lxc: Backport patches for keyring options

The added patches allow to set the SELinux context for the session keyring that is created by lxc. In addition it is possible to disable the creation of a new session keyring completely. Upstream PR: https://github.com/lxc/lxc/pull/3260 (merged) If lxc is executed on a SELinux enabled system, these options can be used to assign the expected label to the session keyring. Signed-off-by: Maximilian Blenk <maximilian.blenk@bmw.de> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Maximilian Blenk <Maximilian.Blenk@bmw.de> 2020-02-04 15:55:28 +0100
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2020-02-13 17:21:41 -0500
commit: b8c810c6083311593b0432ede69cefeb4226cdf6 (patch)
tree: 48459fb25442b046716a6082d8414f3b94cf4ed3 /recipes-containers
parent: ad580c253d82126e8d1d0e96e0d77829ab26beec (diff)
download: meta-virtualization-b8c810c6083311593b0432ede69cefeb4226cdf6.tar.gz
3 files changed, 494 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
new file mode 100644
index 00000000..0da1be08
--- /dev/null
+++ b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
@@ -0,0 +1,275 @@
+From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Wed, 29 Jan 2020 17:09:50 +0100
+Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
+lxc set's up a new session keyring for every container by default.
+If executed on an SELinux enabled system, by default, the keyring
+inherits the label of the creating process. If executed with the
+currently available SELinux policy, this means that the keyring
+is labeled with the lxc_t type. Applications inside the container,
+however, might expect that the keyring is labeled with a certain
+context (and will fail to access the keyring if it's not explicitly
+allowed in the global policy). This patch introduces the config
+option lxc.selinux.context.keyring which enables to specify the
+label of the newly created keyring. That is, the keyring can be
+labeled with the label expected by the started application.
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ config/selinux/lxc.te |  3 +++
+ src/lxc/conf.c        | 10 +++++++++-
+ src/lxc/conf.h        |  1 +
+ src/lxc/confile.c     | 24 ++++++++++++++++++++++++
+ src/lxc/lsm/lsm.c     | 13 +++++++++++++
+ src/lxc/lsm/lsm.h     |  2 ++
+ src/lxc/lsm/selinux.c | 13 +++++++++++++
+ src/lxc/utils.c       |  9 ++++++++-
+ src/lxc/utils.h       |  2 +-
+ 9 files changed, 74 insertions(+), 3 deletions(-)
+diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
+index bb4bfe3a8..d3f78d80b 100644
+--- a/config/selinux/lxc.te
+++ b/config/selinux/lxc.te
+@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
+ allow lxc_t self:rawip_socket create_socket_perms;
+ allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
+ 
+# Needed to set label that the keyring will be created with
+allow lxc_t self:process { setkeycreate };
+
+ dontaudit lxc_t sysctl_kernel_t:file write;
+ dontaudit lxc_t sysctl_modprobe_t:file write;
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 0f8b3c928..b06fbf047 100644
+--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
+@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
+        new->lsm_aa_profile = NULL;
+        lxc_list_init(&new->lsm_aa_raw);
+        new->lsm_se_context = NULL;
+       new->lsm_se_keyring_context = NULL;
+        new->tmp_umount_proc = false;
+        new->tmp_umount_proc = 0;
+        new->shmount.path_host = NULL;
+@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
+        int ret;
+        const char *lxcpath = handler->lxcpath, *name = handler->name;
+        struct lxc_conf *lxc_conf = handler->conf;
+       char *keyring_context = NULL;
+ 
+        ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
+        if (ret < 0) {
+@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
+                }
+        }
+ 
+-       ret = lxc_setup_keyring();
+       if (lxc_conf->lsm_se_keyring_context) {
+               keyring_context = lxc_conf->lsm_se_keyring_context;
+       } else if (lxc_conf->lsm_se_context) {
+               keyring_context = lxc_conf->lsm_se_context;
+       }
+
+       ret = lxc_setup_keyring(keyring_context);
+        if (ret < 0)
+                return -1;
+ 
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 2664a1527..bb47b720e 100644
+--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
+@@ -295,6 +295,7 @@ struct lxc_conf {
+        unsigned int lsm_aa_allow_incomplete;
+        struct lxc_list lsm_aa_raw;
+        char *lsm_se_context;
+       char *lsm_se_keyring_context;
+        bool tmp_umount_proc;
+        struct lxc_seccomp seccomp;
+        int maincmd_fd;
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 36d62cbca..df184af73 100644
+--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
+@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
+ lxc_config_define(seccomp_notify_cookie);
+ lxc_config_define(seccomp_notify_proxy);
+ lxc_config_define(selinux_context);
+lxc_config_define(selinux_context_keyring);
+ lxc_config_define(signal_halt);
+ lxc_config_define(signal_reboot);
+ lxc_config_define(signal_stop);
+@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
+        { "lxc.seccomp.notify.proxy",      set_config_seccomp_notify_proxy,        get_config_seccomp_notify_proxy,        clr_config_seccomp_notify_proxy,      },
+        { "lxc.seccomp.profile",           set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
+        { "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
