lxc: Backport patches for keyring options

The added patches allow to set the SELinux context for the session keyring that is created by lxc. In addition it is possible to disable the creation of a new session keyring completely. Upstream PR: https://github.com/lxc/lxc/pull/3260 (merged) If lxc is executed on a SELinux enabled system, these options can be used to assign the expected label to the session keyring. Signed-off-by: Maximilian Blenk <maximilian.blenk@bmw.de> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Maximilian Blenk <Maximilian.Blenk@bmw.de> 2020-02-04 15:55:28 +0100
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2020-02-13 17:21:41 -0500
commit: b8c810c6083311593b0432ede69cefeb4226cdf6 (patch)
tree: 48459fb25442b046716a6082d8414f3b94cf4ed3 /recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
parent: ad580c253d82126e8d1d0e96e0d77829ab26beec (diff)
download: meta-virtualization-b8c810c6083311593b0432ede69cefeb4226cdf6.tar.gz
1 files changed, 217 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
new file mode 100644
index 00000000..34647c80
--- /dev/null
+++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
+From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Thu, 30 Jan 2020 19:21:10 +0100
+Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
+ creation
+lxc set's up a new session keyring for every container by default.
+There might be valid use-cases where this is not wanted / needed
+(e.g. systemd by default creates a new session keyring anyway).
+Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+---
+ src/lxc/conf.c          | 19 ++++++++++--------
+ src/lxc/conf.h          |  1 +
+ src/lxc/confile.c       | 44 ++++++++++++++++++++++-------------------
+ src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
+ src/lxc/confile_utils.h |  2 ++
+ 5 files changed, 62 insertions(+), 28 deletions(-)
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index b06fbf047..be4761a54 100644
+--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
+@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
+        lxc_list_init(&new->lsm_aa_raw);
+        new->lsm_se_context = NULL;
+        new->lsm_se_keyring_context = NULL;
+       new->keyring_disable_session = false;
+        new->tmp_umount_proc = false;
+        new->tmp_umount_proc = 0;
+        new->shmount.path_host = NULL;
+@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
+                }
+        }
+ 
+-       if (lxc_conf->lsm_se_keyring_context) {
+-               keyring_context = lxc_conf->lsm_se_keyring_context;
+-       } else if (lxc_conf->lsm_se_context) {
+-               keyring_context = lxc_conf->lsm_se_context;
+-       }
+       if (!lxc_conf->keyring_disable_session) {
+               if (lxc_conf->lsm_se_keyring_context) {
+                       keyring_context = lxc_conf->lsm_se_keyring_context;
+               } else if (lxc_conf->lsm_se_context) {
+                       keyring_context = lxc_conf->lsm_se_context;
+               }
+ 
+-       ret = lxc_setup_keyring(keyring_context);
+-       if (ret < 0)
+-               return -1;
+               ret = lxc_setup_keyring(keyring_context);
+               if (ret < 0)
+                       return -1;
+       }
+ 
+        if (handler->ns_clone_flags & CLONE_NEWNET) {
+                ret = lxc_setup_network_in_child_namespaces(lxc_conf,
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index bb47b720e..b81786838 100644
+--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
+@@ -296,6 +296,7 @@ struct lxc_conf {
+        struct lxc_list lsm_aa_raw;
+        char *lsm_se_context;
+        char *lsm_se_keyring_context;
+       bool keyring_disable_session;
+        bool tmp_umount_proc;
+        struct lxc_seccomp seccomp;
+        int maincmd_fd;
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index df184af73..fd8b3aaba 100644
+--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
+@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
+ lxc_config_define(init_cwd);
+ lxc_config_define(init_gid);
+ lxc_config_define(init_uid);
+lxc_config_define(keyring_session);
+ lxc_config_define(log_file);
+ lxc_config_define(log_level);
+ lxc_config_define(log_syslog);
+@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
+        { "lxc.init.gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
+        { "lxc.init.uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
+        { "lxc.init.cwd",                  set_config_init_cwd,                    get_config_init_cwd,                    clr_config_init_cwd,                  },
+       { "lxc.keyring.session",           set_config_keyring_session,             get_config_keyring_session,             clr_config_keyring_session            },
+        { "lxc.log.file",                  set_config_log_file,                    get_config_log_file,                    clr_config_log_file,                  },
+        { "lxc.log.level",                 set_config_log_level,                   get_config_log_level,                   clr_config_log_level,                 },
