diff options
author | Yanfei Xu <yanfei.xu@windriver.com> | 2020-04-09 21:00:38 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2020-04-13 13:53:05 -0400 |
commit | 660ffa675e6d2a6157bde5677816916ddb822630 (patch) | |
tree | 0a46c707b0e900eb0de78679f052cb0956f1cecb /recipes-containers | |
parent | 62466a75a95e2b2b936ea70920853d46b1f6ba70 (diff) | |
download | meta-virtualization-660ffa675e6d2a6157bde5677816916ddb822630.tar.gz |
lxc: uprev from 3.2.1 to 4.0.1
Update to the just released 4.0.1. And drop some patches contained
in this released.
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat (limited to 'recipes-containers')
-rw-r--r-- | recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch | 275 | ||||
-rw-r--r-- | recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch | 46 | ||||
-rw-r--r-- | recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch | 217 | ||||
-rw-r--r-- | recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch | 94 | ||||
-rw-r--r-- | recipes-containers/lxc/lxc_4.0.1.bb (renamed from recipes-containers/lxc/lxc_3.2.1.bb) | 10 |
5 files changed, 3 insertions, 639 deletions
diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch deleted file mode 100644 index 0da1be08..00000000 --- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch +++ /dev/null | |||
@@ -1,275 +0,0 @@ | |||
1 | From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Maximilian Blenk <Maximilian.Blenk@bmw.de> | ||
3 | Date: Wed, 29 Jan 2020 17:09:50 +0100 | ||
4 | Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context | ||
5 | |||
6 | lxc set's up a new session keyring for every container by default. | ||
7 | If executed on an SELinux enabled system, by default, the keyring | ||
8 | inherits the label of the creating process. If executed with the | ||
9 | currently available SELinux policy, this means that the keyring | ||
10 | is labeled with the lxc_t type. Applications inside the container, | ||
11 | however, might expect that the keyring is labeled with a certain | ||
12 | context (and will fail to access the keyring if it's not explicitly | ||
13 | allowed in the global policy). This patch introduces the config | ||
14 | option lxc.selinux.context.keyring which enables to specify the | ||
15 | label of the newly created keyring. That is, the keyring can be | ||
16 | labeled with the label expected by the started application. | ||
17 | |||
18 | Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de> | ||
19 | --- | ||
20 | config/selinux/lxc.te | 3 +++ | ||
21 | src/lxc/conf.c | 10 +++++++++- | ||
22 | src/lxc/conf.h | 1 + | ||
23 | src/lxc/confile.c | 24 ++++++++++++++++++++++++ | ||
24 | src/lxc/lsm/lsm.c | 13 +++++++++++++ | ||
25 | src/lxc/lsm/lsm.h | 2 ++ | ||
26 | src/lxc/lsm/selinux.c | 13 +++++++++++++ | ||
27 | src/lxc/utils.c | 9 ++++++++- | ||
28 | src/lxc/utils.h | 2 +- | ||
29 | 9 files changed, 74 insertions(+), 3 deletions(-) | ||
30 | |||
31 | diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te | ||
32 | index bb4bfe3a8..d3f78d80b 100644 | ||
33 | --- a/config/selinux/lxc.te | ||
34 | +++ b/config/selinux/lxc.te | ||
35 | @@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms; | ||
36 | allow lxc_t self:rawip_socket create_socket_perms; | ||
37 | allow lxc_t self:netlink_route_socket create_netlink_socket_perms; | ||
38 | |||
39 | +# Needed to set label that the keyring will be created with | ||
40 | +allow lxc_t self:process { setkeycreate }; | ||
41 | + | ||
42 | dontaudit lxc_t sysctl_kernel_t:file write; | ||
43 | dontaudit lxc_t sysctl_modprobe_t:file write; | ||
44 | diff --git a/src/lxc/conf.c b/src/lxc/conf.c | ||
45 | index 0f8b3c928..b06fbf047 100644 | ||