+       { "lxc.selinux.context.keyring",   set_config_selinux_context_keyring,     get_config_selinux_context_keyring,     clr_config_selinux_context_keyring    },
+        { "lxc.signal.halt",               set_config_signal_halt,                 get_config_signal_halt,                 clr_config_signal_halt,               },
+        { "lxc.signal.reboot",             set_config_signal_reboot,               get_config_signal_reboot,               clr_config_signal_reboot,             },
+        { "lxc.signal.stop",               set_config_signal_stop,                 get_config_signal_stop,                 clr_config_signal_stop,               },
+@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value,
+        return set_config_string_item(&lxc_conf->lsm_se_context, value);
+ }
+ 
+static int set_config_selinux_context_keyring(const char *key, const char *value,
+                                             struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+}
+
+ static int set_config_log_file(const char *key, const char *value,
+                              struct lxc_conf *c, void *data)
+ {
+@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
+        return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
+ }
+ 
+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
+                                             struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+}
+
+
+ /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
+  * just the value(s) will be printed. Since there still could be more than one,
+  * it is newline-separated.
+@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
+        return 0;
+ }
+ 
+static inline int clr_config_selinux_context_keyring(const char *key,
+                                                    struct lxc_conf *c, void *data)
+{
+       free(c->lsm_se_keyring_context);
+       c->lsm_se_keyring_context = NULL;
+       return 0;
+}
+
+ static inline int clr_config_cgroup_controller(const char *key,
+                                               struct lxc_conf *c, void *data)
+ {
+@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
+                strprint(retv, inlen, "dir\n");
+        } else if (!strcmp(key, "lxc.selinux")) {
+                strprint(retv, inlen, "context\n");
+               strprint(retv, inlen, "context.keyring\n");
+        } else if (!strcmp(key, "lxc.mount")) {
+                strprint(retv, inlen, "auto\n");
+                strprint(retv, inlen, "entry\n");
+diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
+index 5538c9e84..48c22b700 100644
+--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
+@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
+ 
+        drv->cleanup(conf, lxcpath);
+ }
+
+int lsm_keyring_label_set(char *label) {
+
+       if (!drv) {
+               ERROR("LSM driver not inited");
+               return -1;
+       }
+
+       if (!drv->keyring_label_set)
+               return 0;
+
+       return drv->keyring_label_set(label);
+}
+diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
+index dda740b3d..a645a2fa0 100644
+--- a/src/lxc/lsm/lsm.h
+++ b/src/lxc/lsm/lsm.h
+@@ -38,6 +38,7 @@ struct lsm_drv {
+        char *(*process_label_get)(pid_t pid);
+        int (*process_label_set)(const char *label, struct lxc_conf *conf,
+                                 bool on_exec);
+       int (*keyring_label_set)(char* label);
+        int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
+        void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
+ };
+@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
+ extern int lsm_process_label_set_at(int label_fd, const char *label,
+                                    bool on_exec);
+ extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
+extern int lsm_keyring_label_set(char *label);
+ 
+ #endif /* __LXC_LSM_H */
+diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
+index 625bcae90..b3d95c310 100644
+--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
+@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
+        return 0;
+ }
+ 
+/*
+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
+ *
+ * @label   : label string
+ *
+ * Returns 0 on success, < 0 on failure
+ */
+static int selinux_keyring_label_set(char *label)
+{
+       return setkeycreatecon_raw(label);
+};
+
+ static struct lsm_drv selinux_drv = {
+        .name = "SELinux",
+        .enabled           = is_selinux_enabled,
+        .process_label_get = selinux_process_label_get,
+        .process_label_set = selinux_process_label_set,
+       .keyring_label_set = selinux_keyring_label_set,
+ };
+ 
+ struct lsm_drv *lsm_selinux_drv_init(void)
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index bf4a9c2cb..90852eb87 100644
+--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
+@@ -48,6 +48,7 @@
+ 
+ #include "config.h"
+ #include "log.h"
+#include "lsm/lsm.h"
+ #include "lxclock.h"
+ #include "memory_utils.h"
+ #include "namespace.h"
+@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
+        return r;
+ }
+ 
+-int lxc_setup_keyring(void)
+int lxc_setup_keyring(char *keyring_label)
+ {
+        key_serial_t keyring;
+        int ret = 0;
+ 
+       if (keyring_label) {
+               if (lsm_keyring_label_set(keyring_label) < 0) {
+                       ERROR("Couldn't set keyring label");
+               }
+       }
+
+        /* Try to allocate a new session keyring for the container to prevent
+         * information leaks.
