mirror_lxc

mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-27 06:21:08 +00:00

Author	SHA1	Message	Date
Christian Brauner	cef701ede3	coverity: #1435263 Use after free Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-30 12:18:23 +02:00
Stéphane Graber	ff62067703	Merge pull request #2297 from brauner/2018-04-29/bugfixes coverity	2018-04-30 05:29:41 -04:00
Christian Brauner	e62fd16fff	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 16:58:06 +02:00
Christian Brauner	630ac7c61b	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 16:56:58 +02:00
Christian Brauner	9640c6a767	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 16:45:43 +02:00
Christian Brauner	7cea590585	lxccontainer: use thread-safe open() + write() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 16:42:44 +02:00
Christian Brauner	d630991d8f	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 15:08:46 +02:00
Christian Brauner	e898947399	lxccontainer: do_lxcapi_unfreeze() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 14:53:12 +02:00
Christian Brauner	5df46fad0c	lxccontainer: do_lxcapi_freeze() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 14:52:40 +02:00
Christian Brauner	9e6304187b	lxccontainer: do_lxcapi_is_running() There's no need to do string comparisons. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 14:49:36 +02:00
Christian Brauner	44619b6cd2	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 14:48:08 +02:00
Christian Brauner	5647455516	lxccontainer: use thread-safe _OFD_ locks If they aren't available fallback to BSD flock()s. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 13:56:15 +02:00
Christian Brauner	0e14584db8	lxccontainer: non-functional changes Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 13:39:16 +02:00
Christian Brauner	d2b5acecea	coverity: #1426734 Argument cannot be negative Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 01:10:54 +02:00
Christian Brauner	ba1de6dbfe	coverity: #1435198 Unchecked return value Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:50:50 +02:00
Christian Brauner	205fc0103b	coverity: #1435200 Resource leak Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:49:30 +02:00
Christian Brauner	c1768f3f25	coverity: #1435203 Resource leak Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:43:34 +02:00
Christian Brauner	dbdf8cf420	coverity: #1435205 Unchecked return value Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:38:29 +02:00
Christian Brauner	46768cced9	coverity: #1435206 Time of check time of use Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:36:24 +02:00
Christian Brauner	91ae555c99	coverity: #1435207 Unchecked return value Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:22:54 +02:00
Christian Brauner	8186c5c7c3	coverity: #1435208 Unused value Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:21:33 +02:00
Christian Brauner	13939498ed	coverity: #1435210 Logically dead code Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-29 00:16:05 +02:00
Christian Brauner	ad38dca193	Merge pull request #2279 from kunkku/create-umask do_lxcapi_create: set umask	2018-04-28 23:23:27 +02:00
Christian Brauner	61068d39af	Merge pull request #2293 from pkun/master Fix tool_utils.c build when HAVE_SETNS is unset	2018-04-26 18:36:46 +02:00
Serj Kalichev	09e6e41e05	Fix tool_utils.c build when HAVE_SETNS is unset Add inline setns() function to tool_utils.h. Without it tool_utils.c can't be build when HAVE_SETNS is unset. Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>	2018-04-26 16:20:30 +03:00
Christian Brauner	fca96eb6da	Merge pull request #2289 from lifeng68/Fix_mem_leak_list_active_containers Fix memory leak in list_active_containers	2018-04-24 15:14:25 +02:00
LiFeng	e07eafa839	Fix memory leak in list_active_containers Signed-off-by: LiFeng <lifeng68@huawei.com>	2018-04-24 15:26:32 -04:00
LiFeng	71cb9afb44	Fix the memory leak in cgfsng_attach Signed-off-by: LiFeng <lifeng68@huawei.com>	2018-04-24 12:53:57 -04:00
Christian Brauner	48d02a2f03	Merge pull request #2288 from lifeng68/Fix_mem_leak_cgfsng_attach Fix the memory leak in cgfsng_attach	2018-04-24 10:40:22 +02:00
Christian Brauner	d31660efe7	Merge pull request #2287 from thyth/master Also pass action scripts to CRIU on checkpointing	2018-04-24 10:16:04 +02:00
Daniel Selifonov	497a78630c	Also pass action scripts to CRIU on checkpointing Signed-off-by: Daniel Selifonov <ds@thyth.com>	2018-04-23 23:03:44 -07:00
Christian Brauner	31283a46ac	Merge pull request #2284 from 3XX0/pamcgfs-ignore-umask pam-cgfs: ignore the system umask when creating the cgroup hierarchy	2018-04-23 23:09:39 +02:00
Jonathan Calmels	c4a4578fa0	pam-cgfs: ignore the system umask when creating the cgroup hierarchy Fixes: #2277 Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>	2018-04-23 13:24:11 -07:00
