mirror_lxc

mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 14:01:38 +00:00

Author	SHA1	Message	Date
Christian Brauner	ea11a215dc	tree-wide: s/dfd_root_host/dfd_host/g Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:51:26 +01:00
Christian Brauner	ea57e42409	tree-wide: s/mntpt_fd/dfd_mnt/g Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:50:11 +01:00
Christian Brauner	a5a08920ee	tree-wide: s/dev_mntpt_fd/dfd_dev/g Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:50:10 +01:00
Christian Brauner	8ea5110c9c	syscall_wrappers: fix PROTECT_OPEN_W macro Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:49:32 +01:00
Christian Brauner	927ea337a4	conf: restricted fd-only lxc_fill_autodev() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:49:32 +01:00
Christian Brauner	a370f16bcd	conf: start stashing dfd to host's / during container setup Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 19:49:22 +01:00
Christian Brauner	86087bd6bf	conf: fix lxc_setup_dev_console() We were printing garbage on accident. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 18:45:32 +01:00
Christian Brauner	977687db1c	utils: add mount_from_at() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 18:45:32 +01:00
Christian Brauner	7043e2b470	cgroups: restrict open calls in cgroup_attach_create_leaf() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 18:45:32 +01:00
Christian Brauner	6e2078de11	cgroups: improve error handling and logging in cgroup_attach_leaf() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:53 +01:00
Christian Brauner	88c27c5352	cgroups: fix argument vetting in cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:53 +01:00
Christian Brauner	9a57778bb5	attach: fix fallback logic when attaching to cgroups Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:53 +01:00
Christian Brauner	02efd04151	cgroups: switch to fd-based cgroup mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:52 +01:00
Christian Brauner	c689b58ad3	cgroups: restricted fd-only controller mountpoint creation Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:52 +01:00
Christian Brauner	315f8a4e42	cgroups: fix cgroup mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-04 15:59:50 +01:00
Stéphane Graber	dfb71524d7	Merge pull request #3650 from brauner/2021-02-03/fixes_1 conf: harden various mount paths	2021-02-03 17:05:35 -05:00
Christian Brauner	cbc2ddf5b3	utils: harden __safe_mount_beneath_at() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 21:57:44 +01:00
Christian Brauner	952b5031b7	conf: refactor transient procfs mounting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 21:54:52 +01:00
Christian Brauner	ccf5374124	conf: restrict open call in lxc_mount_rootfs() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:58:45 +01:00
Christian Brauner	e1b9d6af00	conf: make lxc_create_tmp_proc_mount() static Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:55:01 +01:00
Christian Brauner	fdb57ab442	conf: coding style Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 20:51:56 +01:00
Stéphane Graber	f8dcf07fd3	Merge pull request #3648 from brauner/2021-02-03/fixes conf: open hardening & fd-only operations	2021-02-03 10:38:50 -05:00
Stéphane Graber	b5e7502996	Merge pull request #3649 from brauner/2021-02-03/attach_via_pidfds attach: attach to namespaces via pidfds	2021-02-03 10:23:53 -05:00
Christian Brauner	9b31ab5859	attach: attach to namespaces via pidfds This is a feature we've enabled in kernel v5.8 and v5.9. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 15:23:56 +01:00
Christian Brauner	a26822c5d2	conf: fd-only devtps setup Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	7f50ec8bd0	conf: fd-only pivot root Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	99ca563299	conf: restrict open for lxc_mount_rootfs() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	79019997c8	conf: fd-only operations in lxc_setup_dev_symlinks() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:52 +01:00
Christian Brauner	814983287e	conf: harden open in lxc_fill_autodev() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	ce011f53d8	conf: restrict open of dev/ Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	fdf7314dc4	conf: remove unnecessary syscall Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:51 +01:00
Christian Brauner	531d36ad00	rexec: mark all fds as close-on-exec if possible Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 11:49:47 +01:00
Christian Brauner	e8aaef8159	syscalls: add close_range() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:45:30 +01:00
Christian Brauner	6b69d7f8cf	rexec: check lseek() return value Not really needed buy ok. Fixes: Coverity: 1472769 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:39:21 +01:00
Christian Brauner	3c981fcb78	tests: check for NULL in device_add_remove Fixes: Coverity 1472768 Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 09:36:23 +01:00
Stéphane Graber	07f89a4faf	Merge pull request #3647 from brauner/2021-02-02/fixes cgroup2: only rely on command socket when getting cgroup values	2021-02-02 18:30:27 -05:00
Christian Brauner	b7aeda9691	cgroups: improve parameter vetting Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-03 00:00:50 +01:00
Christian Brauner	7d013cccf9	tests: support pure unified cgroup layouts in cgpath test Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:52:18 +01:00
Christian Brauner	a4f2435718	test: add logging to device_add_remove Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:40:32 +01:00
Christian Brauner	ea299bfc98	freezer: remove lxc_cmd_freeze() and lxc_cmd_unfreeze() calls We're now handling them better. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:24:28 +01:00
Christian Brauner	9d47970b9b	commands: use __cgroup_unfreeze() directly Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:21:21 +01:00
Christian Brauner	c9c814f4d4	cgroups: export __cgroup_unfreeze() for use in commands Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:21:19 +01:00
Christian Brauner	ae4fcc7b11	cgroups: use lxc_cmd_get_limiting_cgroup2_fd() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:08:04 +01:00
Christian Brauner	6f7f2966b1	commands: add missing lxc_cmd_get_limiting_cgroup2_fd() implementation Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 23:05:56 +01:00
Christian Brauner	44322ead39	cgpath: add logging Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	c5bac50665	attach: explicitly close seccomp notifier fd Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	5ef7547f3d	cgroups: switch back to returning ints Whick makes for easier error checking and fallback code. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	29619d419b	attach: check for ENOCGROUP2 explicitly Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	6b55ce0ed3	cgroups: return ENOCGROUP2 from cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00
Christian Brauner	6407e1c244	cgroups: stricter argument vetting for cgroup_attach() Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>	2021-02-02 22:56:10 +01:00

... 18 19 20 21 22 ...

10927 Commits