mirror_lxc

mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-25 03:13:56 +00:00

Author	SHA1	Message	Date
Christian Brauner	88c27c5352	cgroups: fix argument vetting in cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:53 +01:00
Christian Brauner	9a57778bb5	attach: fix fallback logic when attaching to cgroups Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:53 +01:00
Christian Brauner	02efd04151	cgroups: switch to fd-based cgroup mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:52 +01:00
Christian Brauner	c689b58ad3	cgroups: restricted fd-only controller mountpoint creation Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:52 +01:00
Christian Brauner	315f8a4e42	cgroups: fix cgroup mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:50 +01:00
Stéphane Graber	dfb71524d7	Merge pull request #3650 from brauner/2021-02-03/fixes_1 conf: harden various mount paths	2021-02-03 17:05:35 -05:00
Christian Brauner	cbc2ddf5b3	utils: harden __safe_mount_beneath_at() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 21:57:44 +01:00
Christian Brauner	952b5031b7	conf: refactor transient procfs mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 21:54:52 +01:00
Christian Brauner	ccf5374124	conf: restrict open call in lxc_mount_rootfs() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:58:45 +01:00
Christian Brauner	e1b9d6af00	conf: make lxc_create_tmp_proc_mount() static Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:55:01 +01:00
Christian Brauner	fdb57ab442	conf: coding style Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:51:56 +01:00
Stéphane Graber	f8dcf07fd3	Merge pull request #3648 from brauner/2021-02-03/fixes conf: open hardening & fd-only operations	2021-02-03 10:38:50 -05:00
Stéphane Graber	b5e7502996	Merge pull request #3649 from brauner/2021-02-03/attach_via_pidfds attach: attach to namespaces via pidfds	2021-02-03 10:23:53 -05:00
Christian Brauner	9b31ab5859	attach: attach to namespaces via pidfds This is a feature we've enabled in kernel v5.8 and v5.9. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 15:23:56 +01:00
Christian Brauner	a26822c5d2	conf: fd-only devtps setup Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	7f50ec8bd0	conf: fd-only pivot root Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	99ca563299	conf: restrict open for lxc_mount_rootfs() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	79019997c8	conf: fd-only operations in lxc_setup_dev_symlinks() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	814983287e	conf: harden open in lxc_fill_autodev() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	ce011f53d8	conf: restrict open of dev/ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	fdf7314dc4	conf: remove unnecessary syscall Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	531d36ad00	rexec: mark all fds as close-on-exec if possible Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:47 +01:00
Christian Brauner	e8aaef8159	syscalls: add close_range() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:45:30 +01:00
Christian Brauner	6b69d7f8cf	rexec: check lseek() return value Not really needed buy ok. Fixes: Coverity: 1472769 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:39:21 +01:00
Christian Brauner	3c981fcb78	tests: check for NULL in device_add_remove Fixes: Coverity 1472768 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:36:23 +01:00
Stéphane Graber	07f89a4faf	Merge pull request #3647 from brauner/2021-02-02/fixes cgroup2: only rely on command socket when getting cgroup values	2021-02-02 18:30:27 -05:00
Christian Brauner	b7aeda9691	cgroups: improve parameter vetting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 00:00:50 +01:00
Christian Brauner	7d013cccf9	tests: support pure unified cgroup layouts in cgpath test Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:52:18 +01:00
Christian Brauner	a4f2435718	test: add logging to device_add_remove Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:40:32 +01:00
Christian Brauner	ea299bfc98	freezer: remove lxc_cmd_freeze() and lxc_cmd_unfreeze() calls We're now handling them better. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:24:28 +01:00
Christian Brauner	9d47970b9b	commands: use __cgroup_unfreeze() directly Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:21:21 +01:00
Christian Brauner	c9c814f4d4	cgroups: export __cgroup_unfreeze() for use in commands Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:21:19 +01:00
Christian Brauner	ae4fcc7b11	cgroups: use lxc_cmd_get_limiting_cgroup2_fd() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:08:04 +01:00
Christian Brauner	6f7f2966b1	commands: add missing lxc_cmd_get_limiting_cgroup2_fd() implementation Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:05:56 +01:00
Christian Brauner	44322ead39	cgpath: add logging Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	c5bac50665	attach: explicitly close seccomp notifier fd Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	5ef7547f3d	cgroups: switch back to returning ints Whick makes for easier error checking and fallback code. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	29619d419b	attach: check for ENOCGROUP2 explicitly Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	6b55ce0ed3	cgroups: return ENOCGROUP2 from cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	6407e1c244	cgroups: stricter argument vetting for cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	029d8e8801	cgroups: move down cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	739af8478c	lxccontainer: use correct error checks Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:15:43 +01:00
Christian Brauner	b57f9b1319	cgroups: vet parameters Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 21:59:04 +01:00
Christian Brauner	bfe2971ae4	cgroups: remove unused conf argument Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 21:58:09 +01:00
Christian Brauner	281c36454a	cgroups: rewind() file before polling again Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 19:29:41 +01:00
Christian Brauner	97d7b200d9	lxccontainer: use cgroup_freeze() and cgroup_unfreeze() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 18:56:23 +01:00
Christian Brauner	4639029c9f	freezer: make methods return bool Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 18:56:23 +01:00
Christian Brauner	c8af3332bc	cgroups: add cgroup_freeze() and cgroup_unfreeze() These are unified hierarchy only methods which don't need to initialize a full cgroup driver. Instead, they rely on the command socket to retrieve a cgroup2 file descriptor to the container's cgroup. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 18:56:23 +01:00
Christian Brauner	419847a8aa	freezer: use lxc_cmd_notify_state_listeners() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 18:26:57 +01:00
Christian Brauner	241670e7e9	commands_utils: add lcx_cmd_notify_state_listeners() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 18:26:29 +01:00

... 17 18 19 20 21 ...

10867 Commits