46 | --- a/src/lxc/conf.c | ||
47 | +++ b/src/lxc/conf.c | ||
48 | @@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void) | ||
49 | new->lsm_aa_profile = NULL; | ||
50 | lxc_list_init(&new->lsm_aa_raw); | ||
51 | new->lsm_se_context = NULL; | ||
52 | + new->lsm_se_keyring_context = NULL; | ||
53 | new->tmp_umount_proc = false; | ||
54 | new->tmp_umount_proc = 0; | ||
55 | new->shmount.path_host = NULL; | ||
56 | @@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler) | ||
57 | int ret; | ||
58 | const char *lxcpath = handler->lxcpath, *name = handler->name; | ||
59 | struct lxc_conf *lxc_conf = handler->conf; | ||
60 | + char *keyring_context = NULL; | ||
61 | |||
62 | ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath); | ||
63 | if (ret < 0) { | ||
64 | @@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler) | ||
65 | } | ||
66 | } | ||
67 | |||
68 | - ret = lxc_setup_keyring(); | ||
69 | + if (lxc_conf->lsm_se_keyring_context) { | ||
70 | + keyring_context = lxc_conf->lsm_se_keyring_context; | ||
71 | + } else if (lxc_conf->lsm_se_context) { | ||
72 | + keyring_context = lxc_conf->lsm_se_context; | ||
73 | + } | ||
74 | + | ||
75 | + ret = lxc_setup_keyring(keyring_context); | ||
76 | if (ret < 0) | ||
77 | return -1; | ||
78 | |||
79 | diff --git a/src/lxc/conf.h b/src/lxc/conf.h | ||
80 | index 2664a1527..bb47b720e 100644 | ||
81 | --- a/src/lxc/conf.h | ||
82 | +++ b/src/lxc/conf.h | ||
83 | @@ -295,6 +295,7 @@ struct lxc_conf { | ||
84 | unsigned int lsm_aa_allow_incomplete; | ||
85 | struct lxc_list lsm_aa_raw; | ||
86 | char *lsm_se_context; | ||
87 | + char *lsm_se_keyring_context; | ||
88 | bool tmp_umount_proc; | ||
89 | struct lxc_seccomp seccomp; | ||
90 | int maincmd_fd; | ||
91 | diff --git a/src/lxc/confile.c b/src/lxc/confile.c | ||
92 | index 36d62cbca..df184af73 100644 | ||
93 | --- a/src/lxc/confile.c | ||
94 | +++ b/src/lxc/confile.c | ||
95 | @@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting); | ||
96 | lxc_config_define(seccomp_notify_cookie); | ||
97 | lxc_config_define(seccomp_notify_proxy); | ||
98 | lxc_config_define(selinux_context); | ||
99 | +lxc_config_define(selinux_context_keyring); | ||
100 | lxc_config_define(signal_halt); | ||
101 | lxc_config_define(signal_reboot); | ||
102 | lxc_config_define(signal_stop); | ||
103 | @@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = { | ||
104 | { "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, }, | ||
105 | { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, }, | ||
106 | { "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, }, | ||
107 | + { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring }, | ||
108 | { "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, }, | ||
109 | { "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, }, | ||
110 | { "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, }, | ||
111 | @@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value, | ||
112 | return set_config_string_item(&lxc_conf->lsm_se_context, value); | ||
113 | } | ||
114 | |||
115 | +static int set_config_selinux_context_keyring(const char *key, const char *value, | ||
116 | + struct lxc_conf *lxc_conf, void *data) | ||
117 | +{ | ||
118 | + return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); | ||
119 | +} | ||
120 | + | ||
121 | static int set_config_log_file(const char *key, const char *value, | ||
122 | struct lxc_conf *c, void *data) | ||
123 | { | ||
124 | @@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen, | ||
125 | return lxc_get_conf_str(retv, inlen, c->lsm_se_context); | ||
126 | } | ||
127 | |||
128 | +static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen, | ||
