths:
    M src/lxc/lxclock.c
    M src/tests/locktests.c

  Log Message:
  -----------
  CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc

This prevents an unprivileged user from using LXC to create arbitrary files
on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


  Commit: 15ec0fd9d490dd5c8a153401360233c6ee947c24
      https://github.com/lxc/lxc/commit/15ec0fd9d490dd5c8a153401360233c6ee947c24
  Author: Stéphane Graber <stgraber at ubuntu.com>
  Date:   2015-07-22 (Wed, 22 Jul 2015)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  CVE-2015-1334: Don't use the container's /proc during attach

A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.

Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/dbbfd438e7c4...15ec0fd9d490

