proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 22:12:36 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
11,443 Commits 6 Branches 17 Tags 29 MiB
16ebb29dcc
Commit Graph

11443 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Christian Brauner
3c981fcb78
tests: check for NULL in device_add_remove 
Fixes: Coverity 1472768
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-03 09:36:23 +01:00
Stéphane Graber
07f89a4faf
Merge pull request #3647 from brauner/2021-02-02/fixes 
cgroup2: only rely on command socket when getting cgroup values
 2021-02-02 18:30:27 -05:00
Christian Brauner
b7aeda9691
cgroups: improve parameter vetting 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-03 00:00:50 +01:00
Christian Brauner
7d013cccf9
tests: support pure unified cgroup layouts in cgpath test 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:52:18 +01:00
Christian Brauner
a4f2435718
test: add logging to device_add_remove 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:40:32 +01:00
Christian Brauner
ea299bfc98
freezer: remove lxc_cmd_freeze() and lxc_cmd_unfreeze() calls 
We're now handling them better.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:24:28 +01:00
Christian Brauner
9d47970b9b
commands: use __cgroup_unfreeze() directly 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:21:21 +01:00
Christian Brauner
c9c814f4d4
cgroups: export __cgroup_unfreeze() for use in commands 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:21:19 +01:00
Christian Brauner
ae4fcc7b11
cgroups: use lxc_cmd_get_limiting_cgroup2_fd() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:08:04 +01:00
Christian Brauner
6f7f2966b1
commands: add missing lxc_cmd_get_limiting_cgroup2_fd() implementation 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 23:05:56 +01:00
Christian Brauner
44322ead39
cgpath: add logging 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
c5bac50665
attach: explicitly close seccomp notifier fd 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
5ef7547f3d
cgroups: switch back to returning ints 
Whick makes for easier error checking and fallback code.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
29619d419b
attach: check for ENOCGROUP2 explicitly 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
6b55ce0ed3
cgroups: return ENOCGROUP2 from cgroup_attach() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
6407e1c244
cgroups: stricter argument vetting for cgroup_attach() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
029d8e8801
cgroups: move down cgroup_attach() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:56:10 +01:00
Christian Brauner
739af8478c
lxccontainer: use correct error checks 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 22:15:43 +01:00
Christian Brauner
b57f9b1319
cgroups: vet parameters 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 21:59:04 +01:00
Christian Brauner
bfe2971ae4
cgroups: remove unused conf argument 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 21:58:09 +01:00
Christian Brauner
281c36454a
cgroups: rewind() file before polling again 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 19:29:41 +01:00
Christian Brauner
97d7b200d9
lxccontainer: use cgroup_freeze() and cgroup_unfreeze() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:56:23 +01:00
Christian Brauner
4639029c9f
freezer: make methods return bool 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:56:23 +01:00
Christian Brauner
c8af3332bc
cgroups: add cgroup_freeze() and cgroup_unfreeze() 
These are unified hierarchy only methods which don't need to initialize a full
cgroup driver. Instead, they rely on the command socket to retrieve a cgroup2
file descriptor to the container's cgroup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:56:23 +01:00
Christian Brauner
419847a8aa
freezer: use lxc_cmd_notify_state_listeners() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:26:57 +01:00
Christian Brauner
241670e7e9
commands_utils: add lcx_cmd_notify_state_listeners() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:26:29 +01:00
Christian Brauner
751a624fb5
cgroups: annotate cgroup_get()/cgroup_set() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:09:29 +01:00
Christian Brauner
be835470f3
cgroups: move functions after methods 
This makes it more obvious that they are separate.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:08:14 +01:00
Christian Brauner
69edb51d07
lxccontainer: use cgroup_set() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:03:41 +01:00
Christian Brauner
efb4b3e80f
lxccontainer: use correct variable ordering 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 18:02:47 +01:00
Christian Brauner
983b1db09d
cgroups: add croup_set() 
This is a unified hierarchy only method which doesn't need to initialize a full
cgroup driver. Instead, it relies on the command socket to retrieve a cgroup2
file descriptor to the container's cgroup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 17:40:30 +01:00
Christian Brauner
3baf0fc8b9
cgroups: reorder cgroup_get() arguments 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 17:40:08 +01:00
Christian Brauner
a29cc280c7
lxccontainer: use cgroup_get() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 17:10:12 +01:00
Christian Brauner
b135642488
cgroups: add cgroup_get() 
This is a unified hierarchy only method which doesn't need to initialize a full
cgroup driver. Instead, it relies on the command socket to retrieve a cgroup2
file descriptor to the container's cgroup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 17:10:10 +01:00
Christian Brauner
2b5e0b8bd2
file_utils: add lxc_read_try_buf_at() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 16:59:14 +01:00
Christian Brauner
6de35cd959
macro: abuse ENOMEDIUM as ENOCGROUP2 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 16:58:45 +01:00
Stéphane Graber
b22ae84389
Merge pull request #3646 from brauner/2021-02-02/fixes 
attach & cgroup hardening
 2021-02-02 09:28:50 -05:00
Christian Brauner
ac01a9b83c
cgroups: switch controller delegation to fd-only operations 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:51:00 +01:00
Christian Brauner
6d15354365
cgroups: add unified_cgroup_fd() helper 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:46:03 +01:00
Christian Brauner
3c5fa7f3e8
file_utils: harden lxc_writeat() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:45:26 +01:00
Christian Brauner
87c7dbcb9c
file_utils: harden lxc_open_dirfd() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:45:11 +01:00
Christian Brauner
bcf9793d43
syscall_wrappers: add PROTECT_OPEN_W_* variants 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:44:37 +01:00
Christian Brauner
4c6c4794dc
memory_utils: add close_prot_errno_mov() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 13:44:13 +01:00
Christian Brauner
e18aba7d2a
attach: move loading seccomp as late as possible 
We want to minimize the change that the profile blocks syscalls we need during
attach setup and has the notifier enabled.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 10:51:06 +01:00
Christian Brauner
92466fe34b
attach: move file descriptor closing into attach_context_container() 
This reduces the possibility of forgetting to close the namespace file
descriptors when we change this codepath.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 10:51:03 +01:00
Christian Brauner
72a19d2f38
attach: stricter lookup semantics for fdopen_at() calls 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-02 09:54:10 +01:00
Stéphane Graber
c7d644983f
Merge pull request #3645 from brauner/2021-02-01/fixes_4 
attach: bugfixes
 2021-02-01 17:13:37 -05:00
Christian Brauner
4ac35afb78
confile_utils: use lxc_log_trace() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-01 22:54:47 +01:00
Christian Brauner
62fef886dc
conf: use lxc_log_trace() 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-01 22:53:56 +01:00
Christian Brauner
570e117338
commands_utils: don't leak memory 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
 2021-02-01 22:47:19 +01:00