129 | + struct lxc_conf *c, void *data) | ||
130 | +{ | ||
131 | + return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context); | ||
132 | +} | ||
133 | + | ||
134 | + | ||
135 | /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then | ||
136 | * just the value(s) will be printed. Since there still could be more than one, | ||
137 | * it is newline-separated. | ||
138 | @@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key, | ||
139 | return 0; | ||
140 | } | ||
141 | |||
142 | +static inline int clr_config_selinux_context_keyring(const char *key, | ||
143 | + struct lxc_conf *c, void *data) | ||
144 | +{ | ||
145 | + free(c->lsm_se_keyring_context); | ||
146 | + c->lsm_se_keyring_context = NULL; | ||
147 | + return 0; | ||
148 | +} | ||
149 | + | ||
150 | static inline int clr_config_cgroup_controller(const char *key, | ||
151 | struct lxc_conf *c, void *data) | ||
152 | { | ||
153 | @@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, | ||
154 | strprint(retv, inlen, "dir\n"); | ||
155 | } else if (!strcmp(key, "lxc.selinux")) { | ||
156 | strprint(retv, inlen, "context\n"); | ||
157 | + strprint(retv, inlen, "context.keyring\n"); | ||
158 | } else if (!strcmp(key, "lxc.mount")) { | ||
159 | strprint(retv, inlen, "auto\n"); | ||
160 | strprint(retv, inlen, "entry\n"); | ||
161 | diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c | ||
162 | index 5538c9e84..48c22b700 100644 | ||
163 | --- a/src/lxc/lsm/lsm.c | ||
164 | +++ b/src/lxc/lsm/lsm.c | ||
165 | @@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath) | ||
166 | |||
167 | drv->cleanup(conf, lxcpath); | ||
168 | } | ||
169 | + | ||
170 | +int lsm_keyring_label_set(char *label) { | ||
171 | + | ||
172 | + if (!drv) { | ||
173 | + ERROR("LSM driver not inited"); | ||
174 | + return -1; | ||
175 | + } | ||
176 | + | ||
177 | + if (!drv->keyring_label_set) | ||
178 | + return 0; | ||
179 | + | ||
180 | + return drv->keyring_label_set(label); | ||
181 | +} | ||
182 | diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h | ||
183 | index dda740b3d..a645a2fa0 100644 | ||
184 | --- a/src/lxc/lsm/lsm.h | ||
185 | +++ b/src/lxc/lsm/lsm.h | ||
186 | @@ -38,6 +38,7 @@ struct lsm_drv { | ||
187 | char *(*process_label_get)(pid_t pid); | ||
188 | int (*process_label_set)(const char *label, struct lxc_conf *conf, | ||
189 | bool on_exec); | ||
190 | + int (*keyring_label_set)(char* label); | ||
191 | int (*prepare)(struct lxc_conf *conf, const char *lxcpath); | ||
192 | void (*cleanup)(struct lxc_conf *conf, const char *lxcpath); | ||
193 | }; | ||
194 | @@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec); | ||
195 | extern int lsm_process_label_set_at(int label_fd, const char *label, | ||
196 | bool on_exec); | ||
197 | extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath); | ||
198 | +extern int lsm_keyring_label_set(char *label); | ||
199 | |||
200 | #endif /* __LXC_LSM_H */ | ||
201 | diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c | ||
202 | index 625bcae90..b3d95c310 100644 | ||
203 | --- a/src/lxc/lsm/selinux.c | ||
204 | +++ b/src/lxc/lsm/selinux.c | ||
205 | @@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf, | ||
206 | return 0; | ||
207 | } | ||
208 | |||
209 | +/* | ||
210 | + * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring | ||
211 | + * | ||
212 | + * @label : label string | ||
213 | + * | ||
214 | + * Returns 0 on success, < 0 on failure | ||
215 | + */ | ||
216 | +static int selinux_keyring_label_set(char *label) | ||
217 | +{ | ||
218 | + return setkeycreatecon_raw(label); | ||
219 | +}; | ||
220 | + | ||
221 | static struct lsm_drv selinux_drv = { | ||