+         */
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index dd6404f0b..7560711b7 100644
+--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
+@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
+ extern int lxc_set_death_signal(int signal, pid_t parent);
+ extern int fd_cloexec(int fd, bool cloexec);
+ extern int recursive_destroy(char *dirname);
+-extern int lxc_setup_keyring(void);
+extern int lxc_setup_keyring(char *keyring_label);
+ 
+ #endif /* __LXC_UTILS_H */
+-- 
+2.24.1
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
new file mode 100644
index 00000000..34647c80
--- /dev/null
+++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
+From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Thu, 30 Jan 2020 19:21:10 +0100
+Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
+ creation
+lxc set's up a new session keyring for every container by default.
+There might be valid use-cases where this is not wanted / needed
+(e.g. systemd by default creates a new session keyring anyway).
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ src/lxc/conf.c          | 19 ++++++++++--------
+ src/lxc/conf.h          |  1 +
+ src/lxc/confile.c       | 44 ++++++++++++++++++++++-------------------
+ src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
+ src/lxc/confile_utils.h |  2 ++
+ 5 files changed, 62 insertions(+), 28 deletions(-)
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index b06fbf047..be4761a54 100644
+--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
+@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
+        lxc_list_init(&new->lsm_aa_raw);
+        new->lsm_se_context = NULL;
+        new->lsm_se_keyring_context = NULL;
+       new->keyring_disable_session = false;
+        new->tmp_umount_proc = false;
+        new->tmp_umount_proc = 0;
+        new->shmount.path_host = NULL;
+@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
+                }
+        }
+ 
+-       if (lxc_conf->lsm_se_keyring_context) {
+-               keyring_context = lxc_conf->lsm_se_keyring_context;
+-       } else if (lxc_conf->lsm_se_context) {
+-               keyring_context = lxc_conf->lsm_se_context;
+-       }
+       if (!lxc_conf->keyring_disable_session) {
+               if (lxc_conf->lsm_se_keyring_context) {
+                       keyring_context = lxc_conf->lsm_se_keyring_context;
+               } else if (lxc_conf->lsm_se_context) {
+                       keyring_context = lxc_conf->lsm_se_context;
+               }
+ 
+-       ret = lxc_setup_keyring(keyring_context);
+-       if (ret < 0)
+-               return -1;
+               ret = lxc_setup_keyring(keyring_context);
+               if (ret < 0)
+                       return -1;
+       }
+ 
+        if (handler->ns_clone_flags & CLONE_NEWNET) {
+                ret = lxc_setup_network_in_child_namespaces(lxc_conf,
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index bb47b720e..b81786838 100644
+--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
+@@ -296,6 +296,7 @@ struct lxc_conf {
+        struct lxc_list lsm_aa_raw;
+        char *lsm_se_context;
+        char *lsm_se_keyring_context;
+       bool keyring_disable_session;
+        bool tmp_umount_proc;
+        struct lxc_seccomp seccomp;
+        int maincmd_fd;
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index df184af73..fd8b3aaba 100644
+--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
+@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
+ lxc_config_define(init_cwd);
+ lxc_config_define(init_gid);
+ lxc_config_define(init_uid);
+lxc_config_define(keyring_session);
+ lxc_config_define(log_file);
+ lxc_config_define(log_level);
+ lxc_config_define(log_syslog);
+@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
+        { "lxc.init.gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
+        { "lxc.init.uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
+        { "lxc.init.cwd",                  set_config_init_cwd,                    get_config_init_cwd,                    clr_config_init_cwd,                  },
+       { "lxc.keyring.session",           set_config_keyring_session,             get_config_keyring_session,             clr_config_keyring_session            },
+        { "lxc.log.file",                  set_config_log_file,                    get_config_log_file,                    clr_config_log_file,                  },
+        { "lxc.log.level",                 set_config_log_level,                   get_config_log_level,                   clr_config_log_level,                 },
+        { "lxc.log.syslog",                set_config_log_syslog,                  get_config_log_syslog,                  clr_config_log_syslog,                },
+@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
+        return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+ }
+ 
+static int set_config_keyring_session(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
+}
+
+ static int set_config_log_file(const char *key, const char *value,
+                              struct lxc_conf *c, void *data)
+ {
+@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
+ static int set_config_rootfs_managed(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+ {
+-       unsigned int val = 0;
+-
+-       if (lxc_config_value_empty(value)) {
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       if (lxc_safe_uint(value, &val) < 0)
+-               return -EINVAL;
