Commit Graph

8609 Commits

Author SHA1 Message Date
Wolfgang Bumiller
4a094eec4a seccomp: update notify api
The previous API doesn't reflect the fact that
`seccomp_notif` and `seccomp_notif_resp` are allocatd
dynamically with sizes figured out at runtime.

We now query the sizes via the seccomp(2) syscall and change
`struct seccomp_notify_proxy_msg` to contain the sizes
instead of the data, with the data following afterwards.

Additionally it did not provide a convenient way to identify
the container the message originated from, for which we now
include a cookie configured via `lxc.seccomp.notify.cookie`.

Since we currently always send exactly one request and await
the response immediately, verify the `id` in the client's
response.

Finally, the proxy message's "version" field is removed, and
we reserve 64 bits in its place.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-09 12:25:10 +02:00
Wolfgang Bumiller
84cf6d259b conf: add lxc.seccomp.notify.cookie
This is an arbitrary string to to be included in proxied
seccomp notification messages.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-09 12:25:10 +02:00
Wolfgang Bumiller
99d03dec11 file_utils: add lxc_recvmsg_nointr_iov
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-09 12:25:10 +02:00
Wolfgang Bumiller
970ef13dd2 af_unix: add lxc_unix_connect_type
we want to use SOCK_SEQPACKET and in the future perhaps
SOCK_DATAGRAM as well

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-09 12:25:10 +02:00
Christian Brauner
dc85e31eca af_unix: add lxc_abstract_unix_recv_fds_iov()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-09 12:25:10 +02:00
Wolfgang Bumiller
e1726045d4 af_unix: add lxc_abstract_unix_send_fds_iov
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-09 11:13:27 +02:00
Christian Brauner
cfc3b34209
Merge pull request #3085 from Blub/pidfd_send_signal-fixup
pidf_send_signal: fix return value
2019-07-08 23:33:58 +02:00
Wolfgang Bumiller
cf38fe06ac pidf_send_signal: fix return value
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2019-07-08 18:12:29 +02:00
Stéphane Graber
aab6e3eb73
Merge pull request #3083 from brauner/2019-07-07/mount_api
lxccontainer: properly cleanup on mount injection failure
2019-07-07 12:39:49 -04:00
Christian Brauner
1f77c35ecb
lxccontainer: properly cleanup on mount injection failure
Closes: #3082
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-07 18:24:55 +02:00
Christian Brauner
9c238bc6bf
Merge pull request #3081 from brauner/2019-07-05/network_unification_fixes
start: call lxc_find_gateway_addresses early
2019-07-05 11:44:45 +02:00
Thomas Parrott
03ca4af8fa
start: call lxc_find_gateway_addresses early
This restores the lxc.net.x.ipv4.gateway = auto and
lxc.net.x.ipv6.gateway = auto functionality.

When the child is created the parent and child have different views of
struct lxc_handler since - obviously - virtual memory is duplicated. So any
changes to done by the parent that the child should see need to be IPCed to it.
For any non-actual device creation stuff this does not make much sense. This
includes finding gateway addresses. Move it back prior to clone().