Christian Brauner	5dfc91865b	Merge pull request #2285 from tpetazzoni/offsetof-stddef-fix lxc/tools/lxc_monitor: include missing <stddef.h>	2018-04-20 13:00:07 +02:00
Thomas Petazzoni	77d407537f	lxc/tools/lxc_monitor: include missing <stddef.h> lxc_monitor.c uses offsetof(), so it should include <stddef.h>. Otherwise the build fails with the musl C library: tools/lxc_monitor.c: In function ‘lxc_abstract_unix_connect’: tools/lxc_monitor.c:324:9: warning: implicit declaration of function ‘offsetof’ [-Wimplicit-function-declaration] offsetof(struct sockaddr_un, sun_path) + len + 1); ^~~~~~~~ tools/lxc_monitor.c:324:18: error: expected expression before ‘struct’ offsetof(struct sockaddr_un, sun_path) + len + 1); ^~~~~~ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>	2018-04-20 12:26:33 +02:00
Christian Brauner	7d675310ae	Merge pull request #2283 from flx42/lxc-oci-mkdir-download-directory lxc-oci: mkdir the download directory	2018-04-19 15:07:05 +02:00
Felix Abecassis	8c7536ecf2	lxc-oci: mkdir the download directory Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>	2018-04-18 14:12:55 -07:00
Serge Hallyn	a5fb69a3f1	Merge pull request #2281 from brauner/2018-04-15/seccomp_fixes seccomp: handle arch inversion - The Architecture Strikes Back	2018-04-18 11:35:11 -05:00
Christian Brauner	eca6736eb0	seccomp: handle arch inversion II LXC generates and loads the seccomp-bpf filter in the host/container which spawn the new container. In other words, userspace N is responsible for generating and loading the seccomp-bpf filter which restricts userspace N + 1. Assume 64bit kernel and 32bit userspace running a 64bit container. In this case the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter, or adjusts the default behavior for "BAD_ARCH", all 64-bit x86 syscalls will be blocked. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Suggested-by: Paul Moore <paul@paul-moore.com>	2018-04-18 16:00:54 +02:00
Christian Brauner	7e84441ec3	seccomp: non-functional changes Rename "compat_ctx" to "contexts" and "compat_arch" to "architectures". Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-18 14:40:49 +02:00
Christian Brauner	4160ef02e5	tools: document -d/--daemonize for lxc-execute Closes #2280. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-15 22:43:21 +02:00
Christian Brauner	94d5605414	seccomp: improve logging Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-15 22:39:07 +02:00
Christian Brauner	d648e178f1	seccomp: cleanup compat architecture handling Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-15 22:12:51 +02:00
Kaarle Ritvanen	51f0f73b4f	do_lxcapi_create: set umask Always use 022 as the umask when creating the rootfs directory and executing the template. A too loose umask may cause security issues. A too strict umask may cause programs to fail inside the container. Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2018-04-15 16:09:41 +03:00
Stéphane Graber	a55e2ad107	Merge pull request #2275 from brauner/2018-04-13/improve_seccomp seccomp: handle all errors	2018-04-13 18:20:33 +02:00
Christian Brauner	adfee3a873	seccomp: handle all errors Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-13 18:00:23 +02:00
Serge Hallyn	2c80e9cf15	Merge pull request #2274 from brauner/2018-04-13/fix_seccomp_with_personality_and_64bit_kernel_32_bit_userspace seccomp: handle arch inversion	2018-04-13 10:29:18 -05:00
Christian Brauner	b5ed021bbc	seccomp: handle arch inversion This commit deals with different kernel and userspace layouts and nesting. Here are three examples: 1. 64bit kernel and 64bit userspace running 32bit containers 2. 64bit kernel and 32bit userspace running 64bit containers 3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers Two things to lookout for: 1. The compat arch that is detected might have already been present in the main context. So check that it actually hasn't been and only then add it. 2. The contexts don't need merging if the architectures are the same and also can't be. With these changes I can run all crazy/weird combinations with proper seccomp isolation. Closes #654. Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366 Reported-by: Chirantan Ekbote <chirantan@chromium.org> Reported-by: Sonny Rao <sonnyrao@chromium.org> Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2018-04-13 14:11:09 +02:00
Christian Brauner	bf5afb0174	Merge pull request #2273 from aither64/master conf: fix net type checks in run_script_argv()	2018-04-13 10:39:05 +02:00
Jakub Skokan	a81442634e	conf: fix net type checks in run_script_argv() Signed-off-by: Jakub Skokan <jakub.skokan@havefun.cz>	2018-04-13 09:03:20 +02:00

... 3 4 5 6 7 ...

7055 Commits