+-
+-       switch (val) {
+-       case 0:
+-               lxc_conf->rootfs.managed = false;
+-               return 0;
+-       case 1:
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       return -EINVAL;
+       return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
+ }
+ 
+ static int set_config_rootfs_mount(const char *key, const char *value,
+@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
+        return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+ }
+ 
+static int get_config_keyring_session(const char *key, char *retv, int inlen,
+                                     struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
+}
+
+ 
+ /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
+  * just the value(s) will be printed. Since there still could be more than one,
+@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
+        return 0;
+ }
+ 
+static inline int clr_config_keyring_session(const char *key,
+                                            struct lxc_conf *c, void *data)
+{
+       c->keyring_disable_session = false;
+       return 0;
+}
+
+ static inline int clr_config_cgroup_controller(const char *key,
+                                               struct lxc_conf *c, void *data)
+ {
+@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
+                strprint(retv, inlen, "order\n");
+        } else if (!strcmp(key, "lxc.monitor")) {
+                strprint(retv, inlen, "unshare\n");
+       } else if (!strcmp(key, "lxc.keyring")) {
+               strprint(retv, inlen, "session\n");
+        } else {
+                fulllen = -1;
+        }
+diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
+index 6941f4026..02e48454b 100644
+--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
+@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
+        return set_config_string_item_max(conf_item, value, PATH_MAX);
+ }
+ 
+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
+{
+       unsigned int val = 0;
+
+       if (lxc_config_value_empty(value)) {
+               *conf_item = empty_conf_action;
+               return 0;
+       }
+
+       if (lxc_safe_uint(value, &val) < 0)
+               return -EINVAL;
+
+       switch (val) {
+       case 0:
+               *conf_item = false;
+               return 0;
+       case 1:
+               *conf_item = true;
+               return 0;
+       }
+
+       return -EINVAL;
+}
+
+ int config_ip_prefix(struct in_addr *addr)
+ {
+        if (IN_CLASSA(addr->s_addr))
+diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
+index f68f9604f..83d49bace 100644
+--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
+@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
+ extern int set_config_string_item_max(char **conf_item, const char *value,
+                                      size_t max);
+ extern int set_config_path_item(char **conf_item, const char *value);
+extern int set_config_bool_item(bool *conf_item, const char *value,
+                                bool empty_conf_action);
+ extern int config_ip_prefix(struct in_addr *addr);
+ extern int network_ifname(char *valuep, const char *value, size_t size);
+ extern void rand_complete_hwaddr(char *hwaddr);
+-- 
+2.24.1
diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_3.2.1.bb
index b8525156..bedcf137 100644
--- a/recipes-containers/lxc/lxc_3.2.1.bb
+++ b/recipes-containers/lxc/lxc_3.2.1.bb
@@ -45,6 +45,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
        file://tests-our-init-is-not-busybox.patch \
        file://tests-add-no-validate-when-using-download-template.patch \
        file://network-restore-ability-to-move-nl80211-devices.patch \
+        file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
+        file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
        file://dnsmasq.conf \
        file://lxc-net \
        "
author	Maximilian Blenk <Maximilian.Blenk@bmw.de>	2020-02-04 15:55:28 +0100
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2020-02-13 17:21:41 -0500
commit	b8c810c6083311593b0432ede69cefeb4226cdf6 (patch)
tree	48459fb25442b046716a6082d8414f3b94cf4ed3 /recipes-containers
parent	ad580c253d82126e8d1d0e96e0d77829ab26beec (diff)
download	meta-virtualization-b8c810c6083311593b0432ede69cefeb4226cdf6.tar.gz

diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch new file mode 100644 index 00000000..0da1be08 --- /dev/null +++ b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
@@ -0,0 +1,275 @@
		1	From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
		2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		3	Date: Wed, 29 Jan 2020 17:09:50 +0100
		4	Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
		5
		6	lxc set's up a new session keyring for every container by default.
		7	If executed on an SELinux enabled system, by default, the keyring
		8	inherits the label of the creating process. If executed with the
		9	currently available SELinux policy, this means that the keyring
		10	is labeled with the lxc_t type. Applications inside the container,
		11	however, might expect that the keyring is labeled with a certain
		12	context (and will fail to access the keyring if it's not explicitly
		13	allowed in the global policy). This patch introduces the config
		14	option lxc.selinux.context.keyring which enables to specify the
		15	label of the newly created keyring. That is, the keyring can be
		16	labeled with the label expected by the started application.
