1 files changed, 217 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
new file mode 100644
index 00000000..34647c80
--- /dev/null
+++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
+From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Thu, 30 Jan 2020 19:21:10 +0100
+Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
+ creation
+lxc set's up a new session keyring for every container by default.
+There might be valid use-cases where this is not wanted / needed
+(e.g. systemd by default creates a new session keyring anyway).
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ src/lxc/conf.c          | 19 ++++++++++--------
+ src/lxc/conf.h          |  1 +
+ src/lxc/confile.c       | 44 ++++++++++++++++++++++-------------------
+ src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
+ src/lxc/confile_utils.h |  2 ++
+ 5 files changed, 62 insertions(+), 28 deletions(-)
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index b06fbf047..be4761a54 100644
+--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
+@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
+        lxc_list_init(&new->lsm_aa_raw);
+        new->lsm_se_context = NULL;
+        new->lsm_se_keyring_context = NULL;
+       new->keyring_disable_session = false;
+        new->tmp_umount_proc = false;
+        new->tmp_umount_proc = 0;
+        new->shmount.path_host = NULL;
+@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
+                }
+        }
+ 
+-       if (lxc_conf->lsm_se_keyring_context) {
+-               keyring_context = lxc_conf->lsm_se_keyring_context;
+-       } else if (lxc_conf->lsm_se_context) {
+-               keyring_context = lxc_conf->lsm_se_context;
+-       }
+       if (!lxc_conf->keyring_disable_session) {
+               if (lxc_conf->lsm_se_keyring_context) {
+                       keyring_context = lxc_conf->lsm_se_keyring_context;
+               } else if (lxc_conf->lsm_se_context) {
+                       keyring_context = lxc_conf->lsm_se_context;
+               }
+ 
+-       ret = lxc_setup_keyring(keyring_context);
+-       if (ret < 0)
+-               return -1;
+               ret = lxc_setup_keyring(keyring_context);
+               if (ret < 0)
+                       return -1;
+       }
+ 
+        if (handler->ns_clone_flags & CLONE_NEWNET) {
+                ret = lxc_setup_network_in_child_namespaces(lxc_conf,
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index bb47b720e..b81786838 100644
+--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
+@@ -296,6 +296,7 @@ struct lxc_conf {
+        struct lxc_list lsm_aa_raw;
+        char *lsm_se_context;
+        char *lsm_se_keyring_context;
+       bool keyring_disable_session;
+        bool tmp_umount_proc;
+        struct lxc_seccomp seccomp;
+        int maincmd_fd;
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index df184af73..fd8b3aaba 100644
+--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
+@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
+ lxc_config_define(init_cwd);
+ lxc_config_define(init_gid);
+ lxc_config_define(init_uid);
+lxc_config_define(keyring_session);
+ lxc_config_define(log_file);
+ lxc_config_define(log_level);
+ lxc_config_define(log_syslog);
+@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
+        { "lxc.init.gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
+        { "lxc.init.uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
+        { "lxc.init.cwd",                  set_config_init_cwd,                    get_config_init_cwd,                    clr_config_init_cwd,                  },
+       { "lxc.keyring.session",           set_config_keyring_session,             get_config_keyring_session,             clr_config_keyring_session            },
+        { "lxc.log.file",                  set_config_log_file,                    get_config_log_file,                    clr_config_log_file,                  },
+        { "lxc.log.level",                 set_config_log_level,                   get_config_log_level,                   clr_config_log_level,                 },
+        { "lxc.log.syslog",                set_config_log_syslog,                  get_config_log_syslog,                  clr_config_log_syslog,                },
+@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
+        return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+ }
+ 
+static int set_config_keyring_session(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
+}
+
+ static int set_config_log_file(const char *key, const char *value,
+                              struct lxc_conf *c, void *data)
+ {
+@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
+ static int set_config_rootfs_managed(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+ {
+-       unsigned int val = 0;
+-
+-       if (lxc_config_value_empty(value)) {
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       if (lxc_safe_uint(value, &val) < 0)
+-               return -EINVAL;
+-
+-       switch (val) {
+-       case 0:
+-               lxc_conf->rootfs.managed = false;
+-               return 0;
+-       case 1:
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       return -EINVAL;
+       return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
+ }
+ 
+ static int set_config_rootfs_mount(const char *key, const char *value,
