Scott Moser [Tue, 22 Aug 2023 18:07:36 +0000 (14:07 -0400)]
Fix start api call to split quoted strings in execute or init command.
If a user of the container.start api call provided NULL for the argv
argument, then lxc would load either 'lxc.execute.cmd' or
'lxc.init.cmd' configuration items as the command.
lxc would just split the string on spaces and end up executing array:
['touch', 'file"', 'one"', '"file', '2"']
This differs from the experience with the `lxc-start` command which
would use lxc_string_split_quoted and execute:
['touch', 'file one', 'file 2']
Note that as described in lxc_string_split_quoted, commands that include
nested quotes and possibly other characters are still a problem. In
those cases, the caller of 'start' can provide an argv array.
get_hierarchy: dont WARN about no usable controller
If I start a container with loglevel WARN, and (on a pretty
stock ubuntu) do lxc-info -n $c, I get
lxc-start media 20230706233337.765 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:142 - There is no useable cpuacct controller
lxc-start media 20230706233337.765 WARN cgfsng - cgroups/cgfsng.c:get_hierarchy:142 - There is no useable blkio controller
I don't think that's worth WARNing about, so change it to
INFO.
lxccontainer: extend lxccontainer API with set_timeout
lxccontainer set_timeout method allows to set LXC client
timeout for waiting monitor response.
Right now, it's implemented using the SO_RCVTIMEO client
socket option. (But it's the implementation detail that
can be changed in the future.)
This commit doesn't change behavior, because it's just
adds a new option and setter, but not changes any existing
LXC commands implementation. It's also extends internal API
function lxc_cmd with lxc_cmd_timeout.
Issue #4257
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Let's disable IORING_POLL_ADD_MULTI to workaround an issue
with false-positive POLLIN events in CQ.
In my local setup I managed to fix an issue without this
by making terminal FDs non-blocking, but during full
testsuite execution in Jenkins it was found that issue
still persists. So, let's add this ugly workaround too.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Let's prevent freezes on read(2) by making a terminal FDs non-blocking.
It was discovered that there is an issue with io_uring mainloop when
multishot poll (IORING_POLL_ADD_MULTI) mode is enabled. Sometimes
false-positive poll events are put into a CQ. It makes further read(2)
stuck forever and blocks all mainloop processing for an infinite time.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
it turns out that our parsing of /proc/pid/stat was not safe in general
(though probably safe for lxc, since our executable names do not contain
spaces).
Let's fix this by looking backwards through the file for ), and then
continuing on from there.
This was reported to me by Solar Designer, who pointed me to this thread:
https://twitter.com/solardiz/status/1634204168545001473
Indeed, this is a lot of tap dancing to work around the kernel's 16
character executable limit. Perhaps I'll send a kernel patch to raise that
limit next.
Long story behind this. Many years ago, Stéphane Graber
discovered an issue with apparmor mount rules.
Since
https://github.com/lxc/lxc/commit/7f2b13275daf68b173474900b1ce2c04105da33f
commit ("apparmor: Update mount states handling") it was prohibited
to change mount propagation flags, just because adding rules which
allow mount propagation user inside the container gets an ability
to mount everything [1].
Now with modern systemd versions this problem become more critical than
before. For instance, ArchLinux containers fail to start without
nesting apparmor profile enabled (because nesting profile effectively
just allow all mounts). Of course, that's a security issue.
We've also enabled sharing on the container rootfs:
https://github.com/lxc/lxc/pull/4229
Now for many workloads it's needed to change propagation flag to
private (see https://github.com/canonical/craft-parts/pull/400).
bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported
Failed to remount root directory as MS_SLAVE: Permission denied
(sd-gens) failed with exit status 1.
[!!!!!!] Failed to start up manager.
Exiting PID 1...
John Johansen (Apparmor maintainer) and LXD team worked on fix [2].
It was merged to stable AppArmor 3.0 and 3.1 branches already.
There is no stable AppArmor version tag for that, but I think it will
be in the AppArmor version 3.0.10.
See also:
[1] https://bugs.launchpad.net/apparmor/+bug/1597017
[2] https://gitlab.com/apparmor/apparmor/-/merge_requests/333
Fixes: #4280 Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Serge Hallyn [Wed, 8 Mar 2023 05:53:59 +0000 (23:53 -0600)]
switch from libsystemd's dbus to dbus-1
This is purely so that we can do static linking. Linking against
libsystemd makes that a challenge because while it's perfectly simple
to do, distros tend not to provide a libsystemd.a.
Tools that want to (a) link against liblxc and (b) have a statically
linked binary to bind into a minimal container are ill served by
this. So link against libdbus-1.
