git.ipfire.org Git - thirdparty/lxc.git/log

]> git.ipfire.org Git - thirdparty/lxc.git/log

projects / thirdparty / lxc.git / log

commit | commitdiff | tree

Christian Brauner [Wed, 8 Aug 2018 11:05:45 +0000 (13:05 +0200)]

macro: move network macros from utils.h

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Tue, 6 Feb 2018 19:16:40 +0000 (20:16 +0100)]

netns: allocate network namespace id

Start to allocate a new network namespace id for each container.

Relates to https://github.com/lxc/lxd/issues/4831.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Stéphane Graber [Mon, 6 Aug 2018 16:34:44 +0000 (12:34 -0400)]

Merge pull request #2513 from brauner/2018-08-06/fix_busybox

templates: avoid endless loop

commit | commitdiff | tree

Christian Brauner [Wed, 25 Jul 2018 17:56:54 +0000 (19:56 +0200)]

CVE 2018-6556: verify netns fd in lxc-user-nic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Mon, 6 Aug 2018 14:43:35 +0000 (16:43 +0200)]

templates: avoid endless loop

Closes #2512.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Mon, 6 Aug 2018 09:35:35 +0000 (11:35 +0200)]

Merge pull request #2495 from 2xsec/bugfix

add default log priority & cleanups

commit | commitdiff | tree

Christian Brauner [Mon, 6 Aug 2018 09:32:33 +0000 (11:32 +0200)]

Merge pull request #2511 from 2xsec/coverity

fix coverity issues

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 07:57:53 +0000 (16:57 +0900)]

coverity: #1438232

Failure to restore non-local value

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 05:36:05 +0000 (14:36 +0900)]

pam_cgfs: cleanups

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 05:11:46 +0000 (14:11 +0900)]

coverity: #1438231

Dereference after null check

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 05:03:22 +0000 (14:03 +0900)]

coverity: #1438230

Logically dead code

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 05:01:33 +0000 (14:01 +0900)]

coverity: #1438229

Resource leak

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 04:54:34 +0000 (13:54 +0900)]

coverity: #1438233

Resource leak

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 04:44:46 +0000 (13:44 +0900)]

coverity: #1438234

Resource leak

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 04:19:53 +0000 (13:19 +0900)]

coverity: #1438235

Resource leak

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 04:12:00 +0000 (13:12 +0900)]

coverity: #1438236

Resource leak

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 03:58:01 +0000 (12:58 +0900)]

tools: lxc-unshare: apply default log priority

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 03:50:31 +0000 (12:50 +0900)]

log: add default log priority

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

2xsec [Mon, 6 Aug 2018 02:23:41 +0000 (11:23 +0900)]

log: function cleanups

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commit | commitdiff | tree

Stéphane Graber [Sun, 5 Aug 2018 14:18:55 +0000 (10:18 -0400)]

Merge pull request #2510 from brauner/2018-08-05/cap_fixes

tree-wide: pass unsigned long to prctl()

commit | commitdiff | tree

Christian Brauner [Sun, 5 Aug 2018 12:04:03 +0000 (14:04 +0200)]

tree-wide: pass unsigned long to prctl()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Stéphane Graber [Sat, 4 Aug 2018 19:55:32 +0000 (15:55 -0400)]

Merge pull request #2508 from brauner/2018-08-04/cap_fixes

macro: add new macro header, caps: bugfixes, log: bugfixes

commit | commitdiff | tree

Christian Brauner [Sat, 4 Aug 2018 18:41:59 +0000 (20:41 +0200)]

log: bugfixes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sat, 4 Aug 2018 18:12:56 +0000 (20:12 +0200)]

caps: bugfixes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sat, 4 Aug 2018 18:11:58 +0000 (20:11 +0200)]

macro: add new macro header

This allows us to use a bunch of macros in our static build for init.lxc.static
without having to link against all of utils.{c,h}.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sat, 4 Aug 2018 16:06:11 +0000 (18:06 +0200)]

travis: export CFLAGS=-O0 for coverity

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sat, 4 Aug 2018 15:50:33 +0000 (17:50 +0200)]

travis: build with -O0 for coverity

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Stéphane Graber [Tue, 31 Jul 2018 14:55:16 +0000 (10:55 -0400)]

