Stéphane Graber
fc1625fb23
Merge pull request #3948 from brauner/2021-08-24.fixes
confile: return negative errno everywhere
2021-08-24 08:29:49 -04:00
Maximilian Blenk
8c5c30d175
tools: fix elevated privilege handler in lxc-attach
Make sure to return an error when the user requests an LSM profile to be
set while also requesting that elevated LSM privileges are to be used.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 10:01:11 +02:00
Christian Brauner
d253a09f9b
confile: rework lxc_fill_elevated_privileges()
Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:58:47 +02:00
Christian Brauner
d34bbcb71a
attach_options: add LXC_ATTACH_LSM_LABEL to LXC_ATTACH_LSM flags
Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:58:25 +02:00
Christian Brauner
7cde4e411a
tools: align struct initialization
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:57:44 +02:00
Christian Brauner
647df91d9a
tools: fix variable declarations in lxc-attach
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:36:34 +02:00
Maximilian Blenk
b445fcb114
attach: allow LSM attach without new mnt namespace
Currently, the -c command (to set the selinux context) seems to be
broken because lxc-attach expects that a new mount namespace is also
specified via the command line. This commit removes the check for the new
mount namespace to fix this issue. Please note that the
--elevated-privileges option is not affected by this issue.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:20:02 +02:00
Christian Brauner
b28be01f5c
confile: return negative errno everywhere
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-24 09:13:36 +02:00
Christian Brauner
a0738fa00b
Merge pull request #3947 from blenk92/fix-missing-seccomp
config: enable seccomp profile only when compiled with libseccomp
2021-08-24 09:07:48 +02:00
Maximilian Blenk
3d46e1d1f8
config: enable seccomp profile only when compiled with libseccomp
Make lxc fail if seccomp.profile is specified but lxc is compiled
without seccomp support. Currently, seccomp.profile is silently ignored
if it is specified in such a scenario. This could lead to the false
impression that the seccomp filter is applied while it actually isn't.
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
2021-08-24 01:17:32 +02:00
Stéphane Graber
f1b5286c65
Merge pull request #3943 from brauner/2021-08-19.fixes
seccomp: fix compilation when !HAVE_DECL_SECCOMP_NOTIFY_FD
2021-08-19 15:18:07 -04:00
Christian Brauner
c16d194abf
seccomp: fix compilation when !HAVE_DECL_SECCOMP_NOTIFY_FD
[2021-08-18 05:48:26] [build-stdout] mv -f $depbase.Tpo $depbase.Po
[2021-08-18 05:48:26] [build-stderr] seccomp.c: In function ‘seccomp_notify_cleanup_handler’:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1367:25: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr] 1367 | if (fd == conf->seccomp.notifier.notify_fd)
[2021-08-18 05:48:26] [build-stderr] | ^
[2021-08-18 05:48:26] [build-stderr] In file included from af_unix.h:12,
[2021-08-18 05:48:26] [build-stderr] from seccomp.c:14:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr] 1368 | fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr] | ^
[2021-08-18 05:48:26] [build-stderr] macro.h:655:26: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr] 655 | int __internal_fd__ = (fd); \
[2021-08-18 05:48:26] [build-stderr] | ^~
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr] 1368 | fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr] | ^
[2021-08-18 05:48:26] [build-stderr] macro.h:656:4: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr] 656 | (fd) = -EBADF; \
[2021-08-18 05:48:26] [build-stderr] | ^~
[2021-08-18 05:48:26] [build-stderr] make[3]: *** [Makefile:4496: seccomp.o] Error 1
[2021-08-18 05:48:26] [build-stdout] make[3]: Leaving directory '/opt/src/src/lxc'
[2021-08-18 05:48:26] [build-stdout] make[2]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stdout] make[1]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stderr] make[2]: *** [Makefile:440: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] make[1]: *** [Makefile:379: all] Error 2
[2021-08-18 05:48:26] [build-stderr] make: *** [Makefile:537: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] + '[' -f build.ninja ']'
[2021-08-18 05:48:26] [build-stdout] Semmle autobuild: no supported build system detected.