+        { "lxc.log.syslog",                set_config_log_syslog,                  get_config_log_syslog,                  clr_config_log_syslog,                },
+@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
+        return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+ }
+ 
+static int set_config_keyring_session(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
+}
+
+ static int set_config_log_file(const char *key, const char *value,
+                              struct lxc_conf *c, void *data)
+ {
+@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
+ static int set_config_rootfs_managed(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
+ {
+-       unsigned int val = 0;
+-
+-       if (lxc_config_value_empty(value)) {
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       if (lxc_safe_uint(value, &val) < 0)
+-               return -EINVAL;
+-
+-       switch (val) {
+-       case 0:
+-               lxc_conf->rootfs.managed = false;
+-               return 0;
+-       case 1:
+-               lxc_conf->rootfs.managed = true;
+-               return 0;
+-       }
+-
+-       return -EINVAL;
+       return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
+ }
+ 
+ static int set_config_rootfs_mount(const char *key, const char *value,
+@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
+        return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+ }
+ 
+static int get_config_keyring_session(const char *key, char *retv, int inlen,
+                                     struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
+}
+
+ 
+ /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
+  * just the value(s) will be printed. Since there still could be more than one,
+@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
+        return 0;
+ }
+ 
+static inline int clr_config_keyring_session(const char *key,
+                                            struct lxc_conf *c, void *data)
+{
+       c->keyring_disable_session = false;
+       return 0;
+}
+
+ static inline int clr_config_cgroup_controller(const char *key,
+                                               struct lxc_conf *c, void *data)
+ {
+@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
+                strprint(retv, inlen, "order\n");
+        } else if (!strcmp(key, "lxc.monitor")) {
+                strprint(retv, inlen, "unshare\n");
+       } else if (!strcmp(key, "lxc.keyring")) {
+               strprint(retv, inlen, "session\n");
+        } else {
+                fulllen = -1;
+        }
+diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
+index 6941f4026..02e48454b 100644
+--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
+@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
+        return set_config_string_item_max(conf_item, value, PATH_MAX);
+ }
+ 
+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
+{
+       unsigned int val = 0;
+
+       if (lxc_config_value_empty(value)) {
+               *conf_item = empty_conf_action;
+               return 0;
+       }
+
+       if (lxc_safe_uint(value, &val) < 0)
+               return -EINVAL;
+
+       switch (val) {
+       case 0:
+               *conf_item = false;
+               return 0;
+       case 1:
+               *conf_item = true;
+               return 0;
+       }
+
+       return -EINVAL;
+}
+
+ int config_ip_prefix(struct in_addr *addr)
+ {
+        if (IN_CLASSA(addr->s_addr))
+diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
+index f68f9604f..83d49bace 100644
+--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
+@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
+ extern int set_config_string_item_max(char **conf_item, const char *value,
+                                      size_t max);
+ extern int set_config_path_item(char **conf_item, const char *value);
+extern int set_config_bool_item(bool *conf_item, const char *value,
+                                bool empty_conf_action);
+ extern int config_ip_prefix(struct in_addr *addr);
+ extern int network_ifname(char *valuep, const char *value, size_t size);
+ extern void rand_complete_hwaddr(char *hwaddr);
+-- 
+2.24.1
author	Maximilian Blenk <Maximilian.Blenk@bmw.de>	2020-02-04 15:55:28 +0100
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2020-02-13 17:21:41 -0500
commit	b8c810c6083311593b0432ede69cefeb4226cdf6 (patch)
tree	48459fb25442b046716a6082d8414f3b94cf4ed3 /recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
parent	ad580c253d82126e8d1d0e96e0d77829ab26beec (diff)
download	meta-virtualization-b8c810c6083311593b0432ede69cefeb4226cdf6.tar.gz

diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch new file mode 100644 index 00000000..34647c80 --- /dev/null +++ b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
@@ -0,0 +1,217 @@
	1	From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
	2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
	3	Date: Thu, 30 Jan 2020 19:21:10 +0100
	4	Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
	5	creation
	6
	7	lxc set's up a new session keyring for every container by default.