		17
		18	Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		19	---
		20	config/selinux/lxc.te \| 3 +++
		21	src/lxc/conf.c \| 10 +++++++++-
		22	src/lxc/conf.h \| 1 +
		23	src/lxc/confile.c \| 24 ++++++++++++++++++++++++
		24	src/lxc/lsm/lsm.c \| 13 +++++++++++++
		25	src/lxc/lsm/lsm.h \| 2 ++
		26	src/lxc/lsm/selinux.c \| 13 +++++++++++++
		27	src/lxc/utils.c \| 9 ++++++++-
		28	src/lxc/utils.h \| 2 +-
		29	9 files changed, 74 insertions(+), 3 deletions(-)
		30
		31	diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
		32	index bb4bfe3a8..d3f78d80b 100644
		33	--- a/config/selinux/lxc.te
		34	+++ b/config/selinux/lxc.te
		35	@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
		36	allow lxc_t self:rawip_socket create_socket_perms;
		37	allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
		38
		39	+# Needed to set label that the keyring will be created with
		40	+allow lxc_t self:process { setkeycreate };
		41	+
		42	dontaudit lxc_t sysctl_kernel_t:file write;
		43	dontaudit lxc_t sysctl_modprobe_t:file write;
		44	diff --git a/src/lxc/conf.c b/src/lxc/conf.c
		45	index 0f8b3c928..b06fbf047 100644
		46	--- a/src/lxc/conf.c
		47	+++ b/src/lxc/conf.c
		48	@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
		49	new->lsm_aa_profile = NULL;
		50	lxc_list_init(&new->lsm_aa_raw);
		51	new->lsm_se_context = NULL;
		52	+ new->lsm_se_keyring_context = NULL;
		53	new->tmp_umount_proc = false;
		54	new->tmp_umount_proc = 0;
		55	new->shmount.path_host = NULL;
		56	@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
		57	int ret;
		58	const char lxcpath = handler->lxcpath, name = handler->name;
		59	struct lxc_conf *lxc_conf = handler->conf;
		60	+ char *keyring_context = NULL;
		61
		62	ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
		63	if (ret < 0) {
		64	@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
		65	}
		66	}
		67
		68	- ret = lxc_setup_keyring();
		69	+ if (lxc_conf->lsm_se_keyring_context) {
		70	+ keyring_context = lxc_conf->lsm_se_keyring_context;
		71	+ } else if (lxc_conf->lsm_se_context) {
		72	+ keyring_context = lxc_conf->lsm_se_context;
		73	+ }
		74	+
		75	+ ret = lxc_setup_keyring(keyring_context);
		76	if (ret < 0)
		77	return -1;
		78
		79	diff --git a/src/lxc/conf.h b/src/lxc/conf.h
		80	index 2664a1527..bb47b720e 100644
		81	--- a/src/lxc/conf.h
		82	+++ b/src/lxc/conf.h
		83	@@ -295,6 +295,7 @@ struct lxc_conf {
		84	unsigned int lsm_aa_allow_incomplete;
		85	struct lxc_list lsm_aa_raw;
		86	char *lsm_se_context;
		87	+ char *lsm_se_keyring_context;
		88	bool tmp_umount_proc;
		89	struct lxc_seccomp seccomp;
		90	int maincmd_fd;
		91	diff --git a/src/lxc/confile.c b/src/lxc/confile.c
		92	index 36d62cbca..df184af73 100644
		93	--- a/src/lxc/confile.c
		94	+++ b/src/lxc/confile.c
		95	@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
		96	lxc_config_define(seccomp_notify_cookie);
		97	lxc_config_define(seccomp_notify_proxy);
		98	lxc_config_define(selinux_context);
		99	+lxc_config_define(selinux_context_keyring);
		100	lxc_config_define(signal_halt);
		101	lxc_config_define(signal_reboot);
		102	lxc_config_define(signal_stop);
		103	@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
		104	{ "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, },
		105	{ "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, },
		106	{ "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, },
		107	+ { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring },
		108	{ "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, },
		109	{ "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, },
		110	{ "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, },
		111	@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char key, const char value,
		112	return set_config_string_item(&lxc_conf->lsm_se_context, value);
		113	}
		114
		115	+static int set_config_selinux_context_keyring(const char key, const char value,
		116	+ struct lxc_conf lxc_conf, void data)
		117	+{
		118	+ return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
		119	+}
		120	+
		121	static int set_config_log_file(const char key, const char value,
		122	struct lxc_conf c, void data)
		123	{
		124	@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char key, char retv, int inlen,
		125	return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
		126	}
		127
		128	+static int get_config_selinux_context_keyring(const char key, char retv, int inlen,
		129	+ struct lxc_conf c, void data)
		130	+{
		131	+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
		132	+}
		133	+
		134	+
		135	/* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
		136	* just the value(s) will be printed. Since there still could be more than one,
		137	* it is newline-separated.