Merge pull request #2505 from brauner/2018-07-31/bugfixes

coverity: #438136

commit | commitdiff | tree

Christian Brauner [Tue, 31 Jul 2018 11:52:12 +0000 (13:52 +0200)]

READEM: update Serge's mail address

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Serge Hallyn <serge@hallyn.com>

commit | commitdiff | tree

Christian Brauner [Tue, 31 Jul 2018 08:55:52 +0000 (10:55 +0200)]

coverity: #438136

String not null terminated

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Tue, 31 Jul 2018 07:17:47 +0000 (09:17 +0200)]

Merge pull request #2503 from tenforward/japanese

doc: Add incompatibility with network type=none into Japanese man

commit | commitdiff | tree

KATOH Yasufumi [Tue, 31 Jul 2018 07:03:31 +0000 (16:03 +0900)]

doc: Add incompatibility with network type=none into Japanese man

Update for commit e4b3e36

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

commit | commitdiff | tree

Stéphane Graber [Mon, 30 Jul 2018 18:57:23 +0000 (14:57 -0400)]

Merge pull request #2499 from brauner/lxc/master

bugfixes

commit | commitdiff | tree

Stéphane Graber [Mon, 30 Jul 2018 18:56:54 +0000 (14:56 -0400)]

Merge pull request #2475 from brauner/2018-07-16/monitor_signal_pdeath

conf: improve rootfs setup

commit | commitdiff | tree

Stéphane Graber [Mon, 30 Jul 2018 18:56:19 +0000 (14:56 -0400)]

Merge pull request #2502 from brauner/2018-07-27/fix_max_devpts_option

conf: mount devpts without "max" on EINVAL

commit | commitdiff | tree

Wolfgang Bumiller [Mon, 30 Jul 2018 18:30:50 +0000 (20:30 +0200)]

conf: don't return a clobbered errno value

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Christian Brauner [Mon, 30 Jul 2018 13:55:09 +0000 (15:55 +0200)]

conf: mount devpts without "max" on EINVAL

The "max" option to devpts got introduced in kernel 3.4.

Closes #2490.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Mon, 30 Jul 2018 13:32:19 +0000 (15:32 +0200)]

Merge pull request #2500 from akosiaris/patch-1

Unprivileged's incompatibility with type=none docs

commit | commitdiff | tree

Alexandros Kosiaris [Mon, 30 Jul 2018 12:01:15 +0000 (15:01 +0300)]

Unprivileged's incompatibility with type=none docs

Unprivileged containers are not compatible with sharing the
host namespace due to an inability to mount sysfs. Add docs
in lxc.container.conf to document that out.

Refs #2463

Signed-off-by: Alexandros Kosiaris <akosiaris@gmail.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:57:30 +0000 (23:57 +0200)]

caps: handle EINTR in read()

We don't want to link caps.{c,h} against utils.{c,h} for the sake of our static
builds init.lxc.static. This means lxc_write_nointr() will not be available. So
handle it EINTR.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:54:32 +0000 (23:54 +0200)]

log: handle EINTR in read()

We don't want to link log.{c,h} against utils.{c,h} for the sake of our static
builds init.lxc.static. This means lxc_write_nointr() will not be available. So
handle it EINTR.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 22:03:03 +0000 (00:03 +0200)]

utils: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 22:02:10 +0000 (00:02 +0200)]

terminal: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 22:00:19 +0000 (00:00 +0200)]

monitor: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 22:00:00 +0000 (00:00 +0200)]

monitor: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:59:22 +0000 (23:59 +0200)]

apparmor: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:55:28 +0000 (23:55 +0200)]

tools: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:56:33 +0000 (23:56 +0200)]

tools: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:51:02 +0000 (23:51 +0200)]

sync: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:50:51 +0000 (23:50 +0200)]

sync: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:49:32 +0000 (23:49 +0200)]

network: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:49:05 +0000 (23:49 +0200)]

network: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:48:28 +0000 (23:48 +0200)]