+@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
+        return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+ }
+ 
+static int get_config_keyring_session(const char *key, char *retv, int inlen,
+                                     struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
+}
+
+ 
+ /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
+  * just the value(s) will be printed. Since there still could be more than one,
+@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
+        return 0;
+ }
+ 
+static inline int clr_config_keyring_session(const char *key,
+                                            struct lxc_conf *c, void *data)
+{
+       c->keyring_disable_session = false;
+       return 0;
+}
+
+ static inline int clr_config_cgroup_controller(const char *key,
+                                               struct lxc_conf *c, void *data)
+ {
+@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
+                strprint(retv, inlen, "order\n");
+        } else if (!strcmp(key, "lxc.monitor")) {
+                strprint(retv, inlen, "unshare\n");
+       } else if (!strcmp(key, "lxc.keyring")) {
+               strprint(retv, inlen, "session\n");
+        } else {
+                fulllen = -1;
+        }
+diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
+index 6941f4026..02e48454b 100644
+--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
+@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
+        return set_config_string_item_max(conf_item, value, PATH_MAX);
+ }
+ 
+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
+{
+       unsigned int val = 0;
+
+       if (lxc_config_value_empty(value)) {
+               *conf_item = empty_conf_action;
+               return 0;
+       }
+
+       if (lxc_safe_uint(value, &val) < 0)
+               return -EINVAL;
+
+       switch (val) {
+       case 0:
+               *conf_item = false;
+               return 0;
+       case 1:
+               *conf_item = true;
+               return 0;
+       }
+
+       return -EINVAL;
+}
+
+ int config_ip_prefix(struct in_addr *addr)
+ {
+        if (IN_CLASSA(addr->s_addr))
+diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
+index f68f9604f..83d49bace 100644
+--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
+@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
+ extern int set_config_string_item_max(char **conf_item, const char *value,
+                                      size_t max);
+ extern int set_config_path_item(char **conf_item, const char *value);
+extern int set_config_bool_item(bool *conf_item, const char *value,
+                                bool empty_conf_action);
+ extern int config_ip_prefix(struct in_addr *addr);
+ extern int network_ifname(char *valuep, const char *value, size_t size);
+ extern void rand_complete_hwaddr(char *hwaddr);
+-- 
+2.24.1

diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch new file mode 100644 index 00000000..34647c80 --- /dev/null +++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
	1	From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
	2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
	3	Date: Thu, 30 Jan 2020 19:21:10 +0100
	4	Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
	5	creation
	6
	7	lxc set's up a new session keyring for every container by default.
	8	There might be valid use-cases where this is not wanted / needed
	9	(e.g. systemd by default creates a new session keyring anyway).
	10
	11	Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
	12	---
	13	src/lxc/conf.c \| 19 ++++++++++--------
	14	src/lxc/conf.h \| 1 +
	15	src/lxc/confile.c \| 44 ++++++++++++++++++++++-------------------
	16	src/lxc/confile_utils.c \| 24 ++++++++++++++++++++++
	17	src/lxc/confile_utils.h \| 2 ++
	18	5 files changed, 62 insertions(+), 28 deletions(-)
	19
	20	diff --git a/src/lxc/conf.c b/src/lxc/conf.c
	21	index b06fbf047..be4761a54 100644
	22	--- a/src/lxc/conf.c
	23	+++ b/src/lxc/conf.c
	24	@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
	25	lxc_list_init(&new->lsm_aa_raw);
	26	new->lsm_se_context = NULL;
	27	new->lsm_se_keyring_context = NULL;
	28	+ new->keyring_disable_session = false;
	29	new->tmp_umount_proc = false;
	30	new->tmp_umount_proc = 0;
	31	new->shmount.path_host = NULL;
	32	@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
	33	}
	34	}
	35
	36	- if (lxc_conf->lsm_se_keyring_context) {
	37	- keyring_context = lxc_conf->lsm_se_keyring_context;
	38	- } else if (lxc_conf->lsm_se_context) {
	39	- keyring_context = lxc_conf->lsm_se_context;
	40	- }
	41	+ if (!lxc_conf->keyring_disable_session) {
	42	+ if (lxc_conf->lsm_se_keyring_context) {
	43	+ keyring_context = lxc_conf->lsm_se_keyring_context;
	44	+ } else if (lxc_conf->lsm_se_context) {
	45	+ keyring_context = lxc_conf->lsm_se_context;
	46	+ }
	47
	48	- ret = lxc_setup_keyring(keyring_context);
	49	- if (ret < 0)
	50	- return -1;
	51	+ ret = lxc_setup_keyring(keyring_context);
	52	+ if (ret < 0)
	53	+ return -1;
	54	+ }
	55
	56	if (handler->ns_clone_flags & CLONE_NEWNET) {
	57	ret = lxc_setup_network_in_child_namespaces(lxc_conf,
	58	diff --git a/src/lxc/conf.h b/src/lxc/conf.h
	59	index bb47b720e..b81786838 100644
	60	--- a/src/lxc/conf.h
	61	+++ b/src/lxc/conf.h
	62	@@ -296,6 +296,7 @@ struct lxc_conf {