		138	@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
		139	return 0;
		140	}
		141
		142	+static inline int clr_config_selinux_context_keyring(const char *key,
		143	+ struct lxc_conf c, void data)
		144	+{
		145	+ free(c->lsm_se_keyring_context);
		146	+ c->lsm_se_keyring_context = NULL;
		147	+ return 0;
		148	+}
		149	+
		150	static inline int clr_config_cgroup_controller(const char *key,
		151	struct lxc_conf c, void data)
		152	{
		153	@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf conf, const char key, char *retv,
		154	strprint(retv, inlen, "dir\n");
		155	} else if (!strcmp(key, "lxc.selinux")) {
		156	strprint(retv, inlen, "context\n");
		157	+ strprint(retv, inlen, "context.keyring\n");
		158	} else if (!strcmp(key, "lxc.mount")) {
		159	strprint(retv, inlen, "auto\n");
		160	strprint(retv, inlen, "entry\n");
		161	diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
		162	index 5538c9e84..48c22b700 100644
		163	--- a/src/lxc/lsm/lsm.c
		164	+++ b/src/lxc/lsm/lsm.c
		165	@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf conf, const char lxcpath)
		166
		167	drv->cleanup(conf, lxcpath);
		168	}
		169	+
		170	+int lsm_keyring_label_set(char *label) {
		171	+
		172	+ if (!drv) {
		173	+ ERROR("LSM driver not inited");
		174	+ return -1;
		175	+ }
		176	+
		177	+ if (!drv->keyring_label_set)
		178	+ return 0;
		179	+
		180	+ return drv->keyring_label_set(label);
		181	+}
		182	diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
		183	index dda740b3d..a645a2fa0 100644
		184	--- a/src/lxc/lsm/lsm.h
		185	+++ b/src/lxc/lsm/lsm.h
		186	@@ -38,6 +38,7 @@ struct lsm_drv {
		187	char (process_label_get)(pid_t pid);
		188	int (process_label_set)(const char label, struct lxc_conf *conf,
		189	bool on_exec);
		190	+ int (keyring_label_set)(char label);
		191	int (prepare)(struct lxc_conf conf, const char *lxcpath);
		192	void (cleanup)(struct lxc_conf conf, const char *lxcpath);
		193	};
		194	@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
		195	extern int lsm_process_label_set_at(int label_fd, const char *label,
		196	bool on_exec);
		197	extern void lsm_process_cleanup(struct lxc_conf conf, const char lxcpath);
		198	+extern int lsm_keyring_label_set(char *label);
		199
		200	#endif /* __LXC_LSM_H */
		201	diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
		202	index 625bcae90..b3d95c310 100644
		203	--- a/src/lxc/lsm/selinux.c
		204	+++ b/src/lxc/lsm/selinux.c
		205	@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char inlabel, struct lxc_conf conf,
		206	return 0;
		207	}
		208
		209	+/*
		210	+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
		211	+ *
		212	+ * @label : label string
		213	+ *
		214	+ * Returns 0 on success, < 0 on failure
		215	+ */
		216	+static int selinux_keyring_label_set(char *label)
		217	+{
		218	+ return setkeycreatecon_raw(label);
		219	+};
		220	+
		221	static struct lsm_drv selinux_drv = {
		222	.name = "SELinux",
		223	.enabled = is_selinux_enabled,
		224	.process_label_get = selinux_process_label_get,
		225	.process_label_set = selinux_process_label_set,
		226	+ .keyring_label_set = selinux_keyring_label_set,
		227	};
		228
		229	struct lsm_drv *lsm_selinux_drv_init(void)
		230	diff --git a/src/lxc/utils.c b/src/lxc/utils.c
		231	index bf4a9c2cb..90852eb87 100644
		232	--- a/src/lxc/utils.c
		233	+++ b/src/lxc/utils.c
		234	@@ -48,6 +48,7 @@
		235
		236	#include "config.h"
		237	#include "log.h"
		238	+#include "lsm/lsm.h"
		239	#include "lxclock.h"
		240	#include "memory_utils.h"
		241	#include "namespace.h"
		242	@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
		243	return r;
		244	}
		245
		246	-int lxc_setup_keyring(void)
		247	+int lxc_setup_keyring(char *keyring_label)
		248	{
		249	key_serial_t keyring;
		250	int ret = 0;
		251
		252	+ if (keyring_label) {
		253	+ if (lsm_keyring_label_set(keyring_label) < 0) {
		254	+ ERROR("Couldn't set keyring label");
		255	+ }
		256	+ }
		257	+
		258	/* Try to allocate a new session keyring for the container to prevent
		259	* information leaks.
