[lxc-devel] [lxc/lxc] a19b97: conf: write "deny" to /proc/[pid]/setgroups
GitHub
noreply at github.com
Thu Jan 4 16:26:03 UTC 2018
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: a19b974f42d4ceff13f605e5a7194502dee1dfa0
https://github.com/lxc/lxc/commit/a19b974f42d4ceff13f605e5a7194502dee1dfa0
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-01-04 (Thu, 04 Jan 2018)
Changed paths:
M src/lxc/cgroups/cgfsng.c
M src/lxc/conf.c
M src/lxc/conf.h
M src/lxc/start.c
Log Message:
-----------
conf: write "deny" to /proc/[pid]/setgroups
When fully unprivileged users run a container that only maps their own {g,u}id
and they do not have access to setuid new{g,u}idmap binaries we will write the
idmapping directly. This however requires us to write "deny" to
/proc/[pid]/setgroups otherwise any write to /proc/[pid]/gid_map will be
denied.
On a side note, this patch enables fully unprivileged containers. If you now set
lxc.net.[i].type = empty no privilege whatsoever is required to run a container.
Enhances #2033.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Cc: Felix Abecassis <fabecassis at nvidia.com>
Cc: Jonathan Calmels <jcalmels at nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: c7e345ae1f1c6b976ec1e6ae47f188567846d829
https://github.com/lxc/lxc/commit/c7e345ae1f1c6b976ec1e6ae47f188567846d829
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-01-04 (Thu, 04 Jan 2018)
Changed paths:
M src/lxc/conf.c
M src/lxc/conf.h
Log Message:
-----------
conf: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: dcf0ffdf41990872151f8d33a9a81a93bbeb9d24
https://github.com/lxc/lxc/commit/dcf0ffdf41990872151f8d33a9a81a93bbeb9d24
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-01-04 (Thu, 04 Jan 2018)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
conf: rework userns_exec_1()
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: bd8ef4e4da956e0eba0cced93036a4edec20f8f6
https://github.com/lxc/lxc/commit/bd8ef4e4da956e0eba0cced93036a4edec20f8f6
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-01-04 (Thu, 04 Jan 2018)
Changed paths:
M src/lxc/cgroups/cgfsng.c
Log Message:
-----------
cgfsng: only establish mapping once
When we deleted cgroups for unprivileged containers we used to allocate a new
mapping and clone a new user namespace each time we delete a cgroup. This of
course meant - on a cgroup v1 system - doing this >= 10 times when all
controllers were used. Let's not do this and only allocate and establish a
mapping once.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
Commit: a3f5fbb39a691bc8ad6f55fff9c65a4b527f580c
https://github.com/lxc/lxc/commit/a3f5fbb39a691bc8ad6f55fff9c65a4b527f580c
Author: Serge Hallyn <serge at hallyn.com>
Date: 2018-01-04 (Thu, 04 Jan 2018)
Changed paths:
M src/lxc/cgroups/cgfsng.c
M src/lxc/conf.c
M src/lxc/conf.h
M src/lxc/start.c
Log Message:
-----------
Merge pull request #2067 from brauner/2018-01-03/allow_fully_unprivileged_containers
conf: write "deny" to /proc/[pid]/setgroups
Compare: https://github.com/lxc/lxc/compare/4f5e5b78c864...a3f5fbb39a69
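
The sequence described in the log message of commit a19b97, as an added example that is not taken from the LXC source: after unshare(CLONE_NEWUSER), write "deny" to setgroups and then a one-entry map of the caller's own uid and gid. The names write_proc_file() and write_own_idmap() and the procdir parameter are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write val to <dir>/<name>; returns 0 on success or -errno. */
static int write_proc_file(const char *dir, const char *name, const char *val)
{
	char path[256];
	ssize_t n;
	int fd, ret;

	snprintf(path, sizeof(path), "%s/%s", dir, name);
	fd = open(path, O_WRONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	n = write(fd, val, strlen(val));
	ret = n < 0 ? -errno : (n == (ssize_t)strlen(val) ? 0 : -EIO);
	close(fd);
	return ret;
}

/* Hypothetical helper: map id 0 in the namespace to the caller's own uid/gid. */
int write_own_idmap(const char *procdir, uid_t uid, gid_t gid)
{
	char map[32];
	int ret;

	/* Without CAP_SETGID in the parent namespace the kernel refuses the
	 * gid_map write unless setgroups has been set to "deny" first. */
	if ((ret = write_proc_file(procdir, "setgroups", "deny")) < 0)
		return ret;
	snprintf(map, sizeof(map), "0 %u 1\n", (unsigned)uid);
	if ((ret = write_proc_file(procdir, "uid_map", map)) < 0)
		return ret;
	snprintf(map, sizeof(map), "0 %u 1\n", (unsigned)gid);
	return write_proc_file(procdir, "gid_map", map);
}

int main(void)
{
	uid_t uid = geteuid(); /* read the ids before unshare() */
	gid_t gid = getegid();

	if (unshare(CLONE_NEWUSER) < 0 || write_own_idmap("/proc/self", uid, gid) < 0)
		return 1; /* e.g. unprivileged user namespaces are disabled */
	printf("uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
	return 0;
}
```

Run as an ordinary user on a kernel with unprivileged user namespaces enabled, the program prints uid=0 gid=0.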