lxccontainer: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:47:57 +0000 (23:47 +0200)]

lxccontainer: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:47:15 +0000 (23:47 +0200)]

criu: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:46:54 +0000 (23:46 +0200)]

criu: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:45:51 +0000 (23:45 +0200)]

cmd: s/read()/lxc_read_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:45:18 +0000 (23:45 +0200)]

cmd: s/write()/lxc_write_nointr()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 20:59:37 +0000 (22:59 +0200)]

cmd: s/pipe()/pipe2()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:09:45 +0000 (23:09 +0200)]

lxccontainer: s/pipe()/pipe2()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:09:13 +0000 (23:09 +0200)]

lxccontainer: cleanup do_lxcapi_get_interfaces()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:07:33 +0000 (23:07 +0200)]

criu: s/pipe()/pipe2()/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:03:32 +0000 (23:03 +0200)]

conf: always close pipe in run_userns_fn()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 21:02:14 +0000 (23:02 +0200)]

conf: s/pipe()/pipe2()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 16:46:42 +0000 (18:46 +0200)]

Merge pull request #2497 from brauner/2018-07-29/nl_fix

nl: avoid NULL pointer dereference

commit | commitdiff | tree

Rafał Miłecki [Sun, 29 Jul 2018 15:44:06 +0000 (17:44 +0200)]

nl: avoid NULL pointer dereference

It's a valid case to call nla_put() with NULL data and 0 len. It's done e.g. in
the nla_put_attr().

There has to be a check for data in nla_put() as passing NULL to the memcpy()
is not allowed. Even if length is 0, both pointers have to be valid.

For a reference see C99 standard (7.21.1/2), it says: "pointer arguments on
such a call shall still have valid values".

Reported-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
[christian.brauner@ubuntu.com: adapted commit message]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 12:35:09 +0000 (14:35 +0200)]

confile: split mount options into flags and data

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Sun, 29 Jul 2018 12:31:31 +0000 (14:31 +0200)]

conf: improve rootfs setup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Stéphane Graber [Sun, 29 Jul 2018 01:08:38 +0000 (21:08 -0400)]

Merge pull request #2496 from flx42/nvidia-hook-lgpl

Fix license of the nvidia hook

commit | commitdiff | tree

Felix Abecassis [Sun, 29 Jul 2018 01:06:58 +0000 (18:06 -0700)]

Fix license of the nvidia hook

Fixes: #2494
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

commit | commitdiff | tree

Stéphane Graber [Thu, 26 Jul 2018 14:56:46 +0000 (10:56 -0400)]

Merge pull request #2493 from brauner/2018-07-26/bugfixes

utils: add lxc_iterate_parts(), compile with -Wvla and -std=gnu11

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 11:38:21 +0000 (13:38 +0200)]

autotools: default to -Wvla -std=gnu11

We can't really support anything less than gcc-4.8 anyway.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 12:42:05 +0000 (14:42 +0200)]

include: remove VLAs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 11:38:11 +0000 (13:38 +0200)]

tests: remove VLAs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 11:37:58 +0000 (13:37 +0200)]

Makefile: add missing lxctest.h

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:16:28 +0000 (16:16 +0200)]

utils: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:19:42 +0000 (16:19 +0200)]

tools: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:17:19 +0000 (16:17 +0200)]

storage: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:13:39 +0000 (16:13 +0200)]

state: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:11:43 +0000 (16:11 +0200)]

parse: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:10:27 +0000 (16:10 +0200)]

namespace: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:09:31 +0000 (16:09 +0200)]

lxccontainer: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:08:29 +0000 (16:08 +0200)]

confile: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 14:00:32 +0000 (16:00 +0200)]

conf: s/strtok_r()/lxc_iterate_parts()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 10:57:47 +0000 (12:57 +0200)]

cgroups: s/strtok_r()/lxc_iterate_parts()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Christian Brauner [Thu, 26 Jul 2018 10:43:29 +0000 (12:43 +0200)]

utils: add lxc_iterate_parts()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Serge Hallyn [Thu, 26 Jul 2018 04:04:32 +0000 (23:04 -0500)]

