Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2014-06-25 21:20:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2014-06-10 14:38:30.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2014-06-25 21:20:47.000000000 +0200 @@ -1,0 +2,9 @@ +Wed Jun 25 13:42:00 UTC 2014 - [email protected] + +- lxc-keep-caps-feature.patch: allow to keep/drop additional + capabilities for LXC containers. bnc#881465 +- lxc-keep-caps-feature-conversion.patch: convert lxc.cap.drop to + the new domain configuration. +- lxc-keep-caps-feature-doc.patch: documentation for the new feature. + +------------------------------------------------------------------- New: ---- lxc-keep-caps-feature-conversion.patch lxc-keep-caps-feature-doc.patch lxc-keep-caps-feature.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.fBGSmt/_old 2014-06-25 21:20:49.000000000 +0200 +++ /var/tmp/diff_new_pack.fBGSmt/_new 2014-06-25 21:20:49.000000000 +0200 @@ -435,6 +435,9 @@ Patch103: add-nocow-to-vol-xml.patch # pending review upstream patches Patch150: libxl-migration-support.patch +Patch151: lxc-keep-caps-feature.patch +Patch152: lxc-keep-caps-feature-conversion.patch +Patch153: lxc-keep-caps-feature-doc.patch # Our patches Patch200: libvirtd-defaults.patch Patch201: libvirtd-init-script.patch @@ -951,6 +954,9 @@ %patch102 -p1 %patch103 -p1 %patch150 -p1 +%patch151 -p1 +%patch152 -p1 +%patch153 -p1 %patch200 -p1 %patch201 -p1 %patch202 -p1 ++++++ lxc-keep-caps-feature-conversion.patch ++++++ >From f199dbab24896c31c90a3291c4779daccef949ed Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]> Date: Wed, 11 Jun 2014 16:43:45 +0200 Subject: [PATCH 2/3] lxc domain from xml: convert lxc.cap.drop --- src/lxc/lxc_native.c | 25 ++++++++++++++++++++++ tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml | 2 ++ tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml | 2 ++ tests/lxcconf2xmldata/lxcconf2xml-cputune.xml | 2 ++ tests/lxcconf2xmldata/lxcconf2xml-idmap.xml | 2 ++ .../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml | 4 ++++ tests/lxcconf2xmldata/lxcconf2xml-memtune.xml | 2 ++ tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml | 4 ++++ tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml | 2 ++ tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml | 4 ++++ tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 8 +++++++ tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml | 4 ++++ 12 files changed, 61 insertions(+) diff --git a/src/lxc/lxc_native.c b/src/lxc/lxc_native.c index f4c4556..29ec188 100644 --- a/src/lxc/lxc_native.c +++ b/src/lxc/lxc_native.c @@ -838,6 +838,28 @@ lxcSetBlkioTune(virDomainDefPtr def, virConfPtr properties) return 0; } +static void +lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties) +{ + virConfValuePtr value; + char **toDrop = NULL; + const char *capString; + size_t i; + + if ((value = virConfGetValue(properties, "lxc.cap.drop")) && value->str) + toDrop = virStringSplit(value->str, " ", 0); + + for (i = 0; i < VIR_DOMAIN_CAPS_FEATURE_LAST; i++) { + capString = virDomainCapsFeatureTypeToString(i); + if (toDrop != NULL && virStringArrayHasString(toDrop, capString)) + def->caps_features[i] = VIR_DOMAIN_FEATURE_STATE_OFF; + } + + def->features[VIR_DOMAIN_FEATURE_CAPABILITIES] = VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW; + + virStringFreeList(toDrop); +} + virDomainDefPtr lxcParseConfigString(const char *config) { 
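Review bot: lxcSetCapDrop fails open: an entry in `lxc.cap.drop` that matches no virDomainCapsFeature name (a typo, or a capability libvirt does not model) is silently skipped, and a NULL from virStringSplit is treated as "nothing to drop", yet `def->features[VIR_DOMAIN_FEATURE_CAPABILITIES]` is still set to `VIR_DOMAIN_CAPABILITIES_POLICY_ALLOW`, so the converted domain keeps capabilities the source configuration meant to drop. Because the function is void, lxcParseConfigString cannot react, unlike the other setters it follows; returning int and rejecting unmatched names lets the call in the next hunk become `if (lxcSetCapDrop(vmdef, properties) < 0) goto error;`. This patch only reads `lxc.cap.drop`; a configuration relying on `lxc.cap.keep` also converts to policy='allow', which is strictly more permissive than the source, so the function should at least say so, e.g. `/* Only lxc.cap.drop is converted; lxc.cap.keep is not handled and the result is policy='allow' */`.
```c
static int
lxcSetCapDrop(virDomainDefPtr def, virConfPtr properties)
{
    /* … unchanged: declarations and the virStringSplit of lxc.cap.drop … */

    if (value && value->str && !toDrop)
        goto error;  /* split failed: do not silently convert to "keep everything" */

    for (i = 0; toDrop && toDrop[i]; i++) {
        if (*toDrop[i] == '\0')
            continue;  /* empty token from consecutive separators */
        if (virDomainCapsFeatureTypeFromString(toDrop[i]) < 0) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                           _("unsupported capability in lxc.cap.drop: %s"),
                           toDrop[i]);
            goto error;
        }
    }

    /* … unchanged: mark the matched capabilities off, set policy allow … */

    virStringFreeList(toDrop);
    return 0;

 error:
    virStringFreeList(toDrop);
    return -1;
}
```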
@@ -935,6 +957,9 @@ lxcParseConfigString(const char *config) if (lxcSetBlkioTune(vmdef, properties) < 0) goto error; + /* lxc.cap.drop */ + lxcSetCapDrop(vmdef, properties); + goto cleanup; error: diff --git a/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml b/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml index 36b8e52..c9c0469 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml @@ -25,6 +25,8 @@ </os> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml b/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml index 932ab61..e7863fa 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml @@ -13,6 +13,8 @@ </os> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml b/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml index 1bab1c6..50c5358 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-cputune.xml @@ -15,6 +15,8 @@ </os> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml b/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml index 050ccd6..80a83ff 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-idmap.xml @@ -14,6 +14,8 @@ </idmap> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml index 996c0f7..3105b8c 100644 
--- a/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml @@ -8,6 +8,10 @@ <type>exe</type> <init>/sbin/init</init> </os> + <features> + <capabilities policy='allow'> + </capabilities> + </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml b/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml index b7c919e..7df1ef0 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-memtune.xml @@ -15,6 +15,8 @@ </os> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml index 6d9e16d..e002b99 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml @@ -8,6 +8,10 @@ <type>exe</type> <init>/sbin/init</init> </os> + <features> + <capabilities policy='allow'> + </capabilities> + </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml index 101324a..dc9d635 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml @@ -10,6 +10,8 @@ </os> <features> <privnet/> + <capabilities policy='allow'> + </capabilities> </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml index 5fe1b03..cfaceb5 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml 
@@ -8,6 +8,10 @@ <type>exe</type> <init>/sbin/init</init> </os> + <features> + <capabilities policy='allow'> + </capabilities> + </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-simple.xml b/tests/lxcconf2xmldata/lxcconf2xml-simple.xml index b3c3659..549fc39 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-simple.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-simple.xml @@ -8,6 +8,14 @@ <type arch='i686'>exe</type> <init>/sbin/init</init> </os> + <features> + <capabilities policy='allow'> + <mac_admin state='off'/> + <mac_override state='off'/> + <mknod state='off'/> + <sys_module state='off'/> + </capabilities> + </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> diff --git a/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml b/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml index 45348ed..712be3e 100644 --- a/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml +++ b/tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml @@ -8,6 +8,10 @@ <type>exe</type> <init>/sbin/init</init> </os> + <features> + <capabilities policy='allow'> + </capabilities> + </features> <clock offset='utc'/> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> -- 1.8.4.5 ++++++ lxc-keep-caps-feature-doc.patch ++++++ >From b6f1f5a3be5b2643b255882effdca2e903d9d738 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]> Date: Wed, 11 Jun 2014 17:01:11 +0200 Subject: [PATCH 3/3] lxc: update doc to mention features/capabilities/* domain configuration --- docs/drvlxc.html.in | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in index fc4bc20..403ce24 100644 --- a/docs/drvlxc.html.in +++ b/docs/drvlxc.html.in 
@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root: </domain> </pre> +<h2><a name="capabilities">Altering the available capabilities</a></h2> + +<p> +By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD. +However <span class="since">since 1.2.6</span> libvirt can be told to keep or +drop some capabilities using a domain configuration like the following: +</p> +<pre> +... +<features> + <capabilities policy='default'> + <mknod state='on'/> + <sys_chroot state='off'/> + </capabilities> +</features> +... +</pre> +<p> +The capabilities children elements are named after the capabilities as defined in +<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the +capability, while an <code>on</code> state will force to keep the capability even though +this one is dropped by default. +</p> +<p> +The <code>policy</code> attribute can be one of <code>default</code>, <code>allow</code> +or <code>deny</code>. It defines the default rules for capabilities: either keep the +default behavior that is dropping a few selected capabilities, or keep all capabilities +or drop all capabilities. The interest of <code>allow</code> and <code>deny</code> is that +they guarantee that all capabilities will be kept (or removed) even if new ones are added +later. +</p> +<p> +The following example, drops all capabilities but CAP_MKNOD: +</p> +<pre> +... +<features> + <capabilities policy='deny'> + <mknod state='on'/> + </capabilities> +</features> +... +</pre> +<p> +Note that allowing capabilities that are normally dropped by default can seriously +affect the security of the container and the host. +</p> <h2><a name="usage">Container usage / management</a></h2> -- 1.8.4.5 ++++++ lxc-keep-caps-feature.patch ++++++ ++++ 863 lines (skipped) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
