Aleksa Sarai
47f4914d88
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface
...
It turns out that since Linux 5.1 there are now per-LSM subdirectories
for major LSMs, which users are recommended to use over the "legacy"
top-level /proc/$pid/attr/... files[1]:
> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.
AppArmor has had such a directory since Linux 5.8[2], and it turns out
that with certain CONFIG_LSM configurations you can end up with AppArmor
files not being accessible from the legacy interface. Arch Linux
recently added BPF as one of the enabled LSMs in their configuration, and
this broke runc[3] and LXC.
The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.
[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-02-19 20:53:50 +11:00
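The two-step lookup this commit message describes, written out as an added C example (not LXC's or runc's own code): it prefers /proc/$pid/attr/apparmor/current and falls back to the legacy /proc/$pid/attr/current, and carries a self-check against a constructed directory tree that stands in for /proc. The pid 1234, the label string and the /tmp root are fabricated for that self-check.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Files to try, preferred first, relative to <procroot>/<pid>/attr/. */
static const char *const label_files[] = { "apparmor/current", "current" };

/* Reads a process's AppArmor label into buf (newline stripped). Returns 0 if the per-LSM
 * file answered, 1 if the legacy one did, else -1. procroot is "/proc" in real use. */
int apparmor_label_read(const char *procroot, const char *pid, char *buf, size_t size)
{
	for (int i = 0; i < 2; i++) {
		char path[256];
		snprintf(path, sizeof(path), "%s/%s/attr/%s", procroot, pid, label_files[i]);
		int fd = open(path, O_RDONLY | O_CLOEXEC);
		if (fd < 0) continue; /* ENOENT: this kernel/LSM configuration lacks the file */
		ssize_t n = read(fd, buf, size - 1);
		close(fd);
		if (n < 0) continue; /* EINVAL: legacy file exists but no LSM serves it */
		buf[n] = '\0'; buf[strcspn(buf, "\n")] = '\0';
		return i;
	}
	return -1;
}

/* Self-check on a constructed /proc-like tree for a fabricated pid 1234; with_subdir
 * selects whether attr/apparmor/ exists. Returns the index chosen, or -1. */
int selftest_label_lookup(int with_subdir)
{
	char root[] = "/tmp/aa-procXXXXXX", p[256], label[64] = "";
	const char *dirs[] = { "1234", "1234/attr", "1234/attr/apparmor" };
	if (!mkdtemp(root)) return -1;
	for (int i = 0; i < 2 + with_subdir; i++)
		snprintf(p, sizeof(p), "%s/%s", root, dirs[i]), mkdir(p, 0700);
	snprintf(p, sizeof(p), "%s/1234/attr/%s", root, label_files[!with_subdir]);
	FILE *f = fopen(p, "w");
	if (f) fputs("lxc-container-default (enforce)\n", f), fclose(f);
	int rc = apparmor_label_read(root, "1234", label, sizeof(label));
	if (strcmp(label, "lxc-container-default (enforce)") != 0) rc = -1;
	unlink(p);
	for (int i = 1 + with_subdir; i >= 0; i--)
		snprintf(p, sizeof(p), "%s/%s", root, dirs[i]), rmdir(p);
	rmdir(root);
	return rc;
}
```

Against a real kernel, call `apparmor_label_read("/proc", "self", buf, sizeof(buf))`; a return of 1 means the process is still being served through the legacy interface only.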
Aleksa Sarai
301a5f8e78
apparmor: clean up apparmor_process_label_get
...
Rather than open-coding file reading and retry semantics and
implementing the path generation logic separately to
apparmor_process_label_fd_get, refactor the logic so that it looks
closer to the pidfd version.
This will make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-02-19 20:46:01 +11:00
Stéphane Graber
35a68d6df2
Merge pull request #3681 from brauner/2021-02-18/cgroups
...
cgroups: fixes & bpf rework
2021-02-18 11:52:52 -05:00
Stéphane Graber
599a0c6c9c
Merge pull request #3682 from brauner/2021-02-18/fixes
...
console: fixes
2021-02-18 11:42:17 -05:00
Christian Brauner
f640c8187a
conf: don't log garbage
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 17:08:11 +01:00
Christian Brauner
f3dff08054
start: fix non-daemonized and application containers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 17:01:59 +01:00
Christian Brauner
1dd71c90e8
conf: use saner mode for console
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 17:01:59 +01:00
Christian Brauner
ad755295f1
bpf: simplify bpf (device) program freeing
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 16:26:16 +01:00
Christian Brauner
25903ba9c0
bpf: make bpf_program_cgroup_attach() static
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 16:21:04 +01:00
Christian Brauner
da03dc28e1
bpf: prevent double-close
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 16:13:45 +01:00
Christian Brauner
8c49586f0d
cgroups: use close_equal() and free_equal()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 15:55:24 +01:00
Christian Brauner
284868b249
memory_utils: add close_equal() and free_equal()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 15:52:35 +01:00
Christian Brauner
3d01776c50
lxccontainer: fix reboot logging
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 15:39:27 +01:00
Christian Brauner
0a150695b4
bpf: rework live device cgroup update
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 14:56:01 +01:00
Christian Brauner
fd1cf1b1ab
compiler: fix fallthrough attribute
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 14:42:39 +01:00
Christian Brauner
d202c500d6
bpf: fix return values in bpf_program_cgroup_attach()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 14:42:15 +01:00
Christian Brauner
354d21c491
bpf: let bpf_list_add_device() take the device list directly
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 13:35:03 +01:00
Christian Brauner
7da502de6a
bpf: add and use bpf_cgroup_devices_attach() helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 13:29:26 +01:00
Christian Brauner
928937b114
cgroups: remove compile-time bpf support detection
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 12:42:34 +01:00
Christian Brauner
7fc77b1ae0
bpf: vendor bpf headers
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 12:34:51 +01:00
Christian Brauner
34683e39b9
bpf: handling missing defines
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 12:02:54 +01:00
Christian Brauner
7aec2bd3cd
bpf: rework bpf_program_cgroup_detach()
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:33 +01:00
Christian Brauner
9a2a38b313
commands: rework bpf devices BPF_F_REPLACE codepath
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:33 +01:00
Christian Brauner
c38e5c4fd2
bpf: don't close invalid fd, simply swap
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
281f42afaa
bpf: use __u32 not uint32_t
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
a38a34f888
macro: add swap helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
79bc22bd24
commands: replace bpf program on update
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
934bb475e2
commands: improve bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
413e074bbe
cgroups: improve bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:32 +01:00
Christian Brauner
df1a5345cd
bpf: add helpers for better bpf device program management
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 11:54:20 +01:00
Christian Brauner
e41afad55e
cgroups: improve bpf device program handling
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:51:07 +01:00
Christian Brauner
69885a7656
cgroups: make device cgroups semantics clearer
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:51:07 +01:00
Christian Brauner
0d450efcf2
bpf: enable helpers to let caller replace existing bpf programs
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:50:45 +01:00
Christian Brauner
8828c61a8b
bpf: align struct initialization
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:50:03 +01:00
Christian Brauner
bee6ee17b0
bpf: use return macros
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:50:03 +01:00
Christian Brauner
4b9dc703d2
conf: introduce lxc_bpf_devices_rule_t type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:50:03 +01:00
Christian Brauner
7c37e93740
bpf: use cgroup fd directly instead of paths
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 10:50:03 +01:00
Christian Brauner
7064ee3a92
cgroups: kill monitor_full_path
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 00:39:22 +01:00
Christian Brauner
11e5c6783e
cgroups: free correct path
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-18 00:39:22 +01:00
Christian Brauner
05fe99f3a9
utils: fix print_r() debugging helper
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 23:30:12 +01:00
Christian Brauner
bce04069bc
cgroups: fix error values
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 22:48:56 +01:00
Christian Brauner
2c4348bd1c
cgroups: don't overwrite type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 18:49:20 +01:00
Christian Brauner
bd09ee987d
cgroups: make it extremely obvious that we're transitioning from a flag to a type
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 18:48:58 +01:00
Stéphane Graber
cca7d405fe
Merge pull request #3680 from brauner/2021-02-17/cgroups_2
...
cgroups: fourth batch of cgroup fixes
2021-02-17 12:30:57 -05:00
Christian Brauner
77410c983c
cgroups: create controller directories if missing
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:56:55 +01:00
Christian Brauner
51feb8dbb7
cgroups: use non-flag based checking now that we switched all codepaths over
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:56:55 +01:00
Christian Brauner
9394b6dc97
conf: use brackets to clarify check semantics
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:30:15 +01:00
Christian Brauner
69c296739d
cgroups: validate that only a single cgroup mount type is set
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:30:15 +01:00
Christian Brauner
8186eb8e8a
cgroups: prevent cgroup mount type overwrite
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:30:15 +01:00
Christian Brauner
f1921f351e
cgroups: ensure that cgroup_root is initialized in legacy codepaths
...
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2021-02-17 16:29:56 +01:00