222 | .name = "SELinux", | ||
223 | .enabled = is_selinux_enabled, | ||
224 | .process_label_get = selinux_process_label_get, | ||
225 | .process_label_set = selinux_process_label_set, | ||
226 | + .keyring_label_set = selinux_keyring_label_set, | ||
227 | }; | ||
228 | |||
229 | struct lsm_drv *lsm_selinux_drv_init(void) | ||
230 | diff --git a/src/lxc/utils.c b/src/lxc/utils.c | ||
231 | index bf4a9c2cb..90852eb87 100644 | ||
232 | --- a/src/lxc/utils.c | ||
233 | +++ b/src/lxc/utils.c | ||
234 | @@ -48,6 +48,7 @@ | ||
235 | |||
236 | #include "config.h" | ||
237 | #include "log.h" | ||
238 | +#include "lsm/lsm.h" | ||
239 | #include "lxclock.h" | ||
240 | #include "memory_utils.h" | ||
241 | #include "namespace.h" | ||
242 | @@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname) | ||
243 | return r; | ||
244 | } | ||
245 | |||
246 | -int lxc_setup_keyring(void) | ||
247 | +int lxc_setup_keyring(char *keyring_label) | ||
248 | { | ||
249 | key_serial_t keyring; | ||
250 | int ret = 0; | ||
251 | |||
252 | + if (keyring_label) { | ||
253 | + if (lsm_keyring_label_set(keyring_label) < 0) { | ||
254 | + ERROR("Couldn't set keyring label"); | ||
255 | + } | ||
256 | + } | ||
257 | + | ||
258 | /* Try to allocate a new session keyring for the container to prevent | ||
259 | * information leaks. | ||
260 | */ | ||
261 | diff --git a/src/lxc/utils.h b/src/lxc/utils.h | ||
262 | index dd6404f0b..7560711b7 100644 | ||
263 | --- a/src/lxc/utils.h | ||
264 | +++ b/src/lxc/utils.h | ||
265 | @@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n); | ||
266 | extern int lxc_set_death_signal(int signal, pid_t parent); | ||
267 | extern int fd_cloexec(int fd, bool cloexec); | ||
268 | extern int recursive_destroy(char *dirname); | ||
269 | -extern int lxc_setup_keyring(void); | ||
270 | +extern int lxc_setup_keyring(char *keyring_label); | ||
271 | |||
272 | #endif /* __LXC_UTILS_H */ | ||
273 | -- | ||
274 | 2.24.1 | ||
275 | |||
diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch deleted file mode 100644 index 9d5b5b8a..00000000 --- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001 | ||
2 | From: Patrick Havelange <patrick.havelange@essensium.com> | ||
3 | Date: Tue, 22 Oct 2019 12:29:54 +0200 | ||
4 | Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to | ||
5 | memfd_create_lxc | ||
6 | |||
7 | In case the internal memfd_create has to be used, make sure we don't | ||
8 | clash with the already existing memfd_create function from glibc. | ||
9 | |||
10 | This can happen if this glibc function is a stub. In this case, at | ||
11 | ./configure time, the test for this function will return false, however | ||
12 | the declaration of that function is still available. This leads to | ||
13 | compilation errors. | ||
14 | |||
15 | Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168] | ||
16 | |||
17 | Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com> | ||
18 | (cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71) | ||
19 | Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com> | ||
20 | --- | ||
21 | v2: added Upstream-Status | ||
22 | |||
23 | src/lxc/syscall_wrappers.h | 3 ++- | ||
24 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
25 | |||
26 | diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h | ||
27 | index ce67da5b5308..b7edba63f5d7 100644 | ||
28 | --- a/src/lxc/syscall_wrappers.h | ||
29 | +++ b/src/lxc/syscall_wrappers.h | ||
30 | @@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, | ||
31 | #endif | ||
32 | |||
33 | #ifndef HAVE_MEMFD_CREATE | ||
34 | -static inline int memfd_create(const char *name, unsigned int flags) { | ||
35 | +static inline int memfd_create_lxc(const char *name, unsigned int flags) { | ||