Fixes #3078

Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
[christian.brauner@ubuntu.com: non-functional changes and update commit message]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-05 11:05:38 +02:00
Stéphane Graber
306ca14a29
Merge pull request #3077 from brauner/2019-07-03/network_fixes
network: simplify lxc_network_move_created_netdev_priv()
2019-07-03 18:13:20 -04:00
Christian Brauner
24190194c1
network: simplify lxc_network_move_created_netdev_priv()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 23:55:57 +02:00
Stéphane Graber
a70d78cdc8
Merge pull request #3076 from brauner/2019-07-03/network_fixes
network: fixes after unifying network creation
2019-07-03 17:43:54 -04:00
Christian Brauner
3c09b97cd5
network: send names for all non-trivial network types
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 23:28:58 +02:00
Christian Brauner
61302ef7dc
network: record created_name for instantiate_phys()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:48:20 +02:00
Christian Brauner
75b074eea0
network: simplify instantiate_phys()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:46:37 +02:00
Christian Brauner
83530dba89
network: record created_name for instantiate_vlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:44:52 +02:00
Christian Brauner
d4d684109c
network: simplify instantiate_vlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:44:19 +02:00
Christian Brauner
e7fdd504e9
network: record created_name for instantiate_ipvlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:43:19 +02:00
Christian Brauner
dd1192068d
network: simplify instantiate_ipvlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:42:59 +02:00
Christian Brauner
a9704f0521
network: stash created_name in instantiate_macvlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:39:54 +02:00
Christian Brauner
8021de2564
network: simplify instantiate_macvlan()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:39:24 +02:00
Christian Brauner
3ebffb9896
network: s/loDev/loop_device/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 21:37:37 +02:00
Stéphane Graber
113ca42933
Merge pull request #3075 from brauner/2019-07-03/cgroups
cgroups: hande cpuset initialization race
2019-07-03 12:23:50 -04:00
Christian Brauner
b28c281086
cgroups: hande cpuset initialization race
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 17:57:48 +02:00
Stéphane Graber
0f03b15592
Merge pull request #3074 from brauner/2019-07-03/fix_phys_network_creation
network: remove faulty restriction
2019-07-03 11:44:25 -04:00
Christian Brauner
e318f2c1a3
network: remove faulty restriction
Reported-by: Thomas Parrott <thomas.parrott@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-03 15:48:09 +02:00
Stéphane Graber
4f71ecb85e
Merge pull request #3069 from brauner/2019-07-01/network_creation
start: unify network creation
2019-07-02 11:46:55 -04:00
Christian Brauner
1871e6465b
start: expose LXC_PID to network hooks too
Closes #3066.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-02 13:49:33 +02:00
Christian Brauner
e389f2afd8
start: unify and simplify network creation
Make sure that network creation happens at the same time for containers started
by privileged and unprivileged users. The only reason we didn't do this so far
was to avoid sending network device ifindices around in the privileged case.

Link: https://github.com/lxc/lxc/issues/3066
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-07-02 13:49:27 +02:00
Stéphane Graber
c83ad424ab
Merge pull request #3064 from brauner/2019-06-27/cleanup_macros
bugfixes
2019-07-01 22:06:23 -04:00
Stéphane Graber
dfce2c76be
Merge pull request #3059 from brauner/2019-06-21/seccomp_notify
lxccontainer: rework seccomp notify api function
2019-07-01 22:04:20 -04:00
Christian Brauner
33d7d28f45
Merge pull request #3067 from Rachid-Koucha/patch-1
Move code/variable in smaller scope
2019-06-30 18:13:30 +02:00
Rachid Koucha
2806a87dcc
Move code/variable in smaller scope
In start.c, do not fill path[] table if not necessary

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
2019-06-29 23:21:14 +02:00
Christian Brauner
9752e3a9e7
Merge pull request #3065 from lifeng68/fix_memory_leak
fix memory leak in do_storage_create
2019-06-28 11:53:52 +02:00
LiFeng
8ea91347b8 fix memory leak in do_storage_create
Signed-off-by: LiFeng <lifeng68@huawei.com>
2019-06-27 23:49:08 -04:00
Christian Brauner
6a720d7480
cgroups: move variable into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 16:08:21 +02:00
Christian Brauner
f6b54668ef
cgroups: correctly order variables
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 16:08:21 +02:00
Christian Brauner
dfa835ac21
cgroups: move variable into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 16:08:21 +02:00
Christian Brauner
3312a94ff4
cgroups: simplify cgfsng_nrtasks()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 16:08:21 +02:00
Christian Brauner
779b3d82e6
cgroups: move variable into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 16:08:18 +02:00
Christian Brauner
81b5d48a34
cgroups: move variable into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 14:27:58 +02:00
Christian Brauner
c05b17bd66
cgroups: use __do_free in cgfsng_attach()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 14:27:39 +02:00
Christian Brauner
6280d4c97d
cgroups: simplify cgfsng_setup_limits()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 14:26:38 +02:00
Christian Brauner
431e2c547f
cgroups: move variables into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 14:26:14 +02:00
Christian Brauner
a64edc1c8d
cgroups: use __do_free
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2019-06-27 14:25:53 +02:00
Christian Brauner
c121b3000f
Merge pull request #3063 from lifeng68/fix_memory_leak
cgfsng: fix memory leak in lxc_cpumask_to_cpulist
2019-06-27 09:40:55 +02:00
LiFeng
24cac6aff1 cgfsng: fix memory leak in lxc_cpumask_to_cpulist
Signed-off-by: LiFeng <lifeng68@huawei.com>
2019-06-27 00:00:09 -04:00