[lxc-devel] [lxc/lxc] 5a46f2: conf, confile: add option for PR_SET_NO_NEW_PRIVS
GitHub
noreply at github.com
Fri Sep 16 01:35:23 UTC 2016
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 5a46f2831ee8444c6146345dd0e0ec2a83e4e761
https://github.com/lxc/lxc/commit/5a46f2831ee8444c6146345dd0e0ec2a83e4e761
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M src/lxc/conf.h
M src/lxc/confile.c
Log Message:
-----------
conf, confile: add option for PR_SET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 029cdff5822b155245df6355e1a774ceb4f415f7
https://github.com/lxc/lxc/commit/029cdff5822b155245df6355e1a774ceb4f415f7
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M src/lxc/start.c
Log Message:
-----------
start: set PR_SET_NO_NEW_PRIVS when requested
Set no_new_privs after setting the lsm label. If we do set it before we aren't
allowed to change the label anymore.
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 1325da7eae056474fcb0e7362927d53e29e4ca2f
https://github.com/lxc/lxc/commit/1325da7eae056474fcb0e7362927d53e29e4ca2f
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M src/lxc/attach_options.h
Log Message:
-----------
attach_options: add LXC_ATTACH_NO_NEW_PRIVS
Add a flag for PR_SET_NO_NEW_PRIVS. It is off by default.
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: ff07d7bb5a3e056eb51e5fe259c79d113435eca5
https://github.com/lxc/lxc/commit/ff07d7bb5a3e056eb51e5fe259c79d113435eca5
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: call lxc_container_new() earlier
We will reuse the newly initialized container for PR_SET_NO_NEW_PRIVS.
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 2e812c16a502b03abe79ee00025de50d1928ad5e
https://github.com/lxc/lxc/commit/2e812c16a502b03abe79ee00025de50d1928ad5e
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: use PR_SET_NO_NEW_PRIVS
- When we detect that the container we want to attach to has been started with
PR_SET_NO_NEW_PRIVS we attach with PR_SET_NO_NEW_PRIVS as well. (We might
relax this restriction later but let's be strict for now.)
- When LXC_ATTACH_NO_NEW_PRIVS is set in the flags passed to
lxc_attach()/attach_child_main() then we set PR_SET_NO_NEW_PRIVS irrespective
of whether the container was started with PR_SET_NO_NEW_PRIVS or not.
- Set no_new_privs before lsm and seccomp. We probably don't want attach() to
be able to change the lsm or seccomp policy if the container was started with
PR_SET_NO_NEW_PRIVS enabled.
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 222ddc91a818cba50fe23c5166f7662d3da84622
https://github.com/lxc/lxc/commit/222ddc91a818cba50fe23c5166f7662d3da84622
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-05 (Mon, 05 Sep 2016)
Changed paths:
M doc/lxc.container.conf.sgml.in
Log Message:
-----------
doc: add lxc.no_new_privs to lxc.container.conf
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 955e2a0237c7d914fc7561018ebff4970a8b12df
https://github.com/lxc/lxc/commit/955e2a0237c7d914fc7561018ebff4970a8b12df
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-06 (Tue, 06 Sep 2016)
Changed paths:
M configure.ac
M src/lxc/attach.c
M src/lxc/start.c
Log Message:
-----------
attach, start: declare PR_{S,G}PR_GET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: bca94305afabaa7c115d7732844230435b766169
https://github.com/lxc/lxc/commit/bca94305afabaa7c115d7732844230435b766169
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-09-06 (Tue, 06 Sep 2016)
Changed paths:
M src/tests/Makefile.am
A src/tests/lxc-test-no-new-privs
Log Message:
-----------
tests: add test for PR_SET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: a307c271461c68ca8987fbde74e54ca4b4f57b28
https://github.com/lxc/lxc/commit/a307c271461c68ca8987fbde74e54ca4b4f57b28
Author: Serge Hallyn <serge at hallyn.com>
Date: 2016-09-15 (Thu, 15 Sep 2016)
Changed paths:
M configure.ac
M doc/lxc.container.conf.sgml.in
M src/lxc/attach.c
M src/lxc/attach_options.h
M src/lxc/conf.h
M src/lxc/confile.c
M src/lxc/start.c
M src/tests/Makefile.am
A src/tests/lxc-test-no-new-privs
Log Message:
-----------
Merge pull request #1166 from brauner/2016-09-02/no_new_privileges
implement PR_SET_NO_NEW_PRIVS in liblxc
Compare: https://github.com/lxc/lxc/compare/18000bb3a3cd...a307c271461c
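
Added example (not code from this push or from the LXC project): a small C probe of the kernel behaviour the "attach: use PR_SET_NO_NEW_PRIVS" commit relies on, showing that no_new_privs can be set but never cleared and that it is inherited across fork(). The function name probe_no_new_privs and the NNP_* bit names are hypothetical; the fallback defines use the Linux UAPI values for the two prctl options.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older libc headers may lack these; the values are the Linux UAPI ones. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Hypothetical result bits for this example. */
enum { NNP_SET_OK = 1, NNP_READS_BACK = 2, NNP_CLEAR_REFUSED = 4, NNP_INHERITED = 8 };

/* Runs in a throwaway child so the caller's own flag is left untouched.
 * Returns a bitmask of NNP_* observations, or -1 on fork/wait failure. */
int probe_no_new_privs(void)
{
    int status, seen = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
            seen |= NNP_SET_OK;
        if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1)
            seen |= NNP_READS_BACK;
        /* One-way flag: the kernel rejects any value other than 1. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL)
            seen |= NNP_CLEAR_REFUSED;
        /* A process forked afterwards starts with the flag already set. */
        pid_t gc = fork();
        if (gc == 0)
            _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 0 : 1);
        if (gc > 0 && waitpid(gc, &status, 0) == gc &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0)
            seen |= NNP_INHERITED;
        _exit(seen);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("no_new_privs observations: 0x%x\n", probe_no_new_privs());
    return 0;
}
```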