36 | #ifndef __NR_memfd_create | ||
37 | #if defined __i386__ | ||
38 | #define __NR_memfd_create 356 | ||
39 | @@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) { | ||
40 | return -1; | ||
41 | #endif | ||
42 | } | ||
43 | +#define memfd_create memfd_create_lxc | ||
44 | #else | ||
45 | extern int memfd_create(const char *name, unsigned int flags); | ||
46 | #endif | ||
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch deleted file mode 100644 index 34647c80..00000000 --- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch +++ /dev/null | |||
@@ -1,217 +0,0 @@ | |||
1 | From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001 | ||
2 | From: Maximilian Blenk <Maximilian.Blenk@bmw.de> | ||
3 | Date: Thu, 30 Jan 2020 19:21:10 +0100 | ||
4 | Subject: [PATCH 3/3] container.conf: Add option to disable session keyring | ||
5 | creation | ||
6 | |||
7 | lxc set's up a new session keyring for every container by default. | ||
8 | There might be valid use-cases where this is not wanted / needed | ||
9 | (e.g. systemd by default creates a new session keyring anyway). | ||
10 | |||
11 | Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de> | ||
12 | --- | ||
13 | src/lxc/conf.c | 19 ++++++++++-------- | ||
14 | src/lxc/conf.h | 1 + | ||
15 | src/lxc/confile.c | 44 ++++++++++++++++++++++------------------- | ||
16 | src/lxc/confile_utils.c | 24 ++++++++++++++++++++++ | ||
17 | src/lxc/confile_utils.h | 2 ++ | ||
18 | 5 files changed, 62 insertions(+), 28 deletions(-) | ||
19 | |||
20 | diff --git a/src/lxc/conf.c b/src/lxc/conf.c | ||
21 | index b06fbf047..be4761a54 100644 | ||
22 | --- a/src/lxc/conf.c | ||
23 | +++ b/src/lxc/conf.c | ||
24 | @@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void) | ||
25 | lxc_list_init(&new->lsm_aa_raw); | ||
26 | new->lsm_se_context = NULL; | ||
27 | new->lsm_se_keyring_context = NULL; | ||
28 | + new->keyring_disable_session = false; | ||
29 | new->tmp_umount_proc = false; | ||
30 | new->tmp_umount_proc = 0; | ||
31 | new->shmount.path_host = NULL; | ||
32 | @@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler) | ||
33 | } | ||
34 | } | ||
35 | |||
36 | - if (lxc_conf->lsm_se_keyring_context) { | ||
37 | - keyring_context = lxc_conf->lsm_se_keyring_context; | ||
38 | - } else if (lxc_conf->lsm_se_context) { | ||
39 | - keyring_context = lxc_conf->lsm_se_context; | ||
40 | - } | ||
41 | + if (!lxc_conf->keyring_disable_session) { | ||
42 | + if (lxc_conf->lsm_se_keyring_context) { | ||
43 | + keyring_context = lxc_conf->lsm_se_keyring_context; | ||
44 | + } else if (lxc_conf->lsm_se_context) { | ||
45 | + keyring_context = lxc_conf->lsm_se_context; | ||
46 | + } | ||
47 | |||
48 | - ret = lxc_setup_keyring(keyring_context); | ||
49 | - if (ret < 0) | ||
50 | - return -1; | ||
51 | + ret = lxc_setup_keyring(keyring_context); | ||
52 | + if (ret < 0) | ||
53 | + return -1; | ||
54 | + } | ||
55 | |||
56 | if (handler->ns_clone_flags & CLONE_NEWNET) { | ||
57 | ret = lxc_setup_network_in_child_namespaces(lxc_conf, | ||
58 | diff --git a/src/lxc/conf.h b/src/lxc/conf.h | ||
59 | index bb47b720e..b81786838 100644 | ||
60 | --- a/src/lxc/conf.h | ||
61 | +++ b/src/lxc/conf.h | ||
62 | @@ -296,6 +296,7 @@ struct lxc_conf { | ||
63 | struct lxc_list lsm_aa_raw; | ||
64 | char *lsm_se_context; | ||
65 | char *lsm_se_keyring_context; | ||
66 | + bool keyring_disable_session; | ||
67 | bool tmp_umount_proc; | ||
68 | struct lxc_seccomp seccomp; | ||
69 | int maincmd_fd; | ||
70 | diff --git a/src/lxc/confile.c b/src/lxc/confile.c | ||
71 | index df184af73..fd8b3aaba 100644 | ||
72 | --- a/src/lxc/confile.c | ||
73 | +++ b/src/lxc/confile.c | ||
