[lxc-devel] [lxc/lxc] 72a19d: attach: stricter lookup semantics for fdopen_at() ...

Stéphane Graber Tue, 02 Feb 2021 10:29:32 -0800

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 72a19d2f382d11d3f10c6f439d35b8a8f0b16122
      https://github.com/lxc/lxc/commit/72a19d2f382d11d3f10c6f439d35b8a8f0b16122
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)


  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: stricter lookup semantics for fdopen_at() calls

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: 92466fe34b54940da4cb03ee616aa4cb22cebd90
      https://github.com/lxc/lxc/commit/92466fe34b54940da4cb03ee616aa4cb22cebd90
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: move file descriptor closing into attach_context_container()

This reduces the possibility of forgetting to close the namespace file
descriptors when we change this codepath.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: e18aba7d2a706f477458098e2f014f0c0cb97f26
      https://github.com/lxc/lxc/commit/e18aba7d2a706f477458098e2f014f0c0cb97f26
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: move loading seccomp as late as possible

We want to minimize the change that the profile blocks syscalls we need during
attach setup and has the notifier enabled.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: 4c6c4794dc0c7f51980071216c906fa586e82ebb
      https://github.com/lxc/lxc/commit/4c6c4794dc0c7f51980071216c906fa586e82ebb
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/memory_utils.h

  Log Message:
  -----------
  memory_utils: add close_prot_errno_mov()

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: bcf9793d4351cd54f2de272fe52979e9fed2c1d4
      https://github.com/lxc/lxc/commit/bcf9793d4351cd54f2de272fe52979e9fed2c1d4
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/syscall_wrappers.h

  Log Message:
  -----------
  syscall_wrappers: add PROTECT_OPEN_W_* variants

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: 87c7dbcb9c6ec987ee4f39f3ebf3132c192ee9de
      https://github.com/lxc/lxc/commit/87c7dbcb9c6ec987ee4f39f3ebf3132c192ee9de
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/file_utils.c

  Log Message:
  -----------
  file_utils: harden lxc_open_dirfd()

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: 3c5fa7f3e83f5831f6443c49e57eda5c1025a55e
      https://github.com/lxc/lxc/commit/3c5fa7f3e83f5831f6443c49e57eda5c1025a55e
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/file_utils.c

  Log Message:
  -----------
  file_utils: harden lxc_writeat()

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: 6d15354365ef2312de5a08682b3e7e6e6b73e24f
      https://github.com/lxc/lxc/commit/6d15354365ef2312de5a08682b3e7e6e6b73e24f
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgroup_utils.c
    M src/lxc/cgroups/cgroup_utils.h

  Log Message:
  -----------
  cgroups: add unified_cgroup_fd() helper

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: ac01a9b83ca0ec3ee0cf4b7b983f7081eb67528c
      https://github.com/lxc/lxc/commit/ac01a9b83ca0ec3ee0cf4b7b983f7081eb67528c
  Author: Christian Brauner <christian.brau...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c

  Log Message:
  -----------
  cgroups: switch controller delegation to fd-only operations

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>


  Commit: b22ae84389391363ef5bc93bdc2be2aa26ece70b
      https://github.com/lxc/lxc/commit/b22ae84389391363ef5bc93bdc2be2aa26ece70b
  Author: Stéphane Graber <stgra...@ubuntu.com>
  Date:   2021-02-02 (Tue, 02 Feb 2021)

  Changed paths:
    M src/lxc/attach.c
    M src/lxc/cgroups/cgfsng.c
    M src/lxc/cgroups/cgroup_utils.c
    M src/lxc/cgroups/cgroup_utils.h
    M src/lxc/file_utils.c
    M src/lxc/memory_utils.h
    M src/lxc/syscall_wrappers.h

  Log Message:
  -----------
  Merge pull request #3646 from brauner/2021-02-02/fixes

attach & cgroup hardening


Compare: https://github.com/lxc/lxc/compare/c7d644983ff4...b22ae8438939
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [lxc/lxc] 72a19d: attach: stricter lookup semantics for fdopen_at() ...

Reply via email to