[lxc-devel] [lxc/lxc] d65239: tests: lxc-test-apparmor-mount: show a log on erro...

Thu Jul 26 04:04:34 UTC 2018

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: d6523915861f2289505a11140874001099dfdfdc
      https://github.com/lxc/lxc/commit/d6523915861f2289505a11140874001099dfdfdc
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-24 (Tue, 24 Jul 2018)

  Changed paths:
    M src/tests/lxc-test-apparmor-mount

  Log Message:
  -----------
  tests: lxc-test-apparmor-mount: show a log on error

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 39e2cbec3cc9f49e3edd65b2aa4bdd3983a25fea
      https://github.com/lxc/lxc/commit/39e2cbec3cc9f49e3edd65b2aa4bdd3983a25fea
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-24 (Tue, 24 Jul 2018)

  Changed paths:
    M src/tests/lxc-test-apparmor-mount

  Log Message:
  -----------
  tests: lxc-test-apparmor-mount: check environment early

don't kill all my processes when running it as user...

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: c68d5b0dd63ea8226698ae3ff8a5336a60c171c3
      https://github.com/lxc/lxc/commit/c68d5b0dd63ea8226698ae3ff8a5336a60c171c3
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-24 (Tue, 24 Jul 2018)

  Changed paths:
    M src/lxc/lsm/apparmor.c
    M src/lxc/lsm/lsm.c

  Log Message:
  -----------
  lsm: fixup lsm_process_label_set_at return values

Always return -1 on error (some code paths returned -1, some
returned negative error codes), don't assume 'errno' is set
afterwards, as the function already prints errors and not
all code paths will have a usable errno value.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 7e556d185c49ff99825612bc7d6c93afc34113c8
      https://github.com/lxc/lxc/commit/7e556d185c49ff99825612bc7d6c93afc34113c8
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M src/lxc/lsm/apparmor.c

  Log Message:
  -----------
  apparmor: use fopen_cloexec

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: eb5c2e6aeef233c4f3349d182e5c25315cca8de8
      https://github.com/lxc/lxc/commit/eb5c2e6aeef233c4f3349d182e5c25315cca8de8
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  utils: add must_concat helper

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 6e6aca3e3e71ae0cfad69456acd1dc503feaf964
      https://github.com/lxc/lxc/commit/6e6aca3e3e71ae0cfad69456acd1dc503feaf964
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M config/apparmor/abstractions/container-base.in
    M config/apparmor/profiles/lxc-default-cgns
    M config/apparmor/profiles/lxc-default-with-nesting

  Log Message:
  -----------
  apparmor: update current profiles

remove cgmanager rules and add fstype=cgroup2 variants for
the existing fstype=cgroup rules

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 1800f9247357948fd11c9da73b1943a8a7b6882b
      https://github.com/lxc/lxc/commit/1800f9247357948fd11c9da73b1943a8a7b6882b
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M configure.ac
    M src/lxc/Makefile.am
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/criu.c
    M src/lxc/lsm/apparmor.c
    M src/lxc/lsm/lsm.c
    M src/lxc/lsm/lsm.h
    M src/lxc/lsm/nop.c
    M src/lxc/lsm/selinux.c
    M src/lxc/start.c

  Log Message:
  -----------
  apparmor: profile generation

This copies lxd's apparmor profile generation. This tries to
detect features such as cgroup namespaces, apparmor
namespaces and stacking support, and has profile parts
conditionally for unprivileged containers.

This introduces the following changes to the configuration:
  lxc.apparmor.profile = generated
    The fixed value 'generated' will cause this
    functionality to be used, otherwise there should be no
    functional changes happening unless specifically
    requested with the next key:
  lxc.apparmor.allow_nesting
    This is a boolean which, if enabled, causes the
    following changes: When generated apparmor profiles are
    used, they will contain the necessary changes to allow
    creating a nested container. In addition to the usual
    mount points, /dev/.lxc/proc and /dev/.lxc/sys will
    contain procfs and sysfs mount points without the lxcfs
    overlays, which, if generated apparmor profiles are
    being used, will not be read/writable directly.
  lxc.apparmor.raw
    A list of raw apparmor profile lines to append to the
    profile. Only valid when using generated profiles.

The following apparmor profile lines have not been copied
from lxd:

  mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,
  mount none -> /var/lib/lxd/shmounts/,
  mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,

They should be added via lxc.apparmor.raw entries by lxd.

In order for apparmor_parser's cache to be of use, this adds
a --with-apparmor-cache-dir ./configure option.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 242a9fa7ee7e9f524de5a23917faa846ea525622
      https://github.com/lxc/lxc/commit/242a9fa7ee7e9f524de5a23917faa846ea525622
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M config/apparmor/abstractions/start-container

  Log Message:
  -----------
  apparmor: allow start-container to change to lxc-**

For generated profiles with apparmor namespaces we get
profile names with slashes in them. To match those, we need
to allow changing to lxc-**, not just lxc-*.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: e7311a84e5bd0758931033b1a0ce649baa720a58
      https://github.com/lxc/lxc/commit/e7311a84e5bd0758931033b1a0ce649baa720a58
  Author: Wolfgang Bumiller <w.bumiller at proxmox.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M src/tests/Makefile.am
    A src/tests/lxc-test-apparmor-generated

  Log Message:
  -----------
  tests: add test for generated apparmor profiles

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

  Commit: 400081550b553935f557c07eb8cda807a534d319
      https://github.com/lxc/lxc/commit/400081550b553935f557c07eb8cda807a534d319
  Author: Serge Hallyn <serge at hallyn.com>
  Date:   2018-07-25 (Wed, 25 Jul 2018)

  Changed paths:
    M config/apparmor/abstractions/container-base.in
    M config/apparmor/abstractions/start-container
    M config/apparmor/profiles/lxc-default-cgns
    M config/apparmor/profiles/lxc-default-with-nesting
    M configure.ac
    M src/lxc/Makefile.am
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/criu.c
    M src/lxc/lsm/apparmor.c
    M src/lxc/lsm/lsm.c
    M src/lxc/lsm/lsm.h
    M src/lxc/lsm/nop.c
    M src/lxc/lsm/selinux.c
    M src/lxc/start.c
    M src/lxc/utils.c
    M src/lxc/utils.h
    M src/tests/Makefile.am
    A src/tests/lxc-test-apparmor-generated
    M src/tests/lxc-test-apparmor-mount

  Log Message:
  -----------
  Merge pull request #2479 from Blub/apparmor-profiles

RFC: Generated Apparmor profiles, namespaces, stacking

Compare: https://github.com/lxc/lxc/compare/434381b00b28...400081550b55
      **NOTE:** This service been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.