74 | @@ -110,6 +110,7 @@ lxc_config_define(init_cmd); | ||
75 | lxc_config_define(init_cwd); | ||
76 | lxc_config_define(init_gid); | ||
77 | lxc_config_define(init_uid); | ||
78 | +lxc_config_define(keyring_session); | ||
79 | lxc_config_define(log_file); | ||
80 | lxc_config_define(log_level); | ||
81 | lxc_config_define(log_syslog); | ||
82 | @@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = { | ||
83 | { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, }, | ||
84 | { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, }, | ||
85 | { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, }, | ||
86 | + { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session }, | ||
87 | { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, }, | ||
88 | { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, }, | ||
89 | { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, }, | ||
90 | @@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value | ||
91 | return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); | ||
92 | } | ||
93 | |||
94 | +static int set_config_keyring_session(const char *key, const char *value, | ||
95 | + struct lxc_conf *lxc_conf, void *data) | ||
96 | +{ | ||
97 | + return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false); | ||
98 | +} | ||
99 | + | ||
100 | static int set_config_log_file(const char *key, const char *value, | ||
101 | struct lxc_conf *c, void *data) | ||
102 | { | ||
103 | @@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value, | ||
104 | static int set_config_rootfs_managed(const char *key, const char *value, | ||
105 | struct lxc_conf *lxc_conf, void *data) | ||
106 | { | ||
107 | - unsigned int val = 0; | ||
108 | - | ||
109 | - if (lxc_config_value_empty(value)) { | ||
110 | - lxc_conf->rootfs.managed = true; | ||
111 | - return 0; | ||
112 | - } | ||
113 | - | ||
114 | - if (lxc_safe_uint(value, &val) < 0) | ||
115 | - return -EINVAL; | ||
116 | - | ||
117 | - switch (val) { | ||
118 | - case 0: | ||
119 | - lxc_conf->rootfs.managed = false; | ||
120 | - return 0; | ||
121 | - case 1: | ||
122 | - lxc_conf->rootfs.managed = true; | ||
123 | - return 0; | ||
124 | - } | ||
125 | - | ||
126 | - return -EINVAL; | ||
127 | + return set_config_bool_item(&lxc_conf->rootfs.managed, value, true); | ||
128 | } | ||
129 | |||
130 | static int set_config_rootfs_mount(const char *key, const char *value, | ||
131 | @@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i | ||
132 | return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context); | ||
133 | } | ||
134 | |||
135 | +static int get_config_keyring_session(const char *key, char *retv, int inlen, | ||
136 | + struct lxc_conf *c, void *data) | ||
137 | +{ | ||
138 | + return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session); | ||
139 | +} | ||
140 | + | ||
141 | |||
142 | /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then | ||
143 | * just the value(s) will be printed. Since there still could be more than one, | ||
144 | @@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key, | ||
145 | return 0; | ||
146 | } | ||
147 | |||
148 | +static inline int clr_config_keyring_session(const char *key, | ||
149 | + struct lxc_conf *c, void *data) | ||
150 | +{ | ||
151 | + c->keyring_disable_session = false; | ||
152 | + return 0; | ||
153 | +} | ||
154 | + | ||
155 | static inline int clr_config_cgroup_controller(const char *key, | ||
156 | struct lxc_conf *c, void *data) | ||
157 | { | ||
158 | @@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, | ||
159 | strprint(retv, inlen, "order\n"); | ||
160 | } else if (!strcmp(key, "lxc.monitor")) { | ||