		260	*/
		261	diff --git a/src/lxc/utils.h b/src/lxc/utils.h
		262	index dd6404f0b..7560711b7 100644
		263	--- a/src/lxc/utils.h
		264	+++ b/src/lxc/utils.h
		265	@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
		266	extern int lxc_set_death_signal(int signal, pid_t parent);
		267	extern int fd_cloexec(int fd, bool cloexec);
		268	extern int recursive_destroy(char *dirname);
		269	-extern int lxc_setup_keyring(void);
		270	+extern int lxc_setup_keyring(char *keyring_label);
		271
		272	#endif /* __LXC_UTILS_H */
		273	--
		274	2.24.1
		275


diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch new file mode 100644 index 00000000..34647c80 --- /dev/null +++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
		1	From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
		2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		3	Date: Thu, 30 Jan 2020 19:21:10 +0100
		4	Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
		5	creation
		6
		7	lxc set's up a new session keyring for every container by default.
		8	There might be valid use-cases where this is not wanted / needed
		9	(e.g. systemd by default creates a new session keyring anyway).
		10
		11	Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
		12	---
		13	src/lxc/conf.c \| 19 ++++++++++--------
		14	src/lxc/conf.h \| 1 +
		15	src/lxc/confile.c \| 44 ++++++++++++++++++++++-------------------
		16	src/lxc/confile_utils.c \| 24 ++++++++++++++++++++++
		17	src/lxc/confile_utils.h \| 2 ++
		18	5 files changed, 62 insertions(+), 28 deletions(-)
		19
		20	diff --git a/src/lxc/conf.c b/src/lxc/conf.c
		21	index b06fbf047..be4761a54 100644
		22	--- a/src/lxc/conf.c
		23	+++ b/src/lxc/conf.c
		24	@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
		25	lxc_list_init(&new->lsm_aa_raw);
		26	new->lsm_se_context = NULL;
		27	new->lsm_se_keyring_context = NULL;
		28	+ new->keyring_disable_session = false;
		29	new->tmp_umount_proc = false;
		30	new->tmp_umount_proc = 0;
		31	new->shmount.path_host = NULL;
		32	@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
		33	}
		34	}
		35
		36	- if (lxc_conf->lsm_se_keyring_context) {
		37	- keyring_context = lxc_conf->lsm_se_keyring_context;
		38	- } else if (lxc_conf->lsm_se_context) {
		39	- keyring_context = lxc_conf->lsm_se_context;
		40	- }
		41	+ if (!lxc_conf->keyring_disable_session) {
		42	+ if (lxc_conf->lsm_se_keyring_context) {
		43	+ keyring_context = lxc_conf->lsm_se_keyring_context;
		44	+ } else if (lxc_conf->lsm_se_context) {
		45	+ keyring_context = lxc_conf->lsm_se_context;
		46	+ }
		47
		48	- ret = lxc_setup_keyring(keyring_context);
		49	- if (ret < 0)
		50	- return -1;
		51	+ ret = lxc_setup_keyring(keyring_context);
		52	+ if (ret < 0)
		53	+ return -1;
		54	+ }
		55
		56	if (handler->ns_clone_flags & CLONE_NEWNET) {
		57	ret = lxc_setup_network_in_child_namespaces(lxc_conf,
		58	diff --git a/src/lxc/conf.h b/src/lxc/conf.h
		59	index bb47b720e..b81786838 100644
		60	--- a/src/lxc/conf.h
		61	+++ b/src/lxc/conf.h
		62	@@ -296,6 +296,7 @@ struct lxc_conf {
		63	struct lxc_list lsm_aa_raw;
		64	char *lsm_se_context;
		65	char *lsm_se_keyring_context;
		66	+ bool keyring_disable_session;
		67	bool tmp_umount_proc;
		68	struct lxc_seccomp seccomp;
		69	int maincmd_fd;
		70	diff --git a/src/lxc/confile.c b/src/lxc/confile.c
		71	index df184af73..fd8b3aaba 100644
		72	--- a/src/lxc/confile.c
		73	+++ b/src/lxc/confile.c
		74	@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
		75	lxc_config_define(init_cwd);
		76	lxc_config_define(init_gid);
		77	lxc_config_define(init_uid);
		78	+lxc_config_define(keyring_session);
		79	lxc_config_define(log_file);
		80	lxc_config_define(log_level);
		81	lxc_config_define(log_syslog);
		82	@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
		83	{ "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
		84	{ "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
		85	{ "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
		86	+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
		87	{ "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
		88	{ "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
		89	{ "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
		90	@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char key, const char value
		91	return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
		92	}
		93
		94	+static int set_config_keyring_session(const char key, const char value,
		95	+ struct lxc_conf lxc_conf, void data)
		96	+{
		97	+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
		98	+}
		99	+
		100	static int set_config_log_file(const char key, const char value,
		101	struct lxc_conf c, void data)