[2021-08-18 05:48:26] [build-stderr] + '[' -d ../_lgtm_build_dir ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build.sh ']'
[2021-08-18 05:48:26] [build-stderr] + '[' -f setup.py ']'
[2021-08-18 05:48:26] [build-stderr] + echo 'Semmle autobuild: no supported build system detected.'
[2021-08-18 05:48:26] [build-stderr] + exit 1
[2021-08-18 05:48:26] [ERROR] Spawned process exited abnormally (code 1; tried to run: [/opt/dist/tools/linux64/preload_tracer, /opt/dist/cpp/tools/do-build])
[2021-08-18 05:48:26] [build-stderr] A fatal error occurred: Exit status 1 from command: [/opt/dist/cpp/tools/do-build]
[2021-08-18 05:48:26] [build-stderr] deptrace-server: received exit command
[2021-08-18 05:48:27] [ERROR] Spawned process exited abnormally (code 2; tried to run: [/opt/work/lgtm-workspace/lgtm/extract.sh])
A fatal error occurred: Exit status 2 from command: [/opt/work/lgtm-workspace/lgtm/extract.sh]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-19 10:47:31 +02:00
Stéphane Graber
ba4339b677
Merge pull request #3940 from brauner/2021-08-16.fixes.2
tests: only rely on busybox template getting rid of all network dependencies; terminal: allow for tty allocation even when container did not request separate devpts instance
2021-08-17 12:45:57 -04:00
Christian Brauner
41ed9db898
tests: use busybox in lxc-test-usernic.in
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
6c321ceada
tests: use busybox in lxc-test-unpriv
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
f6a53ad2c5
tests: use busybox in lxc-test-no-new-privs
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 17:35:48 +02:00
Christian Brauner
bc84935552
test: use busybox in lxc-test-autostart
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:28 +02:00
Christian Brauner
adb14537d2
test: use busybox in lxc-test-apparmor-mount
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
acd792c965
test: use busybox in lxc-test-apparmor-generated
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
fd0349a7a0
tests: fix order in sys_mixed
We need to set the config item after we have loaded the config, obviously.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
03585adc0e
conf: allow for tty allocation even when container did not request separate devpts instance
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:51:27 +02:00
Christian Brauner
b081cb55e4
busybox: simplify
Start relying on autodev for busybox template and wipe all the device
creation.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:50:58 +02:00
Christian Brauner
8829829deb
busybox: mount sys:ro
There's no udev so sys doesn't need to be read-write.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 13:49:56 +02:00
Christian Brauner
803839b8b9
terminal: use /dev/ptmx when allocating pty devices from devpts instances we didn't mount ourselves
When we aren't told what devpts instance to allocate from we assume it
is the one in the caller's mount namespace.
This poses a slight complication: a lot of distros will change
permissions on /dev/ptmx so it can be opened by unprivileged users but
will not change permissions on /dev/pts/ptmx itself. In addition,
/dev/ptmx can either be a symlink, a bind-mount, or a separate device
node. So we need to allow for a fairly lax lookup.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 11:39:17 +02:00
Christian Brauner
d06abe2f9c
file_utils: add same_device() helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-17 11:39:17 +02:00
Stéphane Graber
72c6d3a56d
Merge pull request #3938 from brauner/2021-08-16.fixes
cgroups: simplify offline and isolated cpumask handling
2021-08-16 12:35:46 -04:00
Christian Brauner
12a0f27dfe
Merge pull request #3939 from Cypresslin/fix-test-exec-bit
tests: set lxc-test-automount/createconfig/snapdeps as executable
2021-08-16 12:06:16 +02:00
Po-Hsu Lin
02f00bdc3e
tests: set lxc-test-automount/createconfig/snapdeps as executable
The debian/tests/exercise script will skip those non-executable tests
in src/test, thus these three tests never got tested.
