Christian Brauner
66beb49fa6
lsm: tweak apparmor_process_label_get()
...
Fixes: Coverity 1473189
Fixes: Coverity 1473190
Fixes: 47f4914d88 ("apparmor: prefer /proc/.../attr/apparmor/current over legacy interface")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:54 +01:00
Christian Brauner
580253dc83
file_utils: allow fd_to_buf() to fail for real
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:52 +01:00
Aleksa Sarai
843e8d49d6
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface
...
It turns out that since Linux 5.1 there are now per-LSM subdirectories
for major LSMs, which users are recommended to use over the "legacy"
top-level /proc/$pid/attr/... files[1]:

> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.

AppArmor has had such a directory since Linux 5.8[2], and it turns out
that with certain CONFIG_LSM configurations you can end up with AppArmor
files not being accessible from the legacy interface. Arch Linux
recently added BPF as one of the enabled LSM in their configuration, and
this broke runc[3] and LXC.

The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.

[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-02-26 21:27:51 +01:00
Aleksa Sarai
38c072c1e2
apparmor: clean up apparmor_process_label_get
...
Rather than open-coding file reading and retry semantics and
implementing the path generation logic separately to
apparmor_process_label_fd_get, refactor the logic so that it looks
closer to the pidfd version.

This will make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-02-26 21:27:50 +01:00
Christian Brauner
2ec2c3d24d
conf: don't log garbage
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:50 +01:00
Christian Brauner
5842f3413f
start: fix non-daemonized and application containers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:49 +01:00
Christian Brauner
e0538d90ec
conf: use saner mode for console
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:48 +01:00
Christian Brauner
34c6d6d463
bpf: simplify bpf (device) program freeing
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:48 +01:00
Christian Brauner
e35d7545ef
bpf: make bpf_program_cgroup_attach() static
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:47 +01:00
Christian Brauner
021833dd10
bpf: prevent double-close
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:46 +01:00
Christian Brauner
2763000998
cgroups: use close_equal() and free_equal()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:46 +01:00
Christian Brauner
de6dc23c39
memory_utils: add close_equal() and free_equal()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:45 +01:00
Christian Brauner
bf9d59e019
lxccontainer: fix reboot logging
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:45 +01:00
Christian Brauner
021770b81f
bpf: rework live device cgroup update
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:44 +01:00
Christian Brauner
baadb3cd36
compiler: fix fallthrough attribute
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:43 +01:00
Christian Brauner
741c4835d5
bpf: fix return values in bpf_program_cgroup_attach()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:43 +01:00
Christian Brauner
ca5c34f456
bpf: let bpf_list_add_device() take the device list directly
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:42 +01:00
Christian Brauner
277d80c5c5
bpf: add and use bpf_cgroup_devices_attach() helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:41 +01:00
Christian Brauner
6f5af027da
cgroups: remove compile-time bpf support detection
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:41 +01:00
Christian Brauner
64aa4275ad
bpf: vendor bpf headers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:40 +01:00
Christian Brauner
98a1d49f81
bpf: handling missing defines
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:39 +01:00
Christian Brauner
e1c8bab320
bpf: rework bpf_program_cgroup_detach()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:39 +01:00
Christian Brauner
0b9ce041e7
commands: rework bpf devices BPF_F_REPLACE codepath
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:38 +01:00
Christian Brauner
6e43674706
bpf: don't close invalid fd, simply swap
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:37 +01:00
Christian Brauner
2fa19f298f
bpf: use __u32 not uint32_t
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:37 +01:00
Christian Brauner
61a492b3e3
macro: add swap helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:36 +01:00
Christian Brauner
a4ade8461b
commands: replace bpf program on update
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:35 +01:00
Christian Brauner
b76873a51e
commands: improve bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:35 +01:00
Christian Brauner
72a27f0654
cgroups: improve bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:34 +01:00
Christian Brauner
35cca0f8c1
bpf: add helpers for better bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:33 +01:00
Christian Brauner
795313a6fb
cgroups: improve bpf device program handling
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:33 +01:00
Christian Brauner
7708e2d272
cgroups: make device cgroups semantics clearer
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:32 +01:00
Christian Brauner
9b7d34a22c
bpf: enable helpers to let caller replace existing bpf programs
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:31 +01:00
Christian Brauner
54c17d39fa
bpf: align struct initialization
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:31 +01:00
Christian Brauner
e490acc44f
bpf: use return macros
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:30 +01:00
Christian Brauner
789bf479cb
conf: introduce lxc_bpf_devices_rule_t type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:29 +01:00
Christian Brauner
e0542702d7
bpf: use cgroup fd directly instead of paths
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:29 +01:00
Christian Brauner
e4f23a0f88
cgroups: kill monitor_full_path
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:28 +01:00
Christian Brauner
c0fb6f36b3
cgroups: free correct path
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:27 +01:00
Christian Brauner
4e771848a6
utils: fix print_r() debugging helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:26 +01:00
Christian Brauner
5bd52b014d
cgroups: fix error values
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:25 +01:00
Christian Brauner
3bb6756de1
cgroups: don't overwrite type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:25 +01:00
Christian Brauner
b9a9768c45
cgroups: make it extremely obvious that we're transitioning from a flag to a type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:24 +01:00
Christian Brauner
6194bad77c
cgroups: create controller directories if missing
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:23 +01:00
Christian Brauner
4ab1d9a6c1
cgroups: use non-flag based checking now that we switched all codepaths over
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:22 +01:00
Christian Brauner
0679efa089
conf: use brackets to clarify check semantics
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:22 +01:00
Christian Brauner
16ed808675
cgroups: validate that only a single cgroup mount type is set
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:21 +01:00
Christian Brauner
d6614b806a
cgroups: prevent cgroup mount type overwrite
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:20 +01:00
Christian Brauner
3a72de5011
cgroups: ensure that cgroup_root is initialized in legacy codepaths
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:19 +01:00
Christian Brauner
b7967f52bb
cgroups: distinguish between tmpfs and unified based cgroup layouts file descriptors
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-26 21:27:19 +01:00