Hello community, here is the log from the commit of package lxc.4068 for openSUSE:13.1:Update checked in at 2015-10-10 14:35:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/lxc.4068 (Old) and /work/SRC/openSUSE:13.1:Update/.lxc.4068.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc.4068" Changes: -------- New Changes file: --- /dev/null 2015-09-24 09:51:01.260026505 +0200 +++ /work/SRC/openSUSE:13.1:Update/.lxc.4068.new/lxc.changes 2015-10-10 14:35:03.000000000 +0200 
@@ -0,0 +1,347 @@ +------------------------------------------------------------------- +Fri Oct 2 14:01:07 UTC 2015 - [email protected] + +- Added CVE-2015-1335-Protect-container-mounts-against-symlinks.patch + (bsc#946744) + +------------------------------------------------------------------- +Thu Jul 23 10:06:47 UTC 2015 - [email protected] + +- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch + (bnc#938523) + +------------------------------------------------------------------- +Mon Jan 13 16:11:49 UTC 2014 - [email protected] + +- config_ipv6-run-inet_pton-on-the-addr-value-without-.patch: + config_ipv6: run inet_pton on the addr value without mask + (bnc#851760) + +------------------------------------------------------------------- +Fri Sep 20 14:46:37 UTC 2013 - [email protected] + +- lxc-opensuse-add-perl-base-to-prerequisities.patch: lxc-opensuse: + add perl-base to prerequisities (bnc#839873) + +------------------------------------------------------------------- +Tue Sep 10 15:32:28 UTC 2013 - [email protected] + +- opensuse-systemd-shutdown.patch: Fixed opensuse template to + workaround lxc-shutdown problem with systemd (bnc#839388) + +------------------------------------------------------------------- +Wed Apr 24 08:58:04 UTC 2013 - [email protected] + +- update to 0.9.0 + * configure-support-suse-s-docbook-to-man.patch: added to support + our docbook-to-man + * configure-find-seccomp-using-pkg-config.patch: add support for + our libsseccomp being under /usr/include/libseccomp... 
+ * autogenned.patch: the two above applied by autogen.sh to the sources + * remove a ton of patches which are upstream now: + 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch + lxc-autodev.patch + lxc-cgroup-already-running.patch + lxc-opensuse-12.2.patch + lxc-opensuse-12.3.patch + lxc-opensuse-clonefixes.patch + lxc-opensuse-extend-base.patch + lxc-opensuse-proper-failure.patch + lxc-opensuse-tmpfs.patch + pivot-root_shared.patch +- Remove obsolete info from README.SUSE + +------------------------------------------------------------------- +Thu Mar 7 15:34:34 UTC 2013 - [email protected] + +- Ensure update repository directory is correctly created + (bnc#804435). + +------------------------------------------------------------------- +Tue Feb 26 14:33:41 UTC 2013 - [email protected] + +- clean cache if a distro version in template does not match + with files in a cache (bnc#804435#c19) + +------------------------------------------------------------------- +Tue Feb 26 09:58:10 UTC 2013 - [email protected] + +- run zypper ar only if .repo file does not exists + fixes a partial created repos (bnc#804435#c16) + +------------------------------------------------------------------- +Wed Feb 20 16:21:03 UTC 2013 - [email protected] + +- Add lxc-opensuse-12.3.patch: update template to openSUSE 12.3 + +------------------------------------------------------------------- +Tue Feb 19 10:59:39 UTC 2013 - [email protected] + +- lxc-opensuse-extend-base.patch: lxc-opensuse: extend base + (bnc#804232) +- lxc-opensuse-proper-failure.patch: lxc-opensuse: proper failure +- remove change-hwaddr-on-clone.patch as it was fixed upstream + already + +------------------------------------------------------------------- +Mon Jan 21 09:26:57 UTC 2013 - [email protected] + +- Update pivot-root_shared.patch with upstream patch to build with + old version of kernel headers. +- Check for /etc/init.d/boot.cgroup presence before starting it in + %post. 
+ +------------------------------------------------------------------- +Fri Jan 11 15:56:54 UTC 2013 - [email protected] + +- Release 0.8.0: + + add support for autodetection of gateway address + + add support for LVM2 and btrfs snapshot in lxc-clone + + add support for apparmor + + support nested cgroups + + lxc no longer depends on perl + + add support for container hooks (pre-start, mount, start, stop, + umount, post-stop) + + templates are moved to /usr/share/lxc/templates +- Remove + Accurately-detect-whether-a-system-supports-clone_children.patch: + merged upstream. +- Add lxc-opensuse-clonefixes.patch: fix openSUSE template + regarding cloning. +- Add 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch: fix + btrfs subvolume when removing a container. +- Add lxc-autodev.patch: fill /dev when starting container (needed + for systemd). +- Update lxc-opensuse-12.2.patch: switch to systemd in container. + +------------------------------------------------------------------- +Fri Jan 11 15:30:21 UTC 2013 - [email protected] + +- Add lxc-opensuse-12.1-fixbuild.patch: fix openSUSE 12.1 container + build. +- Add lxc-opensuse-12.2.patch: + + switch openSUSE template to 12.2 + + install iputils in the default configuration + + autoconfigure gateway if possible + + detect if network is set to 0.0.0.0 and configure DHCP + + bind mount /etc/resolv.conf in container +- Add use-relative-paths-for-container.patch, + fix-lxc-clone-mount-entries.patch and update sles + template: use relative paths for container mount points, fixes + lxc-clone dropping some lxc.mount entries (bnc#789387). +- Add Requires(post) dependency on aaa_base (bnc#786970) for + openSUSE < 12.3. +- Add dhcpcd in default installation in openSUSE template (bnc#776169). +- Add change-hwaddr-on-clone.patch: modify MAC address when cloning + a container (git) +- Add wait-until-container-is-stopped.patch: if destroying a + running container, wait until it is stopped before destroying it. 
+- Ensure lxc-createconfig uses opensuse template by default. +- Ensure lxc-createconfig correctly detect cidr (bnc#773234). +- Add pivot-root_shared.patch: fix pivot root when / is mounted as + shared (default on 12.3 and later). + +------------------------------------------------------------------- +Fri Apr 20 13:53:41 UTC 2012 - [email protected] + +- Add various fixes to opensuse template : + + create /etc/hostname as symlink to /etc/HOSTNAME + (lxc-clone fix) + + fix inadequate space in lxc.mount config (lxc-clone fix) + + disable network in container if not configured + + configure network scripts properly +- Add lxc-snapshot-btrfs-lvm.patch: backport snapshot support, + using btrfs or lvm2. +- Add lxc-opensuse-tmpfs.patch: ensure container shutting down is + correctly detected by LXC. + +------------------------------------------------------------------- +Fri Apr 13 11:36:16 UTC 2012 - [email protected] + +- Add lxc-createconfig script to easy LXC configuration + (bnc#723950). + +------------------------------------------------------------------- +Tue Mar 6 21:11:54 CET 2012 - [email protected] + +- Accurately detect whether a system supports clone_children + (bnc#750470) + +------------------------------------------------------------------- +Tue Jan 10 15:41:45 UTC 2012 - [email protected] + +- Drop lxc-file_caps.patch, it is SLES specific, since openSUSE is + now shipping with file capabilities enabled. + +------------------------------------------------------------------- +Fri Jan 6 15:51:32 UTC 2012 - [email protected] + +- Update lxc-opensuse-12.1.patch to correctly generate containers + on x86 (bnc#739315). +- Backport some fixes from SLES 11 SP2: + - Add lxc-checkconfig-kernel-3.patch and lxc-file_caps.patch: + fix detection of kernel 3.x and file capabilities (bnc#720845). + - Fix example path in manpages (bnc#723946). 
+ +------------------------------------------------------------------- +Tue Oct 25 11:35:10 UTC 2011 - [email protected] + +- Add console to opensuse securetty, since we are in a container. + +------------------------------------------------------------------- +Tue Oct 25 09:32:01 UTC 2011 - [email protected] + +- Add lxc-opensuse-12.1.patch: create openSUSE 12.1 containers now +- Add Recommends on build package, which is used by opensuse + template. +- Update README.SUSE to current status for cgroups mountpoint ++++ 150 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.lxc.4068.new/lxc.changes New: ---- CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch CVE-2015-1335-Protect-container-mounts-against-symlinks.patch README.SUSE autogenned.patch config_ipv6-run-inet_pton-on-the-addr-value-without-.patch configure-find-seccomp-using-pkg-config.patch configure-support-suse-s-docbook-to-man.patch lxc-0.9.0.tar.gz lxc-createconfig.in lxc-opensuse-add-perl-base-to-prerequisities.patch lxc.changes lxc.spec opensuse-systemd-shutdown.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ # # spec file for package lxc # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: lxc Version: 0.9.0 Release: 0 Url: http://lxc.sourceforge.net/ Summary: Linux containers implementation License: LGPL-2.1+ Group: System/Management Source: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz Source1: README.SUSE Source2: lxc-createconfig.in #see autogenned.patch for these two: Source3: configure-support-suse-s-docbook-to-man.patch Source4: configure-find-seccomp-using-pkg-config.patch Patch0: autogenned.patch Patch1: opensuse-systemd-shutdown.patch Patch2: lxc-opensuse-add-perl-base-to-prerequisities.patch Patch3: config_ipv6-run-inet_pton-on-the-addr-value-without-.patch Patch4: CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch Patch5: CVE-2015-1335-Protect-container-mounts-against-symlinks.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: docbook-utils BuildRequires: docbook2x BuildRequires: libapparmor-devel BuildRequires: libcap-devel %ifarch %ix86 x86_64 %if 0%{?suse_version} >= 1230 BuildRequires: libseccomp-devel %endif %endif BuildRequires: libxslt BuildRequires: lsb-release BuildRequires: pkg-config %if 0%{?suse_version} >= 1130 BuildRequires: linux-glibc-devel %else BuildRequires: linux-kernel-headers %endif Requires: /sbin/setcap Requires: rsync %if 0%{?suse_version} < 1230 Requires(post): aaa_base %endif # needed to create openSUSE containers using template Recommends: build %description It provides commands to create and manage containers. It contains a full featured container with the isolation/virtualization of the pids, the ipc, the utsname, the mount points, /proc, /sys, the network and it takes into account the control groups. It is very light, flexible, and provides a set of tools around the container like the monitoring with asynchronous events notification, or the freeze of the container. This package is useful to create Virtual Private Server, or to run isolated applications like bash or sshd. 
%package devel Summary: Development library for lxc License: LGPL-2.1 Group: Development/Libraries/C and C++ Requires: %name = %version %description devel Lxc header files and library needed for development of containers. %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %build %configure --disable-examples %__make %{?_smp_mflags} %__cp %{SOURCE1} . %__rm -rf .doc %__mkdir_p .doc/examples %__cp doc/examples/*.conf .doc/examples %install %makeinstall install -d -m 755 %{buildroot}/var/lib/lxc find %buildroot -type f -name '*.la' -delete ./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2} chmod a+x %{buildroot}%{_bindir}/lxc-createconfig %clean %__rm -rf %buildroot %post /sbin/ldconfig %if 0%{?suse_version} < 1230 if [ -x /etc/init.d/boot.cgroup ]; then %fillup_and_insserv -f -Y boot.cgroup /etc/init.d/boot.cgroup start 2>/dev/null >/dev/null || : fi %endif %postun /sbin/ldconfig %if 0%{?suse_version} < 1230 %insserv_cleanup %endif %files %defattr(-,root,root) %doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt %doc README.SUSE %doc .doc/examples %dir %{_sysconfdir}/%{name}/ %config %{_sysconfdir}/%{name}/default.conf %{_libdir}/lib%{name}.so.* %{_libexecdir}/%name %{_libdir}/%name %{_datadir}/%name %dir /var/lib/lxc %{_bindir}/%{name}-* %{_mandir}/man[^3]/* %files devel %defattr(-,root,root) %{_includedir}/%name %{_libdir}/lib%{name}.so %{_libdir}/pkgconfig/%{name}.pc %changelog ++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++ 
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]> Date: Thu, 16 Jul 2015 16:37:51 -0400 Subject: CVE-2015-1334: Don't use the container's /proc during attach MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e References: bnc#938523 A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution. Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> [backport to 0.9] --- src/lxc/lxc_attach.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 52 insertions(+), 1 deletion(-) --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -24,9 +24,11 @@ #define _GNU_SOURCE #include <unistd.h> #include <errno.h> +#include <fcntl.h> #include <pwd.h> #include <stdlib.h> #include <sys/param.h> +#include <sys/stat.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> 
@@ -140,6 +142,48 @@ Options :\n\ .checker = NULL, }; +static int lsm_set_label_at(int procfd, char *lsm_label) +{ + int labelfd = -1; + int ret = 0; + int size; + char *command = NULL; + + labelfd = openat(procfd, "self/attr/current", O_RDWR); + if (labelfd < 0) { + SYSERROR("Unable to open LSM label"); + ret = -1; + goto out; + } + + command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); + if (!command) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + size = sprintf(command, "changeprofile %s", lsm_label); + if (size < 0) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + if (write(labelfd, command, size + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } +out: + free(command); + + if (labelfd != -1) + close(labelfd); + + return ret; +} + int main(int argc, char *argv[]) { int ret; @@ -395,10 +439,17 @@ int main(int argc, char *argv[]) close(cgroup_ipc_sockets[1]); if ((namespace_flags & CLONE_NEWNS)) { - if (attach_apparmor(init_ctx->aa_profile) < 0) { + int procfd = open("/proc", O_DIRECTORY | O_RDONLY); + if (procfd < 0) { + SYSERROR("Unable to open /proc"); + return -1; + } + if (lsm_set_label_at(procfd, init_ctx->aa_profile) < 0) { ERROR("failed switching apparmor profiles"); return -1; } + /* we don't need proc anymore */ + close(procfd); } /* A description of the purpose of this functionality is ++++++ CVE-2015-1335-Protect-container-mounts-against-symlinks.patch ++++++ >From cd8a89eb7e991442afb4cfb879fb2eb59ffd6f86 Mon Sep 17 00:00:00 2001 
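Review bot: the value of the @@ -395,10 +439,17 @@ hunk depends on open("/proc", O_DIRECTORY | O_RDONLY) running before the process has done its setns() into the container's mount namespace; the visible context (right after close(cgroup_ipc_sockets[1])) does not show where the namespace entry happens in this 0.9 main(), so please confirm the open precedes it, otherwise procfd already refers to the container's, possibly over-mounted, /proc and the issue is not closed. Two smaller points in lsm_set_label_at(): lsm_label goes straight into strlen(), whereas the replaced attach_apparmor(init_ctx->aa_profile) call may have handled a NULL or "unconfined" profile itself, so a guard like `if (!lsm_label || !strcmp(lsm_label, "unconfined")) return 0;` is worth adding; and the malloc() failure path reports "Failed to write apparmor profile", where "Out of memory" would be the accurate message. procfd is also left open on the `return -1` path after the failed label switch (harmless since main() exits, but the "we don't need proc anymore" close only runs on success).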
From: Serge Hallyn <[email protected]>
Date: Mon, 31 Aug 2015 12:57:20 -0500
Subject: [PATCH 1/1] Protect container mounts against symlinks

When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

To prevent this,
1. do not allow mounts to paths containing symbolic links
2. do not allow bind mounts from relative paths containing symbolic links.

Details:
Define safe_mount which ensures that the container has not inserted any symbolic links into any mount targets for mounts to be done during container setup.

The host's mount path may contain symbolic links. As it is under the control of the administrator, that's ok. So safe_mount begins the check for symbolic links after the rootfs->mount, by opening that directory.

It opens each directory along the path using openat() relative to the parent directory using O_NOFOLLOW. When the target is reached, it mounts onto /proc/self/fd/<targetfd>.

Use safe_mount() in mount_entry(), when mounting container proc, and when needed. In particular, safe_mount() need not be used in any case where:
1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net during container startup, and proc/net is a symbolic link, use proc/tty instead.
Update the lxc.container.conf manpage with details about the new restrictions. Finally, add a testcase to test some symbolic link possibilities. Signed-off-by: Serge Hallyn <[email protected]> --- doc/lxc.container.conf.sgml.in | 12 +++ src/lxc/cgfs.c | 5 +- src/lxc/cgmanager.c | 4 +- src/lxc/conf.c | 35 +++--- src/lxc/utils.c | 235 ++++++++++++++++++++++++++++++++++++++++- src/lxc/utils.h | 2 + src/tests/Makefile.am | 2 + src/tests/lxc-test-symlink | 88 +++++++++++++++ 8 files changed, 363 insertions(+), 20 deletions(-) create mode 100755 src/tests/lxc-test-symlink Index: lxc-0.9.0/src/lxc/conf.c =================================================================== --- lxc-0.9.0.orig/src/lxc/conf.c +++ lxc-0.9.0/src/lxc/conf.c @@ -953,7 +953,7 @@ static int mount_autodev(char *root) ret = snprintf(path, MAXPATHLEN, "%s/dev", root); if (ret < 0 || ret > MAXPATHLEN) return -1; - ret = mount("none", path, "tmpfs", 0, "size=100000"); + ret = safe_mount("none", path, "tmpfs", 0, "size=100000", root); if (ret) { SYSERROR("Failed to mount /dev at %s\n", root); return -1; @@ -1264,7 +1264,7 @@ static int setup_dev_console(const struc return -1; } - if (mount(console->name, path, "none", MS_BIND, 0)) { + if (safe_mount(console->name, path, "none", MS_BIND, 0, rootfs->mount)) { ERROR("failed to mount '%s' on '%s'", console->name, path); return -1; } @@ -1318,7 +1318,7 @@ static int setup_ttydir_console(const st return 0; } - if (mount(console->name, lxcpath, "none", MS_BIND, 0)) { + if (safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs->mount)) { ERROR("failed to mount '%s' on '%s'", console->name, lxcpath); return -1; } 
@@ -1471,9 +1471,9 @@ static int parse_mntopts(const char *mnt static int mount_entry(const char *fsname, const char *target, const char *fstype, unsigned long mountflags, - const char *data) + const char *data, const char *rootfs) { - if (mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data)) { + if (safe_mount(fsname, target, fstype, mountflags & ~MS_REMOUNT, data, rootfs)) { SYSERROR("failed to mount '%s' on '%s'", fsname, target); return -1; } @@ -1484,7 +1484,7 @@ static int mount_entry(const char *fsnam fsname, target); if (mount(fsname, target, fstype, - mountflags | MS_REMOUNT, data)) { + mountflags | MS_REMOUNT, data) < 0) { SYSERROR("failed to mount '%s' on '%s'", fsname, target); return -1; @@ -1508,7 +1508,7 @@ static inline int mount_entry_on_systemf } ret = mount_entry(mntent->mnt_fsname, mntent->mnt_dir, - mntent->mnt_type, mntflags, mntdata); + mntent->mnt_type, mntflags, mntdata, NULL); if (hasmntopt(mntent, "optional") != NULL) ret = 0; @@ -1572,7 +1572,7 @@ skipabs: ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, - mntflags, mntdata); + mntflags, mntdata, rootfs->mount); if (hasmntopt(mntent, "optional") != NULL) ret = 0; @@ -1603,7 +1603,7 @@ static int mount_entry_on_relative_rootf } ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, - mntflags, mntdata); + mntflags, mntdata, rootfs); if (hasmntopt(mntent, "optional") != NULL) ret = 0; Index: lxc-0.9.0/src/lxc/utils.c =================================================================== --- lxc-0.9.0.orig/src/lxc/utils.c +++ lxc-0.9.0/src/lxc/utils.c @@ -26,6 +26,7 @@ #include <unistd.h> #include <stdlib.h> #include <stddef.h> +#include <stdbool.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/mman.h> 
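Review bot: in the conf.c hunks @@ -1471,9 +1471,9 @@ and @@ -1484,7 +1484,7 @@ above, the first mount() now goes through safe_mount(), but the remount that applies the bind/remount options a few lines later still calls mount(fsname, target, fstype, mountflags | MS_REMOUNT, data) with the raw target path, so the kernel resolves target a second time through its normal, symlink-following lookup; the TOCTTOU window the new manpage paragraph warns about therefore also exists between these two calls, and a link swapped in meanwhile would make the (e.g. read-only) remount land on a different mount or fail with EINVAL while the bind mount just placed keeps its original flags. Consider letting safe_mount() hand back the verified destfd (or perform the remount itself) so the second call also goes via /proc/self/fd/<destfd>. The `< 0` added to that mount() check is a no-op since mount() returns -1 on failure, but it does no harm.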
@@ -250,3 +251,236 @@ out: fclose(fin); return default_lxcpath; } + + /* + * @path: a pathname where / replaced with '\0'. + * @offsetp: pointer to int showing which path segment was last seen. + * Updated on return to reflect the next segment. + * @fulllen: full original path length. + * Returns a pointer to the next path segment, or NULL if done. + */ +static char *get_nextpath(char *path, int *offsetp, int fulllen) +{ + int offset = *offsetp; + + if (offset >= fulllen) + return NULL; + + while (path[offset] != '\0' && offset < fulllen) + offset++; + while (path[offset] == '\0' && offset < fulllen) + offset++; + + *offsetp = offset; + return (offset < fulllen) ? &path[offset] : NULL; +} + +/* + * Check that @subdir is a subdir of @dir. @len is the length of + * @dir (to avoid having to recalculate it). + */ +static bool is_subdir(const char *subdir, const char *dir, size_t len) +{ + size_t subdirlen = strlen(subdir); + + if (subdirlen < len) + return false; + if (strncmp(subdir, dir, len) != 0) + return false; + if (dir[len-1] == '/') + return true; + if (subdir[len] == '/' || subdirlen == len) + return true; + return false; +} + +/* + * Check if the open fd is a symlink. Return -ELOOP if it is. Return + * -ENOENT if we couldn't fstat. Return 0 if the fd is ok. + */ +static int check_symlink(int fd) +{ + struct stat sb; + int ret = fstat(fd, &sb); + if (ret < 0) + return -ENOENT; + if (S_ISLNK(sb.st_mode)) + return -ELOOP; + return 0; +} + +/* + * Open a file or directory, provided that it contains no symlinks. 
+ * + * CAVEAT: This function must not be used for other purposes than container + * setup before executing the container's init + */ +static int open_if_safe(int dirfd, const char *nextpath) +{ + int newfd = openat(dirfd, nextpath, O_RDONLY | O_NOFOLLOW); + if (newfd >= 0) // was not a symlink, all good + return newfd; + + if (errno == ELOOP) + return newfd; + + if (errno == EPERM || errno == EACCES) { + /* we're not root (cause we got EPERM) so + try opening with O_PATH */ + newfd = openat(dirfd, nextpath, O_PATH | O_NOFOLLOW); + if (newfd >= 0) { + /* O_PATH will return an fd for symlinks. We know + * nextpath wasn't a symlink at last openat, so if fd + * is now a link, then something * fishy is going on + */ + int ret = check_symlink(newfd); + if (ret < 0) { + close(newfd); + newfd = ret; + } + } + } + + return newfd; +} + +/* + * Open a path intending for mounting, ensuring that the final path + * is inside the container's rootfs. + * + * CAVEAT: This function must not be used for other purposes than container + * setup before executing the container's init + * + * @target: path to be opened + * @prefix_skip: a part of @target in which to ignore symbolic links. This + * would be the container's rootfs. + * + * Return an open fd for the path, or <0 on error. 
+ */ +static int open_without_symlink(const char *target, const char *prefix_skip) +{ + int curlen = 0, dirfd, fulllen, i; + char *dup = NULL; + + fulllen = strlen(target); + + /* make sure prefix-skip makes sense */ + if (prefix_skip) { + curlen = strlen(prefix_skip); + if (!is_subdir(target, prefix_skip, curlen)) { + ERROR("WHOA there - target '%s' didn't start with prefix '%s'", + target, prefix_skip); + return -EINVAL; + } + /* + * get_nextpath() expects the curlen argument to be + * on a (turned into \0) / or before it, so decrement + * curlen to make sure that happens + */ + if (curlen) + curlen--; + } else { + prefix_skip = "/"; + curlen = 0; + } + + /* Make a copy of target which we can hack up, and tokenize it */ + if ((dup = strdup(target)) == NULL) { + SYSERROR("Out of memory checking for symbolic link"); + return -ENOMEM; + } + for (i = 0; i < fulllen; i++) { + if (dup[i] == '/') + dup[i] = '\0'; + } + + dirfd = open(prefix_skip, O_RDONLY); + if (dirfd < 0) + goto out; + while (1) { + int newfd, saved_errno; + char *nextpath; + + if ((nextpath = get_nextpath(dup, &curlen, fulllen)) == NULL) + goto out; + newfd = open_if_safe(dirfd, nextpath); + saved_errno = errno; + close(dirfd); + dirfd = newfd; + if (newfd < 0) { + errno = saved_errno; + if (errno == ELOOP) + SYSERROR("%s in %s was a symbolic link!", nextpath, target); + else + SYSERROR("Error examining %s in %s", nextpath, target); + goto out; + } + } + +out: + free(dup); + return dirfd; +} + +/* + * Safely mount a path into a container, ensuring that the mount target + * is under the container's @rootfs. 
(If @rootfs is NULL, then the container + * uses the host's /) + * + * CAVEAT: This function must not be used for other purposes than container + * setup before executing the container's init + */ +int safe_mount(const char *src, const char *dest, const char *fstype, + unsigned long flags, const void *data, const char *rootfs) +{ + int srcfd = -1, destfd, ret, saved_errno; + char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/<fd> + const char *mntsrc = src; + + if (!rootfs) + rootfs = ""; + + /* todo - allow symlinks for relative paths if 'allowsymlinks' option is passed */ + if (flags & MS_BIND && src && src[0] != '/') { + INFO("this is a relative bind mount"); + srcfd = open_without_symlink(src, NULL); + if (srcfd < 0) + return srcfd; + ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); + if (ret < 0 || ret > 50) { + close(srcfd); + ERROR("Out of memory"); + return -EINVAL; + } + mntsrc = srcbuf; + } + + destfd = open_without_symlink(dest, rootfs); + if (destfd < 0) { + if (srcfd != -1) + close(srcfd); + return destfd; + } + + ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); + if (ret < 0 || ret > 50) { + if (srcfd != -1) + close(srcfd); + close(destfd); + ERROR("Out of memory"); + return -EINVAL; + } + + ret = mount(mntsrc, destbuf, fstype, flags, data); + saved_errno = errno; + if (srcfd != -1) + close(srcfd); + close(destfd); + if (ret < 0) { + errno = saved_errno; + SYSERROR("Failed to mount %s onto %s", src, dest); + return ret; + } + + return 0; +} Index: lxc-0.9.0/src/lxc/utils.h =================================================================== --- lxc-0.9.0.orig/src/lxc/utils.h +++ lxc-0.9.0/src/lxc/utils.h 
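Review bot: safe_mount() in the @@ -250,3 +251,236 @@ hunk turns a NULL rootfs into "" and passes it to open_without_symlink(), which treats every non-NULL prefix_skip as a real prefix: curlen becomes 0, is_subdir(target, "", 0) evaluates dir[len-1], i.e. the byte before the empty string literal, and dirfd = open("", O_RDONLY) then fails with ENOENT, so every entry that reaches mount_entry() with rootfs = NULL (the mount_entry_on_systemfs() path in conf.c) now fails unless it carries the "optional" option. Suggest `if (prefix_skip && strlen(prefix_skip) > 0)` in open_without_symlink() so an empty prefix takes the `prefix_skip = "/"` branch, plus an early `return false` in is_subdir() for len == 0. Two more things to check in the same hunk: for a relative bind source, open_without_symlink(src, NULL) starts from "/" and get_nextpath() called with offset 0 first skips to the end of the current segment, so for a path that does not begin with '/' the first component is dropped and "opt/foo" is examined as "/foo"; and the `ret > 50` truncation tests after the two snprintf() calls into srcbuf/destbuf should be `ret >= 50` (snprintf returns the untruncated length), with "Out of memory" being the wrong message for truncation.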
@@ -33,4 +33,8 @@ extern int mkdir_p(const char *dir, mode */ extern const char *default_lxc_path(void); +int safe_mount(const char *src, const char *dest, const char *fstype, + unsigned long flags, const void *data, const char *rootfs); + + #endif Index: lxc-0.9.0/src/tests/Makefile.am =================================================================== --- lxc-0.9.0.orig/src/tests/Makefile.am +++ lxc-0.9.0/src/tests/Makefile.am @@ -36,6 +36,7 @@ EXTRA_DIST = \ getkeys.c \ locktests.c \ lxcpath.c \ + lxc-test-symlink \ saveconfig.c \ shutdowntest.c \ startone.c Index: lxc-0.9.0/src/tests/lxc-test-symlink =================================================================== --- /dev/null +++ lxc-0.9.0/src/tests/lxc-test-symlink 
@@ -0,0 +1,88 @@ +#!/bin/bash + +set -ex + +# lxc: linux Container library + +# Authors: +# Serge Hallyn <[email protected]> +# +# This is a regression test for symbolic links + +dirname=`mktemp -d` +fname=`mktemp` +fname2=`mktemp` + +lxcpath=/var/lib/lxcsym1 + +cleanup() { + lxc-destroy -P $lxcpath -f -n symtest1 || true + rm -f $lxcpath + rmdir $dirname || true + rm -f $fname || true + rm -f $fname2 || true +} + +trap cleanup EXIT SIGHUP SIGINT SIGTERM + +testrun() { + expected=$1 + run=$2 + pass="pass" + lxc-start -P $lxcpath -n symtest1 -l trace -o $lxcpath/log || pass="fail" + [ $pass = "pass" ] && lxc-wait -P $lxcpath -n symtest1 -t 10 -s RUNNING || pass="fail" + if [ "$pass" != "$expected" ]; then + echo "Test $run: expected $expected but container did not. Start log:" + cat $lxcpath/log + echo "FAIL: Test $run: expected $expected but container did not." + false + fi + lxc-stop -P $lxcpath -n symtest1 -k || true +} + +# make lxcpath a symlink - this should NOT cause failure +ln -s /var/lib/lxc $lxcpath + +lxc-destroy -P $lxcpath -f -n symtest1 || true +lxc-create -P $lxcpath -t busybox -n symtest1 + +cat >> /var/lib/lxc/symtest1/config << EOF +lxc.mount.entry = $dirname opt/xxx/dir none bind,create=dir +lxc.mount.entry = $fname opt/xxx/file none bind,create=file +lxc.mount.entry = $fname2 opt/xxx/file2 none bind +EOF + +# Regular - should succeed +mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx +touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 +testrun pass 1 + +# symlink - should fail +rm -rf /var/lib/lxc/symtest1/rootfs/opt/xxx +mkdir -p /var/lib/lxc/symtest1/rootfs/opt/xxx2 +ln -s /var/lib/lxc/symtest1/rootfs/opt/xxx2 /var/lib/lxc/symtest1/rootfs/opt/xxx +touch /var/lib/lxc/symtest1/rootfs/opt/xxx/file2 +testrun fail 2 + +# final final symlink - should fail +rm -rf $lxcpath/symtest1/rootfs/opt/xxx +mkdir -p $lxcpath/symtest1/rootfs/opt/xxx +mkdir -p $lxcpath/symtest1/rootfs/opt/xxx/dir +touch $lxcpath/symtest1/rootfs/opt/xxx/file +touch 
$lxcpath/symtest1/rootfs/opt/xxx/file2src +ln -s $lxcpath/symtest1/rootfs/opt/xxx/file2src $lxcpath/symtest1/rootfs/opt/xxx/file2 +testrun fail 3 + +# Ideally we'd also try a loop device, but that won't work in nested containers +# anyway - TODO + +# what about /proc itself + +rm -rf $lxcpath/symtest1/rootfs/opt/xxx +mkdir -p $lxcpath/symtest1/rootfs/opt/xxx +touch $lxcpath/symtest1/rootfs/opt/xxx/file2 +mv $lxcpath/symtest1/rootfs/proc $lxcpath/symtest1/rootfs/proc1 +ln -s $lxcpath/symtest1/rootfs/proc1 $lxcpath/symtest1/rootfs/proc +testrun fail 4 + +echo "all tests passed" Index: lxc-0.9.0/src/tests/Makefile.in =================================================================== --- lxc-0.9.0.orig/src/tests/Makefile.in +++ lxc-0.9.0/src/tests/Makefile.in @@ -314,6 +314,7 @@ EXTRA_DIST = \ getkeys.c \ locktests.c \ lxcpath.c \ + lxc-test-symlink \ saveconfig.c \ shutdowntest.c \ startone.c Index: lxc-0.9.0/doc/lxc.conf.sgml.in =================================================================== --- lxc-0.9.0.orig/doc/lxc.conf.sgml.in +++ lxc-0.9.0/doc/lxc.conf.sgml.in 
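Review bot: src/tests/lxc-test-symlink is only added to EXTRA_DIST in Makefile.am (and in the generated Makefile.in, which is the right place to patch since the spec does not rerun autoreconf), so it ships in the tarball but nothing in the build runs it; given that it needs root, the busybox template and write access to /var/lib/lxc, either document how to run it or hook it into a root-only test target. Inside the script, cleanup() does not undo the `mv .../rootfs/proc .../rootfs/proc1` of test 4 (lxc-destroy removes the container, so this only matters if that fails), and test 3 switches from the /var/lib/lxc/symtest1/... paths used by tests 1 and 2 to $lxcpath/symtest1/..., which works only because $lxcpath is a symlink to /var/lib/lxc; using one form throughout would make the intent clearer.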
@@ -581,6 +581,18 @@ Foundation, Inc., 59 Temple Place, Suite container. This is useful to mount /etc, /var or /home for examples. </para> + <para> + NOTE - LXC will generally ensure that mount targets and relative + bind-mount sources are properly confined under the container + root, to avoid attacks involving over-mounting host directories + and files. (Symbolic links in absolute mount sources are ignored) + However, if the container configuration first mounts a directory which + is under the control of the container user, such as /home/joe, into + the container at some <filename>path</filename>, and then mounts + under <filename>path</filename>, then a TOCTTOU attack would be + possible where the container user modifies a symbolic link under + his home directory at just the right time. + </para> <variablelist> <varlistentry> <term> ++++++ README.SUSE ++++++ To mount the control group file system just run: /sbin/insserv boot.cgroup and /sys/fs/cgroup will be mounted for cgroup automatically. ++++++ autogenned.patch ++++++ It contains the effect of these patches: configure-find-seccomp-using-pkg-config.patch configure-support-suse-s-docbook-to-man.patch diff --git a/configure b/configure index dfb8e42..ee5faae 100755 --- a/configure +++ b/configure @@ -659,9 +659,6 @@ ENABLE_LUA_FALSE ENABLE_LUA_TRUE PYTHONDEV_LIBS PYTHONDEV_CFLAGS -PKG_CONFIG_LIBDIR -PKG_CONFIG_PATH -PKG_CONFIG pkgpyexecdir pyexecdir pkgpythondir @@ -676,6 +673,10 @@ ENABLE_PYTHON_TRUE ENABLE_EXAMPLES_FALSE ENABLE_EXAMPLES_TRUE SECCOMP_LIBS +SECCOMP_CFLAGS +PKG_CONFIG_LIBDIR +PKG_CONFIG_PATH +PKG_CONFIG ENABLE_SECCOMP_FALSE ENABLE_SECCOMP_TRUE APPARMOR_LIBS @@ -806,10 +807,12 @@ LDFLAGS LIBS CPPFLAGS CPP -PYTHON PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR +SECCOMP_CFLAGS +SECCOMP_LIBS +PYTHON PYTHONDEV_CFLAGS PYTHONDEV_LIBS LUA_CFLAGS 
@@ -1468,12 +1471,16 @@ Some influential environment variables: CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if you have headers in a nonstandard directory <include dir> CPP C preprocessor - PYTHON the Python interpreter PKG_CONFIG path to pkg-config utility PKG_CONFIG_PATH directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path + SECCOMP_CFLAGS + C compiler flags for SECCOMP, overriding pkg-config + SECCOMP_LIBS + linker flags for SECCOMP, overriding pkg-config + PYTHON the Python interpreter PYTHONDEV_CFLAGS C compiler flags for PYTHONDEV, overriding pkg-config PYTHONDEV_LIBS @@ -4821,7 +4828,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for docbook2x-man" >&5 $as_echo_n "checking for docbook2x-man... " >&6; } - for name in docbook2x-man db2x_docbook2man; do + for name in docbook2x-man db2x_docbook2man docbook-to-man; do if "$name" --help >/dev/null 2>&1; then db2xman="$name" break; 
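Review bot: adding docbook-to-man to the candidate list in "for name in docbook2x-man db2x_docbook2man docbook-to-man; do" only changes which program name ends up in db2xman; docbook-to-man takes a different command line from docbook2x-man, so unless the later invocation of $db2xman (not in this hunk) is adjusted for it, configure will select the tool and the documentation build will fail at make time rather than at configure time. Either adapt the call site or probe with the command line actually used to build the man pages.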
@@ -5034,113 +5041,6 @@ else fi -if test -z "$ENABLE_SECCOMP_TRUE"; then : - ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" -if test "x$ac_cv_header_seccomp_h" = xyes; then : - -else - as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 -fi - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 -$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } -if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lseccomp $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char seccomp_init (); -int -main () -{ -return seccomp_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_seccomp_seccomp_init=yes -else - ac_cv_lib_seccomp_seccomp_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 -$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } -if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSECCOMP 1 -_ACEOF - - LIBS="-lseccomp $LIBS" - -else - as_fn_error $? 
"You must install the seccomp development package in order to compile lxc" "$LINENO" 5 -fi - - SECCOMP_LIBS=-lseccomp - -fi - -# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 -ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h> -" -if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_SCMP_FILTER_CTX 1 -_ACEOF - - -fi - - -# Configuration examples -# Check whether --enable-examples was given. -if test "${enable_examples+set}" = set; then : - enableval=$enable_examples; -else - enable_examples=yes -fi - - if test "x$enable_examples" = "xyes"; then - ENABLE_EXAMPLES_TRUE= - ENABLE_EXAMPLES_FALSE='#' -else - ENABLE_EXAMPLES_TRUE='#' - ENABLE_EXAMPLES_FALSE= -fi - - -# Python3 module and scripts -# Check whether --enable-python was given. -if test "${enable_python+set}" = set; then : - enableval=$enable_python; enable_python=yes -else - enable_python=no -fi - - if test "x$enable_python" = "xyes"; then - ENABLE_PYTHON_TRUE= - ENABLE_PYTHON_FALSE='#' -else - ENABLE_PYTHON_TRUE='#' - ENABLE_PYTHON_FALSE= -fi - - 
@@ -5261,6 +5161,247 @@ $as_echo "no" >&6; } PKG_CONFIG="" fi fi +if test -z "$ENABLE_SECCOMP_TRUE"; then : + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SECCOMP" >&5 +$as_echo_n "checking for SECCOMP... " >&6; } + +if test -n "$SECCOMP_CFLAGS"; then + pkg_cv_SECCOMP_CFLAGS="$SECCOMP_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SECCOMP_CFLAGS=`$PKG_CONFIG --cflags "libseccomp" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$SECCOMP_LIBS"; then + pkg_cv_SECCOMP_LIBS="$SECCOMP_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SECCOMP_LIBS=`$PKG_CONFIG --libs "libseccomp" 2>/dev/null` + test "x$?" 
!= "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SECCOMP_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libseccomp" 2>&1` + else + SECCOMP_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libseccomp" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$SECCOMP_PKG_ERRORS" >&5 + + + ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" +if test "x$ac_cv_header_seccomp_h" = xyes; then : + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 +$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } +if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lseccomp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char seccomp_init (); +int +main () +{ +return seccomp_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_seccomp_seccomp_init=yes +else + ac_cv_lib_seccomp_seccomp_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 +$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } +if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSECCOMP 1 +_ACEOF + + LIBS="-lseccomp $LIBS" + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + SECCOMP_LIBS=-lseccomp + + +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default" +if test "x$ac_cv_header_seccomp_h" = xyes; then : + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5 +$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; } +if ${ac_cv_lib_seccomp_seccomp_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lseccomp $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char seccomp_init (); +int +main () +{ +return seccomp_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_seccomp_seccomp_init=yes +else + ac_cv_lib_seccomp_seccomp_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5 +$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; } +if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBSECCOMP 1 +_ACEOF + + LIBS="-lseccomp $LIBS" + +else + as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5 +fi + + SECCOMP_LIBS=-lseccomp + + +else + SECCOMP_CFLAGS=$pkg_cv_SECCOMP_CFLAGS + SECCOMP_LIBS=$pkg_cv_SECCOMP_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + +fi + +# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 +OLD_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS $SECCOMP_CFLAGS" +ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h> +" +if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_SCMP_FILTER_CTX 1 +_ACEOF + + +fi + +CFLAGS="$OLD_CFLAGS" + +# Configuration examples +# Check whether --enable-examples was given. +if test "${enable_examples+set}" = set; then : + enableval=$enable_examples; +else + enable_examples=yes +fi + + if test "x$enable_examples" = "xyes"; then + ENABLE_EXAMPLES_TRUE= + ENABLE_EXAMPLES_FALSE='#' +else + ENABLE_EXAMPLES_TRUE='#' + ENABLE_EXAMPLES_FALSE= +fi + + +# Python3 module and scripts +# Check whether --enable-python was given. 
+if test "${enable_python+set}" = set; then : + enableval=$enable_python; enable_python=yes +else + enable_python=no +fi + + if test "x$enable_python" = "xyes"; then + ENABLE_PYTHON_TRUE= + ENABLE_PYTHON_FALSE='#' +else + ENABLE_PYTHON_TRUE='#' + ENABLE_PYTHON_FALSE= +fi + + if test -z "$ENABLE_PYTHON_TRUE"; then : diff --git a/src/lxc/Makefile.in b/src/lxc/Makefile.in index d6841c6..b97b429 100644 --- a/src/lxc/Makefile.in +++ b/src/lxc/Makefile.in @@ -65,7 +65,7 @@ so_PROGRAMS = liblxc.so$(EXEEXT) @HAVE_FGETLN_TRUE@@HAVE_GETLINE_FALSE@am__append_4 = ../include/getline.c ../include/getline.h @ENABLE_APPARMOR_TRUE@am__append_5 = -DHAVE_APPARMOR @USE_CONFIGPATH_LOGS_TRUE@am__append_6 = -DUSE_CONFIGPATH_LOGS -@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP +@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP $(SECCOMP_CFLAGS) @ENABLE_SECCOMP_TRUE@am__append_8 = seccomp.c @ENABLE_PYTHON_TRUE@am__append_9 = lxc-device lxc-ls \ @ENABLE_PYTHON_TRUE@ lxc-start-ephemeral @@ -344,6 +344,7 @@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +SECCOMP_CFLAGS = @SECCOMP_CFLAGS@ SECCOMP_LIBS = @SECCOMP_LIBS@ SED = @SED@ SET_MAKE = @SET_MAKE@ ++++++ config_ipv6-run-inet_pton-on-the-addr-value-without-.patch ++++++ From: Serge Hallyn <[email protected]> Date: Fri, 23 Aug 2013 12:45:15 -0500 Subject: config_ipv6: run inet_pton on the addr value without mask Patch-mainline: no References: bnc#851760 otherwise a "$addr/$mask" results in failure. Signed-off-by: Serge Hallyn <[email protected]> Signed-off-by: Jiri Slaby <[email protected]> --- src/lxc/confile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Index: lxc-0.9.0/src/lxc/confile.c =================================================================== --- lxc-0.9.0.orig/src/lxc/confile.c +++ lxc-0.9.0/src/lxc/confile.c 
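Review bot: autogenned.patch is a generated artifact of configure-find-seccomp-using-pkg-config.patch and configure-support-suse-s-docbook-to-man.patch, and the expansion is large: the header and seccomp_init link check is now emitted twice in configure (once for the pkg_failed=yes branch and once for pkg_failed=untried). Regenerate it whenever either source patch changes and add a comment in the package saying how it was produced; a configure.ac change that is not re-run through autoconf leaves configure silently out of step with the checks the maintainer thinks are in place.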
@@ -745,8 +745,8 @@ static int config_network_ipv6(const cha inet6dev->prefix = atoi(netmask); } - if (!inet_pton(AF_INET6, value, &inet6dev->addr)) { - SYSERROR("invalid ipv6 address: %s", value); + if (!inet_pton(AF_INET6, valdup, &inet6dev->addr)) { + SYSERROR("invalid ipv6 address: %s", valdup); free(valdup); return -1; } ++++++ configure-find-seccomp-using-pkg-config.patch ++++++ From: Jiri Slaby <[email protected]> Date: Wed, 24 Apr 2013 10:46:21 +0200 Subject: configure: find seccomp using pkg-config Patch-mainline: no On suse we have the header in a subdir inside /usr/include, so pkgconfig has to be used to find out proper CFLAGS. Signed-off-by: Jiri Slaby <[email protected]> --- configure.ac | 12 +++++++++--- src/lxc/Makefile.am | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index ef6122e..630027a 100644 --- a/configure.ac +++ b/configure.ac @@ -113,12 +113,18 @@ fi AM_CONDITIONAL([ENABLE_SECCOMP], [test "x$enable_seccomp" = "xyes"]) AM_COND_IF([ENABLE_SECCOMP], - [AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) - AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) - AC_SUBST([SECCOMP_LIBS], [-lseccomp])]) + [PKG_CHECK_MODULES([SECCOMP],[libseccomp],[],[ + AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) + AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])]) + AC_SUBST([SECCOMP_LIBS], [-lseccomp]) + ]) + ]) # HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0 +OLD_CFLAGS="$CFLAGS" +CFLAGS="$CFLAGS $SECCOMP_CFLAGS" AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>]) +CFLAGS="$OLD_CFLAGS" # Configuration examples AC_ARG_ENABLE([examples],
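Review bot: SYSERROR is the wrong macro for the failure in the confile.c hunk: inet_pton returns 0 for a malformed address without setting errno, so the message will be suffixed with whatever stale strerror happens to be pending; ERROR is the right choice here. It is also worth keeping the original string in the message ("%s", value) while parsing valdup, so the log shows the exact address/mask the configuration supplied rather than only the stripped address part.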
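Review bot: the two outcomes of the new PKG_CHECK_MODULES([SECCOMP], ...) call in the configure.ac hunk link differently: when pkg-config succeeds only SECCOMP_CFLAGS and SECCOMP_LIBS are set, but in the fallback the AC_CHECK_LIB call with an empty action-if-found also prepends -lseccomp to LIBS (as the removed lines did), so every program in the tree is linked against libseccomp, not just liblxc. Give AC_CHECK_LIB an explicit action-if-found that only sets SECCOMP_LIBS so both paths behave the same; the CFLAGS save/restore around AC_CHECK_TYPES is correct since the header lives in a subdirectory that only the pkg-config cflags point at.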
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index ebeca466..5798c93 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -104,7 +104,7 @@ AM_CFLAGS += -DUSE_CONFIGPATH_LOGS endif if ENABLE_SECCOMP -AM_CFLAGS += -DHAVE_SECCOMP +AM_CFLAGS += -DHAVE_SECCOMP $(SECCOMP_CFLAGS) liblxc_so_SOURCES += seccomp.c endif -- 1.8.2.1 ++++++ configure-support-suse-s-docbook-to-man.patch ++++++ From: Jiri Slaby <[email protected]> Date: Wed, 24 Apr 2013 10:33:34 +0200 Subject: configure: support suse's docbook-to-man Patch-mainline: no When finding docbook2x-man... Signed-off-by: Jiri Slaby <[email protected]> --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/configure.ac +++ b/configure.ac 
@@ -67,7 +67,7 @@ if test "x$enable_doc" = "xyes" -o "x$en db2xman="" AC_MSG_CHECKING(for docbook2x-man) - for name in docbook2x-man db2x_docbook2man; do + for name in docbook2x-man db2x_docbook2man docbook-to-man; do if "$name" --help >/dev/null 2>&1; then db2xman="$name" break; ++++++ lxc-createconfig.in ++++++
#!/bin/bash
#
# lxc: linux Container library
#
# Authors:
# Mike Friesenegger <[email protected]>
# Daniel Lezcano <[email protected]>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA

usage() {
    echo "usage: lxc-createconfig -n <name> [-i <ipaddr/cidr>] [-b <bridge>] [-t <template>]"
}

help() {
    usage
    echo
    echo "creates an lxc container config file which can be in"
    echo "turn used by lxc-create to create the lxc system object."
    echo
    echo "Options:"
    echo "name     : name of the container"
    echo "ipaddr   : ip address/cidr of the container"
    echo "bridge   : bridge device for container (br0 if undefined)"
    echo "template : template is an accessible template script (opensuse if undefined)"
}

shortoptions='hn:i:b:t:'
longoptions='help,name:,ipaddr:,bridge:,template:'
lxc_confpath=$HOME
templatedir=@LXCTEMPLATEDIR@
lxc_bridge=br0
lxc_template=opensuse

getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? != 0 ]; then
    usage
    exit 1;
fi

eval set -- "$getopt"

while true; do
    case "$1" in
        -h|--help)
            help
            exit 1
            ;;
        -n|--name)
            shift
            lxc_name=$1
            lxc_confname=$lxc_name.config
            shift
            ;;
        -i|--ipaddr)
            shift
            lxc_ipaddr=$1
            shift
            ;;
        -b|--bridge)
            shift
            lxc_bridge=$1
            shift
            ;;
        -t|--template)
            shift
            lxc_template=$1
            shift
            ;;
        --)
            shift
            break;;
        *)
            echo $1
            usage
            exit 1
            ;;
    esac
done

if [ -z "$lxc_name" ]; then
    echo "no container name specified"
    usage
    exit 1
fi

if [ -f "$lxc_confpath/$lxc_confname" ]; then
    echo "'$lxc_confname' already exists"
    exit 1
fi

# a static address must carry a prefix length in the range /0 .. /32
if [ ! -z "$lxc_ipaddr" ]; then
    echo "$lxc_ipaddr" | grep -E '/(([0-2]{0,1}[0-9])|(3[0-2]))$' >/dev/null
    if [ $? -ne 0 ]; then
        echo "$lxc_ipaddr is missing a cidr"
        usage
        exit 1
    fi
fi

if [ -z "$lxc_ipaddr" ]; then
    lxc_ipaddr=DHCP
fi

# the bridge must already exist on the host
if [ ! -z "$lxc_bridge" ]; then
    brctl show | grep "$lxc_bridge" >/dev/null
    if [ $? -ne 0 ]; then
        echo "$lxc_bridge not defined"
        exit 1
    fi
fi

# the template must be an installed lxc-<template> script
if [ ! -z "$lxc_template" ]; then
    type ${templatedir}/lxc-$lxc_template >/dev/null
    if [ $? -ne 0 ]; then
        echo "unknown template '$lxc_template'"
        exit 1
    fi
fi

echo
echo "Container Name = " $lxc_name
echo "IP Address     = " $lxc_ipaddr
echo "Bridge         = " $lxc_bridge
echo
echo -n "Create container config? (n): "
read ANSWER
if [ "$ANSWER" != "y" -a "$ANSWER" != "Y" ]
then
    exit 1
fi

echo
echo "Creating container config $lxc_confpath/$lxc_confname"

# generate a locally administered MAC (02:00:xx:xx:xx:xx) for the interface
lxc_hwaddr="02:00:`(date ; cat /proc/interrupts ) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;'`"

cat >"$lxc_confpath/$lxc_confname" <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%

if [ ! $lxc_ipaddr = "DHCP" ]; then
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.ipv4 = $lxc_ipaddr
%%
fi

cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.name = eth0
%%

echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_confpath/$lxc_confname -t $lxc_template' to create the lxc system object."

++++++ lxc-opensuse-add-perl-base-to-prerequisities.patch ++++++
From: Jiri Slaby <[email protected]> Date: Fri, 20 Sep 2013 16:39:50 +0200 Subject: lxc-opensuse: add perl-base to prerequisities Patch-mainline: submitted sep 20 2013 References: bnc#839873 It is needed by insserv-compat. Signed-off-by: Jiri Slaby <[email protected]> --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 1fc7e21..3005e40 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -125,7 +125,7 @@ download_opensuse() zypper --root $cache/partial-$arch-packages --non-interactive in --auto-agree-with-licenses --download-only zypper lxc patterns-openSUSE-base bash iputils sed tar rsyslog || return 1 cat > $cache/partial-$arch-packages/opensuse.conf << EOF Preinstall: aaa_base bash coreutils diffutils -Preinstall: filesystem fillup glibc grep insserv-compat +Preinstall: filesystem fillup glibc grep insserv-compat perl-base Preinstall: libbz2-1 libgcc_s1 libncurses5 pam Preinstall: permissions libreadline6 rpm sed tar libz1 libselinux1 Preinstall: liblzma5 libcap2 libacl1 libattr1 -- 1.8.4 ++++++ opensuse-systemd-shutdown.patch ++++++ diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 77ef6b2..7c614c2 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -88,6 +88,9 @@ EOF ln -s ../[email protected] $rootfs/etc/systemd/system/getty.target.wants/[email protected] ln -s ../[email protected] $rootfs/etc/systemd/system/getty.target.wants/[email protected] + # copy host poweroff target as sigpwr target to make shutdown work + # see https://wiki.archlinux.org/index.php/Linux_Containers#Container_cannot_be_shutdown_if_using_systemd + cp /usr/lib/systemd/system/poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target touch $rootfs/etc/sysconfig/kernel
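Review bot: the new cp in the opensuse-systemd-shutdown.patch hunk reads /usr/lib/systemd/system/poweroff.target from the host rather than from the container being built, so it fails (and the failure is unchecked) on a host without systemd at that path, and otherwise copies a unit from a possibly different systemd version into the container. Copy $rootfs/usr/lib/systemd/system/poweroff.target instead, which the container's own packages provide, and test for it first or append "|| return 1" as the zypper call above does.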