.github/workflows/build.yml: switch to dbus-1.
src/lxc/cgroups/cgfsng.c: replace the unpriv_systemd_create_scope(),
start_scope, and enter_scope() systemd code with dbus-1 code.
src/tests/oss-fuzz.sh: update from libsystemd-dev to libdbus-1-dev
src/tests/oss-fuzz.sh: disable dbus
.github/workflows/*: update from libsystemd-dev to libdbus-1-dev
meson.build and meson_options.txt: switch from sd_bus to dbus
lxc.spec.in: add dbus-1 to BuildRequires
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Changelog: 03/13: use custom iter type so we can cleanup more easily...
Changelog: 03/13: initialize each dbus_iter to { 0 } as mihalicyn suggested.
tree-wide: convert fcntl(FD_CLOEXEC) to SOCK_CLOEXEC
- replace accept() + fcntl(FD_CLOEXEC) with accept4(..., SOCK_CLOEXEC)
- remove fcntl(FD_CLOEXEC) in lxc_server_init() as we already set
SOCK_CLOEXEC in lxc_abstract_unix_open().
See also: ad9429e52 ("tree-wide: make socket SOCK_CLOEXEC") Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Scott Moser [Fri, 24 Feb 2023 21:48:10 +0000 (16:48 -0500)]
Allow fuse mounts in apparmor start-container.
Unprivledged user should be able to do fuse mounts during start-container.
Specifically this solves the problem for un-priv fuse mounting via
pre-hook.
In case empty profile files linger somehow (eg. powerloss or
oom killer etc. between creating and writing the file) we
tried to use mmap() with a length of 0 which is invalid.
Let's treat this as if it did not exist.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Quentin Lyons [Sun, 12 Feb 2023 02:03:42 +0000 (02:03 +0000)]
lxc-net.in: fix nftables syntax for IPv6 NAT
The nftables masquarade rule for IPv6 was using the IPv4 syntax. This
resulted in the following error when starting the lxc-net.service with
LXC_IPV6_NAT="true" and nftables:
Feb 11 18:54:54 pc lxc-net[4936]: Error: conflicting protocols specified: ip6 vs. ip
Feb 11 18:54:54 pc lxc-net[4936]: ^^^^^^^^
Feb 11 18:54:54 pc lxc-net[4917]: Failed to setup lxc-net.
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Main process exited, code=exited, status=1/FAILURE
Feb 11 18:54:54 pc systemd[1]: lxc-net.service: Failed with result 'exit-code'.
Feb 11 18:54:54 pc systemd[1]: Failed to start LXC network bridge setup.
get_mtu() returns int, but "mtu" variable has unsigned int type.
It leads to logical error in error handling, which can end up
with strange -EINVAL error in lxc_veth_create(), cause (mtu > 0)
condition is met, but negative "mtu" value is too large when set
as mtu for network device.
Issue #4232
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Maher Azzouzi [Sun, 25 Dec 2022 12:50:25 +0000 (13:50 +0100)]
Patching an incoming CVE (CVE-2022-47952)
lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may
allow local users to infer whether any file exists, even within a
protected directory tree, because "Failed to open" often indicates
that a file does not exist, whereas "does not refer to a network
namespace path" often indicates that a file exists. NOTE: this is
different from CVE-2018-6556 because the CVE-2018-6556 fix design was
based on the premise that "we will report back to the user that the
open() failed but the user has no way of knowing why it failed";
however, in many realistic cases, there are no plausible reasons for
failing except that the file does not exist.
PoC:
> % ls /l
> ls: cannot open directory '/l': Permission denied
> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/tt h h
> cmd/lxc_user_nic.c: 1096: main: Failed to open "/l/h/tt" <----- file does not exist.
> % /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/t h h
> cmd/lxc_user_nic.c: 1101: main: Path "/l/h/t" does not refer to a network namespace path <---- file exist!
Fabrice Fontaine [Thu, 29 Dec 2022 13:42:45 +0000 (14:42 +0100)]
src/lxc/meson.build: fix build without apparmor
Don't build lsm/apparmor.c if apparmor is explicitly disabled by the
user to avoid the following build failure with gcc 4.8:
/home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/bits/fcntl2.h: In function '__apparmor_process_label_open.isra.0':
/home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/bits/fcntl2.h:50:24: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
__open_missing_mode ();
^
Despite the fact that struct nl_handler is filled zeros
in netlink_open() there are two cases where we have possible
exit paths from the function before netlink_open() is called.
At the same time we have cleaner registered:
call_cleaner(netlink_close)
Two cases:
- netdev_get_flag
- lxc_ipvlan_create
If we are exiting from these functions before netlink_open()
is called we will close random file descriptor by reading
it from (struct nl_handler)->fd.
Let's just properly initialize this structure in all cases
to prevent this bug in the future.
Reported-by: coverity (CID #1517319 and #1517316) Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
projects / thirdparty / lxc.git / log