161 | strprint(retv, inlen, "unshare\n"); | ||
162 | + } else if (!strcmp(key, "lxc.keyring")) { | ||
163 | + strprint(retv, inlen, "session\n"); | ||
164 | } else { | ||
165 | fulllen = -1; | ||
166 | } | ||
167 | diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c | ||
168 | index 6941f4026..02e48454b 100644 | ||
169 | --- a/src/lxc/confile_utils.c | ||
170 | +++ b/src/lxc/confile_utils.c | ||
171 | @@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value) | ||
172 | return set_config_string_item_max(conf_item, value, PATH_MAX); | ||
173 | } | ||
174 | |||
175 | +int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action) | ||
176 | +{ | ||
177 | + unsigned int val = 0; | ||
178 | + | ||
179 | + if (lxc_config_value_empty(value)) { | ||
180 | + *conf_item = empty_conf_action; | ||
181 | + return 0; | ||
182 | + } | ||
183 | + | ||
184 | + if (lxc_safe_uint(value, &val) < 0) | ||
185 | + return -EINVAL; | ||
186 | + | ||
187 | + switch (val) { | ||
188 | + case 0: | ||
189 | + *conf_item = false; | ||
190 | + return 0; | ||
191 | + case 1: | ||
192 | + *conf_item = true; | ||
193 | + return 0; | ||
194 | + } | ||
195 | + | ||
196 | + return -EINVAL; | ||
197 | +} | ||
198 | + | ||
199 | int config_ip_prefix(struct in_addr *addr) | ||
200 | { | ||
201 | if (IN_CLASSA(addr->s_addr)) | ||
202 | diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h | ||
203 | index f68f9604f..83d49bace 100644 | ||
204 | --- a/src/lxc/confile_utils.h | ||
205 | +++ b/src/lxc/confile_utils.h | ||
206 | @@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value); | ||
207 | extern int set_config_string_item_max(char **conf_item, const char *value, | ||
208 | size_t max); | ||
209 | extern int set_config_path_item(char **conf_item, const char *value); | ||
210 | +extern int set_config_bool_item(bool *conf_item, const char *value, | ||
211 | + bool empty_conf_action); | ||
212 | extern int config_ip_prefix(struct in_addr *addr); | ||
213 | extern int network_ifname(char *valuep, const char *value, size_t size); | ||
214 | extern void rand_complete_hwaddr(char *hwaddr); | ||
215 | -- | ||
216 | 2.24.1 | ||
217 | |||
diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch deleted file mode 100644 index aa1aecd4..00000000 --- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch +++ /dev/null | |||
@@ -1,94 +0,0 @@ | |||
1 | From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Brauner <christian.brauner@ubuntu.com> | ||
3 | Date: Fri, 26 Jul 2019 08:20:02 +0200 | ||
4 | Subject: [PATCH] network: restore ability to move nl80211 devices | ||
5 | |||
6 | Closes #3105. | ||
7 | Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> | ||
8 | --- | ||
9 | src/lxc/network.c | 31 +++++++++++++++++-------------- | ||
10 | 1 file changed, 17 insertions(+), 14 deletions(-) | ||
11 | |||
12 | diff --git a/src/lxc/network.c b/src/lxc/network.c | ||
13 | index 9755116..7684f95 100644 | ||
14 | --- a/src/lxc/network.c | ||
15 | +++ b/src/lxc/network.c | ||
16 | @@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old, | ||
17 | static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid, | ||
18 | const char *newname) | ||
19 | { | ||
20 | - char *cmd; | ||
21 | + __do_free char *cmd = NULL; | ||
22 | pid_t fpid; | ||
23 | - int err = -1; | ||
24 | |||
25 | /* Move phyN into the container. TODO - do this using netlink. | ||
26 | * However, IIUC this involves a bit more complicated work to talk to | ||
27 | * the 80211 module, so for now just call out to iw. | ||
28 | */ | ||
29 | cmd = on_path("iw", NULL); | ||
30 | - if (!cmd) | ||
31 | - goto out1; | ||
32 | - free(cmd); | ||
33 | + if (!cmd) { | ||
34 | + return -1; | ||
35 | + } | ||
