Re: [lxc-devel] [PATCH 0/5] Signal stuff v2 and some documentation

On 06/09/2010 07:56 PM, Ferenc Wagner wrote: Hi, here are basically the same patches, with some obvious errors corrected and some unrelated documentation added. It actually survived some targeted testing in the past days and seems to behave as expected, ie. # lxc-start -n s -- sh -c trap

[lxc-devel] [patch -lxc 2/6] add a macro to wrap a privilegied function

This macro is a helper to call a function into a [un]privilegied section. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/caps.h | 33 ++--- 1 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/lxc/caps.h b/src/lxc/caps.h index

[lxc-devel] [patch -lxc 5/6] fix console overwrite any file

Prevent to specify a file not belonging to us as the output for the console Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/console.c | 11 ++- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/lxc/console.c b/src/lxc/console.c index 1ab2b29..edefc41

[lxc-devel] fix security holes when running lxc as non-root

Thanks all for the feedbacks. The following patchset provides an intermediate solution between all the remarks about the security aspects when running lxc with the capabilities. It has the advantage to be compatible with the setuid bit root set on the lxc-start and lxc-execute. More work has to

[lxc-devel] [patch -lxc 6/6] Remove dead code

This function is no longer used. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/state.c |8 1 files changed, 0 insertions(+), 8 deletions(-) diff --git a/src/lxc/state.c b/src/lxc/state.c index b29ae09..6720011 100644 --- a/src/lxc/state.c +++ b/src/lxc/state.c @@

[lxc-devel] [patch -lxc 3/6] initialize capabilities for lxc-start and lxc-execute

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_execute.c |5 - src/lxc/lxc_start.c |4 2 files changed, 8 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c index c3a0cd7..f480859 100644 --- a/src/lxc/lxc_execute.c +++

[lxc-devel] [patch -lxc 4/6] fix log appending to any file

With the capabilities, the open of the log file can be done on any file, making possible to modifify the content of the file. Let's drop the privilege when opening the file, so we ensure that is no longer possible. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/log.c |6

[lxc-devel] [patch -lxc 1/6] remove/restore effective capabilities

This patch adds the functions to drop the 'effective' capabilities and restore them from the 'permitted' capabilities. When the command is run as 'root' we do nothing. When the command is run as 'lambda' user, we drop the effective capabilities When the command is run as 'root' but real uid is

[lxc-devel] [GIT] lxc branch, master, updated. d1c383f39064969b647fd632f8e6614b49fd6cf2

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc. The branch, master has been updated via d1c383f39064969b647fd632f8e6614b49fd6cf2 (commit) via

Re: [lxc-devel] [PATCH 2/2] Must unfreeze while stopping container

On 07/10/2010 04:52 AM, Sukadev Bhattiprolu wrote: [ ... ] + if (!answer.ret) { + ret = lxc_unfreeze(handler-name); + if (!ret) + return 0; [ ... ] gcc -DHAVE_CONFIG_H -I. -I../../src -fPIC -DPIC -I../../src -g -O2 -Wall -MT