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
2021-08-16 17:34:20 +08:00
Christian Brauner
4d8f68fb97
cgroups: simplify offline and isolated cpu handling
Don't create separate cpumask arrays for them. Just clear the ones that
are set in the original cpumask array.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-16 11:11:43 +02:00
Christian Brauner
0627ffc0c6
cgroups: use semantically clean check in cpuset1_cpus_initialize()
The variable is a pointer, not an integer.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-16 10:56:51 +02:00
Stéphane Graber
6f76b9e528
Merge pull request #3937 from brauner/2021-08-13.fixes
cgroups: cpumask fixes
2021-08-14 11:12:27 -04:00
Christian Brauner
f5bc57d23c
cgroups: fix cpumask handling
Link: https://discuss.linuxcontainers.org/t/lxc-4-0-9-lxc-start-sigabrt-on-systems-with-defined-offline-cpus-and-a-total-number-of-cpus-divisible-by-32
Signed-off-by: Jim Ferrigno <jim.ferrigno@oracle.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-14 00:39:03 +02:00
Christian Brauner
21e84b0205
cgroups: fix comments in cpuset1_initialize()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-13 21:37:02 +02:00
Christian Brauner
f6949b6993
Revert "cgroups: fix cpu bitmasks"
This reverts commit e0f7296a6d.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-13 21:35:30 +02:00
Christian Brauner
fb40641cac
Merge pull request #3934 from brauner/2021-08-12.fixes
cgroups: cpumask fixes
2021-08-12 10:12:45 +02:00
Christian Brauner
7e80755d0c
cgroups: s/calloc/zalloc/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-12 09:00:00 +02:00
Jim Ferrigno
e0f7296a6d
cgroups: fix cpu bitmasks
Link: https://discuss.linuxcontainers.org/t/lxc-4-0-9-lxc-start-sigabrt-on-systems-with-defined-offline-cpus-and-a-total-number-of-cpus-divisible-by-32
Signed-off-by: Jim Ferrigno <jim.ferrigno@oracle.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-12 08:56:04 +02:00
Stéphane Graber
cf92aaac1c
Merge pull request #3899 from denisfa/master
Improve bash completion experience.
2021-08-11 13:42:18 -04:00
Stéphane Graber
ef10e680d5
Merge pull request #3932 from brauner/2021-08-11.fixes
mainloop: further io_uring fixes
2021-08-11 13:22:48 -04:00
Christian Brauner
82abff81b6
mainloop: disable IORING_SETUP_SQPOLL for now
It's a bit more complicated to use than I envisioned here.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 17:47:39 +02:00
Christian Brauner
c9d1f58725
mainloop: add comments about multishot and oneshot cleanup
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 17:47:39 +02:00
Christian Brauner
e5e7c954c5
mainloop: s/handler_name/name/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 17:47:39 +02:00
Stéphane Graber
34a16b88c6
Merge pull request #3931 from brauner/2021-08-11.fixes
memory_utils: mark cleanup handler as unused
2021-08-11 10:58:21 -04:00
Christian Brauner
96348aa8ab
mainloop: move variables into tighter scope
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 15:52:12 +02:00
Christian Brauner
f7050a2d87
memory_utils: mark cleanup handler as unused
They are sometimes used to just clean something up automatically at the end
of scope, but the variables themselves might not actually be used.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 15:43:18 +02:00
Stéphane Graber
d5b6db61e2
Merge pull request #3930 from brauner/2021-08-10.fixes
mainloop: io_uring cleanup handling fixes
2021-08-11 09:08:09 -04:00
Christian Brauner
4f142001a8
mainloop: fix io_uring cleanup handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-11 11:03:13 +02:00
Christian Brauner
cba2278a10
mainloop: remove CANCEL_RAISE flag
This is really not needed since we're not checking it anywhere anyway.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-10 17:57:26 +02:00
Christian Brauner
80aa5876b3
mainloop: minor fixes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-08-10 17:42:41 +02:00
Christian Brauner
fa21f71fef
Merge pull request #3928 from simondeziel/download-user-agent
lxc-download: customize the user-agent to include LXC package version and compat level
2021-08-10 17:09:06 +02:00