	63	struct lxc_list lsm_aa_raw;
	64	char *lsm_se_context;
	65	char *lsm_se_keyring_context;
	66	+ bool keyring_disable_session;
	67	bool tmp_umount_proc;
	68	struct lxc_seccomp seccomp;
	69	int maincmd_fd;
	70	diff --git a/src/lxc/confile.c b/src/lxc/confile.c
	71	index df184af73..fd8b3aaba 100644
	72	--- a/src/lxc/confile.c
	73	+++ b/src/lxc/confile.c
	74	@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
	75	lxc_config_define(init_cwd);
	76	lxc_config_define(init_gid);
	77	lxc_config_define(init_uid);
	78	+lxc_config_define(keyring_session);
	79	lxc_config_define(log_file);
	80	lxc_config_define(log_level);
	81	lxc_config_define(log_syslog);
	82	@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
	83	{ "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
	84	{ "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
	85	{ "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
	86	+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
	87	{ "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
	88	{ "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
	89	{ "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
	90	@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char key, const char value
	91	return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
	92	}
	93
	94	+static int set_config_keyring_session(const char key, const char value,
	95	+ struct lxc_conf lxc_conf, void data)
	96	+{
	97	+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
	98	+}
	99	+
	100	static int set_config_log_file(const char key, const char value,
	101	struct lxc_conf c, void data)
	102	{
	103	@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char key, const char value,
	104	static int set_config_rootfs_managed(const char key, const char value,
	105	struct lxc_conf lxc_conf, void data)
	106	{
	107	- unsigned int val = 0;
	108	-
	109	- if (lxc_config_value_empty(value)) {
	110	- lxc_conf->rootfs.managed = true;
	111	- return 0;
	112	- }
	113	-
	114	- if (lxc_safe_uint(value, &val) < 0)
	115	- return -EINVAL;
	116	-
	117	- switch (val) {
	118	- case 0:
	119	- lxc_conf->rootfs.managed = false;
	120	- return 0;
	121	- case 1:
	122	- lxc_conf->rootfs.managed = true;
	123	- return 0;
	124	- }
	125	-
	126	- return -EINVAL;
	127	+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
	128	}
	129
	130	static int set_config_rootfs_mount(const char key, const char value,
	131	@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char key, char retv, int i
	132	return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
	133	}
	134
	135	+static int get_config_keyring_session(const char key, char retv, int inlen,
	136	+ struct lxc_conf c, void data)
	137	+{
	138	+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
	139	+}
	140	+
	141
	142	/* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
	143	* just the value(s) will be printed. Since there still could be more than one,
	144	@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
	145	return 0;
	146	}
	147
	148	+static inline int clr_config_keyring_session(const char *key,
	149	+ struct lxc_conf c, void data)
	150	+{
	151	+ c->keyring_disable_session = false;
	152	+ return 0;
	153	+}
	154	+
	155	static inline int clr_config_cgroup_controller(const char *key,
	156	struct lxc_conf c, void data)
	157	{
	158	@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf conf, const char key, char *retv,
	159	strprint(retv, inlen, "order\n");
	160	} else if (!strcmp(key, "lxc.monitor")) {
	161	strprint(retv, inlen, "unshare\n");
	162	+ } else if (!strcmp(key, "lxc.keyring")) {
	163	+ strprint(retv, inlen, "session\n");
	164	} else {
	165	fulllen = -1;
	166	}
	167	diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
	168	index 6941f4026..02e48454b 100644
	169	--- a/src/lxc/confile_utils.c
	170	+++ b/src/lxc/confile_utils.c
	171	@@ -666,6 +666,30 @@ int set_config_path_item(char *conf_item, const char value)
	172	return set_config_string_item_max(conf_item, value, PATH_MAX);
	173	}
	174
	175	+int set_config_bool_item(bool conf_item, const char value, bool empty_conf_action)
	176	+{
	177	+ unsigned int val = 0;
	178	+
	179	+ if (lxc_config_value_empty(value)) {
	180	+ *conf_item = empty_conf_action;
	181	+ return 0;
	182	+ }
	183	+
	184	+ if (lxc_safe_uint(value, &val) < 0)
	185	+ return -EINVAL;
	186	+
	187	+ switch (val) {
	188	+ case 0:
	189	+ *conf_item = false;
	190	+ return 0;
	191	+ case 1:
	192	+ *conf_item = true;
	193	+ return 0;
	194	+ }
	195	+
	196	+ return -EINVAL;
	197	+}
	198	+
	199	int config_ip_prefix(struct in_addr *addr)
	200	{
	201	if (IN_CLASSA(addr->s_addr))
	202	diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
	203	index f68f9604f..83d49bace 100644
	204	--- a/src/lxc/confile_utils.h
	205	+++ b/src/lxc/confile_utils.h
	206	@@ -68,6 +68,8 @@ extern int set_config_string_item(char *conf_item, const char value);
	207	extern int set_config_string_item_max(char *conf_item, const char value,
	208	size_t max);
	209	extern int set_config_path_item(char *conf_item, const char value);
	210	+extern int set_config_bool_item(bool conf_item, const char value,
	211	+ bool empty_conf_action);
	212	extern int config_ip_prefix(struct in_addr *addr);
	213	extern int network_ifname(char valuep, const char value, size_t size);
	214	extern void rand_complete_hwaddr(char *hwaddr);
	215	--
	216	2.24.1
	217