Merge pull request #2479 from Blub/apparmor-profiles

RFC: Generated Apparmor profiles, namespaces, stacking

commit | commitdiff | tree

Wolfgang Bumiller [Tue, 24 Jul 2018 11:59:04 +0000 (13:59 +0200)]

tests: add test for generated apparmor profiles

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Tue, 24 Jul 2018 14:42:26 +0000 (16:42 +0200)]

apparmor: allow start-container to change to lxc-**

For generated profiles with apparmor namespaces we get
profile names with slashes in them. To match those, we need
to allow changing to lxc-**, not just lxc-*.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Wed, 25 Jul 2018 10:11:31 +0000 (12:11 +0200)]

apparmor: profile generation

This copies lxd's apparmor profile generation. This tries to
detect features such as cgroup namespaces, apparmor
namespaces and stacking support, and has profile parts
conditionally for unprivileged containers.

This introduces the following changes to the configuration:
  lxc.apparmor.profile = generated
    The fixed value 'generated' will cause this
    functionality to be used, otherwise there should be no
    functional changes happening unless specifically
    requested with the next key:
  lxc.apparmor.allow_nesting
    This is a boolean which, if enabled, causes the
    following changes: When generated apparmor profiles are
    used, they will contain the necessary changes to allow
    creating a nested container. In addition to the usual
    mount points, /dev/.lxc/proc and /dev/.lxc/sys will
    contain procfs and sysfs mount points without the lxcfs
    overlays, which, if generated apparmor profiles are
    being used, will not be read/writable directly.
  lxc.apparmor.raw
    A list of raw apparmor profile lines to append to the
    profile. Only valid when using generated profiles.

The following apparmor profile lines have not been copied
from lxd:

  mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,
  mount none -> /var/lib/lxd/shmounts/,
  mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,

They should be added via lxc.apparmor.raw entries by lxd.

In order for apparmor_parser's cache to be of use, this adds
a --with-apparmor-cache-dir ./configure option.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Wed, 25 Jul 2018 10:11:23 +0000 (12:11 +0200)]

apparmor: update current profiles

remove cgmanager rules and add fstype=cgroup2 variants for
the existing fstype=cgroup rules

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Wed, 18 Jul 2018 10:43:37 +0000 (12:43 +0200)]

utils: add must_concat helper

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Wed, 25 Jul 2018 10:06:16 +0000 (12:06 +0200)]

apparmor: use fopen_cloexec

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Stéphane Graber [Tue, 24 Jul 2018 15:17:32 +0000 (11:17 -0400)]

Merge pull request #2492 from brauner/2018-07-14/fix_indendation

lxccontainer: fix indendation

commit | commitdiff | tree

Christian Brauner [Tue, 24 Jul 2018 13:09:13 +0000 (15:09 +0200)]

lxccontainer: fix indendation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commit | commitdiff | tree

Wolfgang Bumiller [Thu, 12 Jul 2018 13:16:40 +0000 (15:16 +0200)]

lsm: fixup lsm_process_label_set_at return values

Always return -1 on error (some code paths returned -1, some
returned negative error codes), don't assume 'errno' is set
afterwards, as the function already prints errors and not
all code paths will have a usable errno value.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Tue, 24 Jul 2018 09:49:14 +0000 (11:49 +0200)]

tests: lxc-test-apparmor-mount: check environment early

don't kill all my processes when running it as user...

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Wolfgang Bumiller [Mon, 23 Jul 2018 15:23:08 +0000 (17:23 +0200)]

tests: lxc-test-apparmor-mount: show a log on error

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

commit | commitdiff | tree

Christian Brauner [Sun, 22 Jul 2018 15:42:33 +0000 (17:42 +0200)]

Merge pull request #2489 from 2xsec/bugfix

change log macro of error case from lxc_ambient_caps_up/down

commit | commitdiff | tree

Christian Brauner [Sun, 22 Jul 2018 14:20:31 +0000 (16:20 +0200)]

Merge pull request #2300 from LizaTretyakova/mount_injection

Mount injection API

Mirror of https://github.com/lxc/lxc.git

RSS Atom