	8	There might be valid use-cases where this is not wanted / needed
	9	(e.g. systemd by default creates a new session keyring anyway).
	10
	11	Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
	12	---
	13	src/lxc/conf.c \| 19 ++++++++++--------
	14	src/lxc/conf.h \| 1 +
	15	src/lxc/confile.c \| 44 ++++++++++++++++++++++-------------------
	16	src/lxc/confile_utils.c \| 24 ++++++++++++++++++++++
	17	src/lxc/confile_utils.h \| 2 ++
	18	5 files changed, 62 insertions(+), 28 deletions(-)
	19
	20	diff --git a/src/lxc/conf.c b/src/lxc/conf.c
	21	index b06fbf047..be4761a54 100644
	22	--- a/src/lxc/conf.c
	23	+++ b/src/lxc/conf.c
	24	@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
	25	lxc_list_init(&new->lsm_aa_raw);
	26	new->lsm_se_context = NULL;
	27	new->lsm_se_keyring_context = NULL;
	28	+ new->keyring_disable_session = false;
	29	new->tmp_umount_proc = false;
	30	new->tmp_umount_proc = 0;
	31	new->shmount.path_host = NULL;
	32	@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
	33	}
	34	}
	35
	36	- if (lxc_conf->lsm_se_keyring_context) {
	37	- keyring_context = lxc_conf->lsm_se_keyring_context;
	38	- } else if (lxc_conf->lsm_se_context) {
	39	- keyring_context = lxc_conf->lsm_se_context;
	40	- }
	41	+ if (!lxc_conf->keyring_disable_session) {
	42	+ if (lxc_conf->lsm_se_keyring_context) {
	43	+ keyring_context = lxc_conf->lsm_se_keyring_context;
	44	+ } else if (lxc_conf->lsm_se_context) {
	45	+ keyring_context = lxc_conf->lsm_se_context;
	46	+ }
	47
	48	- ret = lxc_setup_keyring(keyring_context);
	49	- if (ret < 0)
	50	- return -1;
	51	+ ret = lxc_setup_keyring(keyring_context);
	52	+ if (ret < 0)
	53	+ return -1;
	54	+ }
	55
	56	if (handler->ns_clone_flags & CLONE_NEWNET) {
	57	ret = lxc_setup_network_in_child_namespaces(lxc_conf,
	58	diff --git a/src/lxc/conf.h b/src/lxc/conf.h
	59	index bb47b720e..b81786838 100644
	60	--- a/src/lxc/conf.h
	61	+++ b/src/lxc/conf.h
	62	@@ -296,6 +296,7 @@ struct lxc_conf {
	63	struct lxc_list lsm_aa_raw;
	64	char *lsm_se_context;
	65	char *lsm_se_keyring_context;
	66	+ bool keyring_disable_session;
	67	bool tmp_umount_proc;
	68	struct lxc_seccomp seccomp;
	69	int maincmd_fd;
	70	diff --git a/src/lxc/confile.c b/src/lxc/confile.c
	71	index df184af73..fd8b3aaba 100644
	72	--- a/src/lxc/confile.c
	73	+++ b/src/lxc/confile.c
	74	@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
	75	lxc_config_define(init_cwd);
	76	lxc_config_define(init_gid);
	77	lxc_config_define(init_uid);
	78	+lxc_config_define(keyring_session);
	79	lxc_config_define(log_file);
	80	lxc_config_define(log_level);
	81	lxc_config_define(log_syslog);
	82	@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
	83	{ "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
	84	{ "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
	85	{ "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
	86	+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
	87	{ "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
	88	{ "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
	89	{ "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
	90	@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char key, const char value
	91	return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
	92	}
	93
	94	+static int set_config_keyring_session(const char key, const char value,
	95	+ struct lxc_conf lxc_conf, void data)
	96	+{
	97	+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
	98	+}
	99	+
	100	static int set_config_log_file(const char key, const char value,
	101	struct lxc_conf c, void data)
	102	{
	103	@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char key, const char value,