		102	{
		103	@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char key, const char value,
		104	static int set_config_rootfs_managed(const char key, const char value,
		105	struct lxc_conf lxc_conf, void data)
		106	{
		107	- unsigned int val = 0;
		108	-
		109	- if (lxc_config_value_empty(value)) {
		110	- lxc_conf->rootfs.managed = true;
		111	- return 0;
		112	- }
		113	-
		114	- if (lxc_safe_uint(value, &val) < 0)
		115	- return -EINVAL;
		116	-
		117	- switch (val) {
		118	- case 0:
		119	- lxc_conf->rootfs.managed = false;
		120	- return 0;
		121	- case 1:
		122	- lxc_conf->rootfs.managed = true;
		123	- return 0;
		124	- }
		125	-
		126	- return -EINVAL;
		127	+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
		128	}
		129
		130	static int set_config_rootfs_mount(const char key, const char value,
		131	@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char key, char retv, int i
		132	return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
		133	}
		134
		135	+static int get_config_keyring_session(const char key, char retv, int inlen,
		136	+ struct lxc_conf c, void data)
		137	+{
		138	+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
		139	+}
		140	+
		141
		142	/* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
		143	* just the value(s) will be printed. Since there still could be more than one,
		144	@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
		145	return 0;
		146	}
		147
		148	+static inline int clr_config_keyring_session(const char *key,
		149	+ struct lxc_conf c, void data)
		150	+{
		151	+ c->keyring_disable_session = false;
		152	+ return 0;
		153	+}
		154	+
		155	static inline int clr_config_cgroup_controller(const char *key,
		156	struct lxc_conf c, void data)
		157	{
		158	@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf conf, const char key, char *retv,
		159	strprint(retv, inlen, "order\n");
		160	} else if (!strcmp(key, "lxc.monitor")) {
		161	strprint(retv, inlen, "unshare\n");
		162	+ } else if (!strcmp(key, "lxc.keyring")) {
		163	+ strprint(retv, inlen, "session\n");
		164	} else {
		165	fulllen = -1;
		166	}
		167	diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
		168	index 6941f4026..02e48454b 100644
		169	--- a/src/lxc/confile_utils.c
		170	+++ b/src/lxc/confile_utils.c
		171	@@ -666,6 +666,30 @@ int set_config_path_item(char *conf_item, const char value)
		172	return set_config_string_item_max(conf_item, value, PATH_MAX);
		173	}
		174
		175	+int set_config_bool_item(bool conf_item, const char value, bool empty_conf_action)
		176	+{
		177	+ unsigned int val = 0;
		178	+
		179	+ if (lxc_config_value_empty(value)) {
		180	+ *conf_item = empty_conf_action;
		181	+ return 0;
		182	+ }
		183	+
		184	+ if (lxc_safe_uint(value, &val) < 0)
		185	+ return -EINVAL;
		186	+
		187	+ switch (val) {
		188	+ case 0:
		189	+ *conf_item = false;
		190	+ return 0;
		191	+ case 1:
		192	+ *conf_item = true;
		193	+ return 0;
		194	+ }
		195	+
		196	+ return -EINVAL;
		197	+}
		198	+
		199	int config_ip_prefix(struct in_addr *addr)
		200	{
		201	if (IN_CLASSA(addr->s_addr))
		202	diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
		203	index f68f9604f..83d49bace 100644
		204	--- a/src/lxc/confile_utils.h
		205	+++ b/src/lxc/confile_utils.h
		206	@@ -68,6 +68,8 @@ extern int set_config_string_item(char *conf_item, const char value);
		207	extern int set_config_string_item_max(char *conf_item, const char value,
		208	size_t max);
		209	extern int set_config_path_item(char *conf_item, const char value);
		210	+extern int set_config_bool_item(bool conf_item, const char value,
		211	+ bool empty_conf_action);
		212	extern int config_ip_prefix(struct in_addr *addr);
		213	extern int network_ifname(char valuep, const char value, size_t size);
		214	extern void rand_complete_hwaddr(char *hwaddr);
		215	--
		216	2.24.1
		217


diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_3.2.1.bb index b8525156..bedcf137 100644 --- a/recipes-containers/lxc/lxc_3.2.1.bb +++ b/recipes-containers/lxc/lxc_3.2.1.bb
@@ -45,6 +45,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
45	file://tests-our-init-is-not-busybox.patch \	45	file://tests-our-init-is-not-busybox.patch \
46	file://tests-add-no-validate-when-using-download-template.patch \	46	file://tests-add-no-validate-when-using-download-template.patch \
47	file://network-restore-ability-to-move-nl80211-devices.patch \	47	file://network-restore-ability-to-move-nl80211-devices.patch \
		48	file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
		49	file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
48	file://dnsmasq.conf \	50	file://dnsmasq.conf \
49	file://lxc-net \	51	file://lxc-net \
50	"	52	"