[lxc-devel] [lxc/lxc] 4fef78: container.conf: Add option to set keyring SELinux ...

Christian Brauner noreply at github.com
Fri Jan 31 14:56:58 UTC 2020


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 4fef78bc332a2d186dca6f1c29952a0ec5423217
      https://github.com/lxc/lxc/commit/4fef78bc332a2d186dca6f1c29952a0ec5423217
  Author: Maximilian Blenk <Maximilian.Blenk at bmw.de>
  Date:   2020-01-31 (Fri, 31 Jan 2020)

  Changed paths:
    M config/selinux/lxc.te
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/lsm/lsm.c
    M src/lxc/lsm/lsm.h
    M src/lxc/lsm/selinux.c
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  container.conf: Add option to set keyring SELinux context

lxc sets up a new session keyring for every container by default.
If executed on an SELinux enabled system, by default, the keyring
inherits the label of the creating process. If executed with the
currently available SELinux policy, this means that the keyring
is labeled with the lxc_t type. Applications inside the container,
however, might expect that the keyring is labeled with a certain
context (and will fail to access the keyring if it's not explicitly
allowed in the global policy). This patch introduces the config
option lxc.selinux.context.keyring which allows specifying the
label of the newly created keyring. That is, the keyring can be
labeled with the label expected by the started application.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk at bmw.de>
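The following is an added diagnostic, not code from the LXC project or from the patch author. It does what an application inside a container would do after lxc has set up the session keyring: join a fresh anonymous session keyring (KEYCTL_JOIN_SESSION_KEYRING), read its LSM label with KEYCTL_GET_SECURITY, and compare the type field of that label against the type the application expects. The expected type defaults to lxc_t (the type the commit message names as the current default); the sample context string "system_u:system_r:lxc_t:s0" used by the parser is constructed for illustration. On a kernel without an LSM that labels keys, the kernel returns an empty string and the program reports that instead of a mismatch.

```c
/* Added example (not LXC's own code): inspect the SELinux label of a
 * freshly joined session keyring, i.e. what an application inside a
 * container sees after lxc creates one.  The keyctl calls are the real
 * kernel interface; the context strings in comments and tests are
 * constructed sample input. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

/* Key serial numbers are 32-bit signed ints (as in keyutils.h). */
typedef int32_t key_serial_t;

/* Join (create) a new anonymous session keyring, as lxc does by default.
 * The new keyring inherits the SELinux label of the calling process. */
static key_serial_t join_session_keyring(void)
{
    return (key_serial_t)syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL);
}

/* Copy the LSM label of a key into buf.  Returns the length of the label
 * including the terminating NUL (1 for an empty label), or -1 with errno. */
static long get_key_label(key_serial_t key, char *buf, size_t len)
{
    return syscall(SYS_keyctl, KEYCTL_GET_SECURITY, key, buf, len);
}

/* Extract the type field (third colon-separated field) of an SELinux
 * context such as "system_u:system_r:lxc_t:s0" into out.  Returns 0 on
 * success, -1 if there are fewer than three fields, the type is empty,
 * or out is too small. */
int selinux_context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        const char *colon = strchr(p, ':');
        if (!colon)
            return -1;
        p = colon + 1;
    }
    size_t n = strcspn(p, ":");
    if (n == 0 || n + 1 > outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the label's type equals expected_type, 0 if it differs,
 * -1 if the label cannot be parsed as an SELinux context. */
int keyring_type_matches(const char *label, const char *expected_type)
{
    char type[64];
    if (selinux_context_type(label, type, sizeof type) < 0)
        return -1;
    return strcmp(type, expected_type) == 0;
}

int main(int argc, char **argv)
{
    /* Type the application expects; lxc_t is the default named above. */
    const char *want = argc > 1 ? argv[1] : "lxc_t";

    key_serial_t kr = join_session_keyring();
    if (kr < 0) {
        perror("KEYCTL_JOIN_SESSION_KEYRING");
        return 1;
    }

    char label[256];
    long n = get_key_label(kr, label, sizeof label);
    if (n < 0) {
        perror("KEYCTL_GET_SECURITY");
        return 1;
    }
    /* Without a labelling LSM the kernel hands back an empty string. */
    if (n <= 1 || label[0] == '\0') {
        printf("session keyring %d carries no LSM label\n", kr);
        return 0;
    }
    printf("session keyring %d label: %s\n", kr, label);

    switch (keyring_type_matches(label, want)) {
    case 1:
        printf("keyring type matches expected %s\n", want);
        return 0;
    case 0:
        printf("keyring type does NOT match expected %s\n", want);
        return 2;
    default:
        printf("could not parse keyring label\n");
        return 1;
    }
}
```

Run it inside the container as the application's user, passing the type the application expects (for example the value given to lxc.selinux.context.keyring); an exit status of 2 means the keyring was created with a different type, which is the situation the option exists to fix.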


  Commit: 8f818a845432b36b3b344a24ae9dee596bac4687
      https://github.com/lxc/lxc/commit/8f818a845432b36b3b344a24ae9dee596bac4687
  Author: Maximilian Blenk <Maximilian.Blenk at bmw.de>
  Date:   2020-01-31 (Fri, 31 Jan 2020)

  Changed paths:
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/confile_utils.c
    M src/lxc/confile_utils.h

  Log Message:
  -----------
  container.conf: Add option to disable session keyring creation

lxc sets up a new session keyring for every container by default.
There might be valid use-cases where this is not wanted / needed
(e.g. systemd by default creates a new session keyring anyway).

Signed-off-by: Maximilian Blenk <Maximilian.Blenk at bmw.de>


  Commit: ad36e96a3d54667dcde6f124a8c36d8e7bdbc4a3
      https://github.com/lxc/lxc/commit/ad36e96a3d54667dcde6f124a8c36d8e7bdbc4a3
  Author: Maximilian Blenk <Maximilian.Blenk at bmw.de>
  Date:   2020-01-31 (Fri, 31 Jan 2020)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: Add doc for keyring options

Signed-off-by: Maximilian Blenk <Maximilian.Blenk at bmw.de>


  Commit: a8b9febda3102c98468586bc59c69f899f7f1f19
      https://github.com/lxc/lxc/commit/a8b9febda3102c98468586bc59c69f899f7f1f19
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2020-01-31 (Fri, 31 Jan 2020)

  Changed paths:
    M config/selinux/lxc.te
    M doc/lxc.container.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/confile_utils.c
    M src/lxc/confile_utils.h
    M src/lxc/lsm/lsm.c
    M src/lxc/lsm/lsm.h
    M src/lxc/lsm/selinux.c
    M src/lxc/utils.c
    M src/lxc/utils.h

  Log Message:
  -----------
  Merge pull request #3260 from blenk92/add-keyring-option

Add keyring option


Compare: https://github.com/lxc/lxc/compare/f5a15e1e3d92...a8b9febda310