36 | |||
37 | fpid = fork(); | ||
38 | if (fpid < 0) | ||
39 | - goto out1; | ||
40 | + return -1; | ||
41 | |||
42 | if (fpid == 0) { | ||
43 | char pidstr[30]; | ||
44 | @@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid, | ||
45 | } | ||
46 | |||
47 | if (wait_for_pid(fpid)) | ||
48 | - goto out1; | ||
49 | + return -1; | ||
50 | |||
51 | - err = 0; | ||
52 | if (newname) | ||
53 | - err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname); | ||
54 | + return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname); | ||
55 | |||
56 | -out1: | ||
57 | - free(physname); | ||
58 | - return err; | ||
59 | + return 0; | ||
60 | } | ||
61 | |||
62 | int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname) | ||
63 | { | ||
64 | + __do_free char *physname = NULL; | ||
65 | int index; | ||
66 | - char *physname; | ||
67 | |||
68 | if (!ifname) | ||
69 | return -EINVAL; | ||
70 | @@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler) | ||
71 | return 0; | ||
72 | |||
73 | lxc_list_for_each(iterator, network) { | ||
74 | + __do_free char *physname = NULL; | ||
75 | int ret; | ||
76 | struct lxc_netdev *netdev = iterator->elem; | ||
77 | |||
78 | if (!netdev->ifindex) | ||
79 | continue; | ||
80 | |||
81 | - ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL); | ||
82 | + if (netdev->type == LXC_NET_PHYS) | ||
83 | + physname = is_wlan(netdev->link); | ||
84 | + | ||
85 | + if (physname) | ||
86 | + ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL); | ||
87 | + else | ||
88 | + ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL); | ||
89 | if (ret) { | ||
90 | errno = -ret; | ||
91 | SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d", | ||
92 | -- | ||
93 | 2.7.4 | ||
94 | |||
diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb index 9592dd9b..a3de38ef 100644 --- a/recipes-containers/lxc/lxc_3.2.1.bb +++ b/recipes-containers/lxc/lxc_4.0.1.bb | |||
@@ -1,7 +1,7 @@ | |||
1 | DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object" | 1 | DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object" |
2 | SECTION = "console/utils" | 2 | SECTION = "console/utils" |
3 | LICENSE = "LGPLv2.1" | 3 | LICENSE = "LGPLv2.1" |
4 | LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" | 4 | LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" |
5 | DEPENDS = "libxml2 libcap" | 5 | DEPENDS = "libxml2 libcap" |
6 | RDEPENDS_${PN} = " \ | 6 | RDEPENDS_${PN} = " \ |
7 | rsync \ | 7 | rsync \ |
@@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \ | |||
44 | file://templates-use-curl-instead-of-wget.patch \ | 44 | file://templates-use-curl-instead-of-wget.patch \ |
45 | file://tests-our-init-is-not-busybox.patch \ | 45 | file://tests-our-init-is-not-busybox.patch \ |
46 | file://tests-add-no-validate-when-using-download-template.patch \ | 46 | file://tests-add-no-validate-when-using-download-template.patch \ |
47 | file://network-restore-ability-to-move-nl80211-devices.patch \ | ||
48 | file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \ | ||
49 | file://0002-container.conf-Add-option-to-disable-session-keyring.patch \ | ||
50 | file://dnsmasq.conf \ | 47 | file://dnsmasq.conf \ |
51 | file://lxc-net \ | 48 | file://lxc-net \ |
52 | file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \ | ||
53 | " | 49 | " |
54 | 50 | ||
55 | SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85" | 51 | SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156" |
56 | SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4" | 52 | SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d" |
57 | 53 | ||
58 | S = "${WORKDIR}/${BPN}-${PV}" | 54 | S = "${WORKDIR}/${BPN}-${PV}" |
59 | 55 | ||