	104	static int set_config_rootfs_managed(const char key, const char value,
	105	struct lxc_conf lxc_conf, void data)
	106	{
	107	- unsigned int val = 0;
	108	-
	109	- if (lxc_config_value_empty(value)) {
	110	- lxc_conf->rootfs.managed = true;
	111	- return 0;
	112	- }
	113	-
	114	- if (lxc_safe_uint(value, &val) < 0)
	115	- return -EINVAL;
	116	-
	117	- switch (val) {
	118	- case 0:
	119	- lxc_conf->rootfs.managed = false;
	120	- return 0;
	121	- case 1:
	122	- lxc_conf->rootfs.managed = true;
	123	- return 0;
	124	- }
	125	-
	126	- return -EINVAL;
	127	+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
	128	}
	129
	130	static int set_config_rootfs_mount(const char key, const char value,
	131	@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char key, char retv, int i
	132	return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
	133	}
	134
	135	+static int get_config_keyring_session(const char key, char retv, int inlen,
	136	+ struct lxc_conf c, void data)
	137	+{
	138	+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
	139	+}
	140	+
	141
	142	/* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
	143	* just the value(s) will be printed. Since there still could be more than one,
	144	@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
	145	return 0;
	146	}
	147
	148	+static inline int clr_config_keyring_session(const char *key,
	149	+ struct lxc_conf c, void data)
	150	+{
	151	+ c->keyring_disable_session = false;
	152	+ return 0;
	153	+}
	154	+
	155	static inline int clr_config_cgroup_controller(const char *key,
	156	struct lxc_conf c, void data)
	157	{
	158	@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf conf, const char key, char *retv,
	159	strprint(retv, inlen, "order\n");
	160	} else if (!strcmp(key, "lxc.monitor")) {
	161	strprint(retv, inlen, "unshare\n");
	162	+ } else if (!strcmp(key, "lxc.keyring")) {
	163	+ strprint(retv, inlen, "session\n");
	164	} else {
	165	fulllen = -1;
	166	}
	167	diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
	168	index 6941f4026..02e48454b 100644
	169	--- a/src/lxc/confile_utils.c
	170	+++ b/src/lxc/confile_utils.c
	171	@@ -666,6 +666,30 @@ int set_config_path_item(char *conf_item, const char value)
	172	return set_config_string_item_max(conf_item, value, PATH_MAX);
	173	}
	174
	175	+int set_config_bool_item(bool conf_item, const char value, bool empty_conf_action)
	176	+{
	177	+ unsigned int val = 0;
	178	+
	179	+ if (lxc_config_value_empty(value)) {
	180	+ *conf_item = empty_conf_action;
	181	+ return 0;
	182	+ }
	183	+
	184	+ if (lxc_safe_uint(value, &val) < 0)
	185	+ return -EINVAL;
	186	+
	187	+ switch (val) {
	188	+ case 0:
	189	+ *conf_item = false;
	190	+ return 0;
	191	+ case 1:
	192	+ *conf_item = true;
	193	+ return 0;
	194	+ }
	195	+
	196	+ return -EINVAL;
	197	+}
	198	+
	199	int config_ip_prefix(struct in_addr *addr)
	200	{
	201	if (IN_CLASSA(addr->s_addr))
	202	diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
	203	index f68f9604f..83d49bace 100644
	204	--- a/src/lxc/confile_utils.h
	205	+++ b/src/lxc/confile_utils.h
	206	@@ -68,6 +68,8 @@ extern int set_config_string_item(char *conf_item, const char value);
	207	extern int set_config_string_item_max(char *conf_item, const char value,
	208	size_t max);
	209	extern int set_config_path_item(char *conf_item, const char value);
	210	+extern int set_config_bool_item(bool conf_item, const char value,
	211	+ bool empty_conf_action);
	212	extern int config_ip_prefix(struct in_addr *addr);
	213	extern int network_ifname(char valuep, const char value, size_t size);
	214	extern void rand_complete_hwaddr(char *hwaddr);
	215	--
	216	2.24.1
	217