Commit Graph

6267 Commits

Author SHA1 Message Date
0x0916
5107af320a seccomp: export the seccomp filter after loading it into the kernel successfully
When the log level is TRACE, this patch exports the seccomp
filter to the log file.

The output of `seccomp_export_pfc()` is human readable, and this feature
is useful for users to make sure their `seccomp configuration file` is
right.

Output for the default Ubuntu container's seccomp filter is the
following:

```
      lxc-start ubuntu 20170520024159.412 INFO     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-cgns
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (304) [priority: 65535]
  if ($syscall == 304)
    action ERRNO(1);
  # filter for syscall "kexec_load" (246) [priority: 65535]
  if ($syscall == 246)
    action ERRNO(1);
  # filter for syscall "delete_module" (176) [priority: 65535]
  if ($syscall == 176)
    action ERRNO(1);
  # filter for syscall "init_module" (175) [priority: 65535]
  if ($syscall == 175)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 1073741827)
  # filter for syscall "finit_module" (350) [priority: 65535]
  if ($syscall == 350)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (342) [priority: 65535]
  if ($syscall == 342)
    action ERRNO(1);
  # filter for syscall "kexec_load" (283) [priority: 65535]
  if ($syscall == 283)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # filter for syscall "finit_module" (1073742137) [priority: 65535]
  if ($syscall == 1073742137)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
  if ($syscall == 1073742128)
    action ERRNO(1);
  # filter for syscall "delete_module" (1073742000) [priority: 65535]
  if ($syscall == 1073742000)
    action ERRNO(1);
  # filter for syscall "init_module" (1073741999) [priority: 65535]
  if ($syscall == 1073741999)
    action ERRNO(1);
  # filter for syscall "umount2" (1073741990) [priority: 65534]
  if ($syscall == 1073741990)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
action KILL;
      lxc-start ubuntu 20170520024159.412 NOTICE   lxc_start - start.c:start:1470 - Exec'ing "/sbin/init".
```

Signed-off-by: 0x0916 <w@laoqinren.net>
2017-06-06 09:45:31 +08:00
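An added example, not part of this commit or of LXC's own code: a small Python parser for the PFC text that `seccomp_export_pfc()` writes, in the shape shown in the log above, followed by a check that the exported filter really refuses a given set of syscalls, which is the "make sure the configuration is right" use the commit describes. It assumes only the layout visible above (one `if ($arch == N)` block per architecture, `# filter for syscall` comments, nested `if ($aN ...)` argument tests, a closing `# default action`, and a top-level action for any architecture without a block). It reads the two blocks with `$arch == 3221225534` as x86_64 and x32: libseccomp prints the same AUDIT_ARCH token for both, and the x32 block is recognisable because every syscall number in it carries the x32 syscall bit (0x40000000; 1073741990 is 166 + 0x40000000, the x86_64 number of umount2). The embedded sample is a constructed, cut-down copy of the output above with the i386 module-loading rules removed so the check has something to report; `check_policy` and its expectations are this example's own, not an LXC or libseccomp API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AUDIT_ARCH_* tokens as printed in PFC; x32 reuses the x86_64 token but its syscall numbers carry __X32_SYSCALL_BIT.
ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386"}
X32_SYSCALL_BIT = 0x40000000
ARCH_RE = re.compile(r'if \(\$arch == (\d+)\)')
FILTER_RE = re.compile(r'# filter for syscall "([^"]+)" \((\d+)\) \[priority: \d+\]')
SYSCALL_RE = re.compile(r'if \(\$syscall == (\d+)\)')
COND_RE = re.compile(r'if \((\$a\d+.*)\)')
ACTION_RE = re.compile(r'action (\w+(?:\([^)]*\))?);')

@dataclass
class Rule:
    nr: int
    action: str                                          # "ERRNO(1)", "ALLOW", ...
    conditions: List[str] = field(default_factory=list)  # argument tests, outermost first

@dataclass
class ArchFilter:
    rules: Dict[str, Rule]        # syscall name -> rule
    default_action: str

def parse_pfc(text: str) -> Tuple[Dict[str, ArchFilter], Optional[str]]:
    """Return ({arch: ArchFilter}, action for an arch with no block); log lines are skipped."""
    arches, bad_arch = {}, None
    token, rules, pending, cur, conds, in_default = None, {}, None, None, [], False
    for raw in text.splitlines():
        s = raw.strip()
        act = ACTION_RE.fullmatch(s)
        if (m := ARCH_RE.fullmatch(s)):
            token, rules, pending, cur, conds, in_default = int(m.group(1)), {}, None, None, [], False
        elif token is None:                         # outside any block only the fallthrough counts
            bad_arch = act.group(1) if act else bad_arch
        elif (m := FILTER_RE.fullmatch(s)):
            pending = (m.group(1), int(m.group(2)))
        elif s == "# default action":
            in_default, cur = True, None
        elif (m := SYSCALL_RE.fullmatch(s)) and pending and int(m.group(1)) == pending[1]:
            cur, conds = pending, []
        elif (m := COND_RE.fullmatch(s)) and cur:
            conds.append(m.group(1))
        elif act and in_default:                    # the default action closes the block
            name = ARCH_NAMES.get(token, hex(token))
            if name == "x86_64" and rules and all(r.nr & X32_SYSCALL_BIT for r in rules.values()):
                name = "x32"
            arches[name] = ArchFilter(rules, act.group(1))
            token = None
        elif act and cur:
            rules[cur[0]] = Rule(cur[1], act.group(1), conds)
            cur, conds = None, []
    return arches, bad_arch

def check_policy(arches: Dict[str, ArchFilter], bad_arch: Optional[str],
                 must_deny: Dict[str, int], want_arches: List[str]) -> List[str]:
    # Every way the filter falls short of "each listed syscall fails with that errno, unconditionally, on each arch".
    problems = []
    for arch in want_arches:
        af = arches.get(arch)
        if af is None:
            problems.append(f"{arch}: no filter block")
            continue
        for name, errno in must_deny.items():
            rule = af.rules.get(name)
            if rule is None:
                problems.append(f"{arch}: {name} unfiltered, default {af.default_action}")
            elif rule.conditions or rule.action != f"ERRNO({errno})":
                problems.append(f"{arch}: {name} -> {rule.action} under {rule.conditions}")
    if bad_arch != "KILL":
        problems.append(f"unlisted arch -> {bad_arch}, expected KILL")
    return problems

# Constructed sample: the output above cut down to a few rules, with the i386
# module-loading rules left out so the check has something to report.
PFC_SAMPLE = """\
      lxc-start ubuntu 20170520024159.412 INFO     lxc_apparmor - changed apparmor profile
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
if ($arch == 1073741827)
  # default action
  action ALLOW;
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # default action
  action ALLOW;
action KILL;
"""
```

Run `check_policy(*parse_pfc(text), {"init_module": 1, "finit_module": 1, "kexec_load": 1}, ["x86_64", "i386", "x32"])` over a real TRACE log to get an empty list when the module-loading syscalls are blocked on every ABI the container can reach; a conditional rule (like umount2 above, which only fails with EACCES when MNT_FORCE is set) is reported rather than silently accepted, since the point of the check is that the denial is unconditional.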
Stéphane Graber
9795e880ae Merge pull request #1613 from brauner/2017-06-03/af_unix
abstract lxc_abstract_unix_{send,recv}_fd, bugfixes, and improvements
2017-06-05 19:52:46 -04:00
Christian Brauner
5b8819a714
lxc-opensuse: add Tumbleweed as supported release
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-06 01:40:08 +02:00
Stéphane Graber
3b01115569 Merge pull request #1611 from brauner/2017-06-02/enforce_config_item_method_implementation
tests: enforce all methods for config items being implemented
2017-06-05 19:30:00 -04:00
Christian Brauner
a394f952cd
conf: fix bionic builds
bionic seems to lack a definition of __S_ISTYPE().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 23:44:22 +02:00
Christian Brauner
6e50e70437
conf: improve lxc_map_ids()
Closes https://github.com/lxc/lxd/issues/3384.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 23:44:11 +02:00
Christian Brauner
54117de569
conf: improve tty shifting function
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 19:17:11 +02:00
Christian Brauner
a5b18cb1b1
bdev: record output from mkfs.*
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 19:17:11 +02:00
Christian Brauner
493de765bb
bdev: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 19:17:11 +02:00
Christian Brauner
b9986e437b
doc: tweak lxc.container.conf a little
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-05 19:17:10 +02:00
Christian Brauner
7e009d5207
bdev: "detect" loop file
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-04 18:02:50 +02:00
Christian Brauner
9aa76a172c
conf: remove dead mount code
The removed codepath has been non-functional for a long time now. All mounting is
handled through bdev.{c,h} and if that fails the other codepath would
necessarily fail as well. So let's remove them. This makes it way clearer what
is going on and simplifies things massively.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-04 13:25:23 +02:00
Christian Brauner
ae467c546b
af_unix: abstract lxc_abstract_unix_{send,recv}_fd
- Enable lxc_abstract_unix_{send,recv}_fd() to send and receive multiple fds at
  once.
- lxc_abstract_unix_{send,recv}_fd() -> lxc_abstract_unix_{send,recv}_fds()
- Send tty fds from child to parent all at once.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-04 08:08:41 +02:00
Stéphane Graber
beda39ebbd Merge pull request #1612 from brauner/2017-06-03/bugfixes
idmapping bugfixes
2017-06-03 19:13:11 -04:00
Christian Brauner
c9b7c33ed0
tree-wide: log function called in userns_exec_1()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 23:35:07 +02:00
Christian Brauner
1d90e06436
conf: avoid double-frees in userns_exec_1()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 22:05:27 +02:00
Christian Brauner
b0ee598357
conf: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 22:05:27 +02:00
Christian Brauner
f07fa8df6e
start: log sending and receiving of tty fds
This is a potentially security sensitive operation and I really want to keep an
eye on *when exactly* this is sent. So add more logging on the TRACE() level.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 22:05:04 +02:00
Stéphane Graber
ff3381e14a Merge pull request #1609 from brauner/2017-06-01/unit_test_idmap_parser
unit test idmap parser + userns_exec_1() rework
2017-06-02 20:43:38 -04:00
Christian Brauner
6002524466 Merge pull request #1608 from ss1h2a3tw/checkconfig
add probe status checking
2017-06-02 17:21:16 -06:00
Christian Brauner
28a2d9e76d
conf: rework userns_exec_1()
This also fixes a bug where we caused a double mapping, when the {u,g}id for
the user was mapped to container root {g,u}id.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 00:41:59 +02:00
Christian Brauner
339efad99e
conf: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 00:41:57 +02:00
Christian Brauner
77803ee7a6
tests: add unit tests for idmap parser
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 00:41:56 +02:00
Christian Brauner
0b843d358a
confile_utils: add new file
This adds confile_utils.{c,h} which will contain helpers to parse lxc
configuration files.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-03 00:41:54 +02:00
Shane Chen
59d7470770 add probe status checking
Signed-off-by: Shane Chen <ss1ha3tw@gmail.com>
2017-06-02 13:31:55 +08:00
Christian Brauner
c04f651ede
tests: enforce all methods for config items
This adds a test that checks LXC's configuration jump table for whether all methods
for a given configuration item are implemented. If they are not, we'll error out.
This should provide additional safety since a) the API can now be sure that
dereferencing the pointer for a given method in the config struct is safe and
b) when users implement new configuration keys and forget to implement a
required method we'll see it right away.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-02 02:48:20 +02:00
Christian Brauner
a3c8e60080
confile: add dummy getter for lxc.include
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-02 02:42:19 +02:00
Serge Hallyn
a9849a0685 Merge pull request #1592 from brauner/2017-05-28/idmap_handling
idmap improvements
2017-06-01 17:29:55 -05:00
Serge Hallyn
ca3592eb15 Merge pull request #1599 from brauner/2017-05-30/use_minimal_idmap_set
conf: use minimal {g,u}id map
2017-06-01 17:12:58 -05:00
Christian Brauner
f8aa4bf308
conf: use minimal {g,u}id map
Afaict, userns_exec_1() is only used to operate based on privileges for the
user's own {g,u}id on the host and for the container root's unmapped {g,u}id.
This means we require only to establish a mapping from:
- the container root {g,u}id as seen from the host -> user's host {g,u}id
- the container root -> some sub{g,u}id

The former we add, if the user did not specify a mapping. The latter we
retrieve from the container's configured {g,u}id mappings.

Closes #1598.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-01 23:54:47 +02:00
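An added example, not LXC's code, for this commit and for the idmap parser unit tests in 77803ee7a6: a parser for the value of one `lxc.idmap` entry, an overlap check of the kind that catches the double mapping fixed in 28a2d9e76d (the same host id, or the same container id, appearing in two entries of one type), and id translation in both directions. It assumes the `u|g <nsid> <hostid> <range>` syntax of `lxc.idmap`, 32-bit ids with (uid_t)-1 reserved as the invalid id, and the kernel's refusal of a uid_map/gid_map whose entries overlap on either the container side or the host side; the sample map is constructed and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

INVALID_ID = 2**32 - 1   # ids are 32-bit; (uid_t)-1 is the reserved invalid id

@dataclass(frozen=True)
class IdMap:
    idtype: str   # "u" or "g"
    nsid: int     # first id inside the container
    hostid: int   # first host id it maps to
    range: int    # number of consecutive ids

def parse_idmap(value: str) -> IdMap:
    """Parse the value part of one lxc.idmap line; raise ValueError on anything malformed."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {value!r}")
    idtype, *nums = parts
    if idtype not in ("u", "g"):
        raise ValueError(f"id type must be 'u' or 'g': {value!r}")
    if not all(n.isdigit() for n in nums):
        raise ValueError(f"ids and range must be non-negative integers: {value!r}")
    nsid, hostid, rng = (int(n) for n in nums)
    if rng < 1 or nsid + rng > INVALID_ID or hostid + rng > INVALID_ID:
        raise ValueError(f"empty range or ids past the 32-bit limit: {value!r}")
    return IdMap(idtype, nsid, hostid, rng)

def rejects(value: str) -> bool:
    """True if parse_idmap() refuses the value (used to exercise the error paths)."""
    try:
        parse_idmap(value)
    except ValueError:
        return True
    return False

def _overlap(a: int, alen: int, b: int, blen: int) -> bool:
    return a < b + blen and b < a + alen

def check_idmaps(maps: List[IdMap]) -> List[str]:
    """Entries of one id type that overlap on the container side or the host side.
    The kernel rejects a uid_map/gid_map write containing either, so a map with
    these problems fails at setup instead of producing a usable container."""
    problems = []
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            if a.idtype != b.idtype:
                continue
            if _overlap(a.nsid, a.range, b.nsid, b.range):
                problems.append(f"{a.idtype}: ns ids mapped twice: {a} / {b}")
            if _overlap(a.hostid, a.range, b.hostid, b.range):
                problems.append(f"{a.idtype}: host ids mapped twice: {a} / {b}")
    return problems

def ns_to_host(maps: List[IdMap], idtype: str, nsid: int) -> Optional[int]:
    """Host id a container id lands on, or None if the container id is unmapped."""
    for m in maps:
        if m.idtype == idtype and m.nsid <= nsid < m.nsid + m.range:
            return m.hostid + (nsid - m.nsid)
    return None

def host_to_ns(maps: List[IdMap], idtype: str, hostid: int) -> Optional[int]:
    """Container id a host id appears as, or None if the container cannot see it as an owner."""
    for m in maps:
        if m.idtype == idtype and m.hostid <= hostid < m.hostid + m.range:
            return m.nsid + (hostid - m.hostid)
    return None

# Constructed sample: a typical unprivileged container map, plus a variant that
# maps container root a second time and therefore overlaps on both sides.
CONTAINER_MAP = [parse_idmap("u 0 100000 65536"), parse_idmap("g 0 100000 65536")]
DOUBLE_MAPPED = CONTAINER_MAP + [parse_idmap("u 0 100000 1")]
```

`check_idmaps` on the full set of entries a helper namespace will be given is the cheap way to catch the double mapping before the write to `uid_map` fails: run it over the container's own entries plus whatever extra entries are added for the caller's host id, and refuse to proceed if it returns anything.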
Serge Hallyn
493c623619 Merge pull request #1596 from brauner/2017-05-29/fix_parsing
confile: fix parsing
2017-06-01 16:17:11 -05:00
Christian Brauner
1573a51475 Merge pull request #1607 from ss1h2a3tw/master
adding warning for mtu ignoring
2017-06-01 20:25:09 +10:00
Shane Chen
72ccbbe1aa adding warning for mtu ignoring
Signed-off-by: Shane Chen <ss1ha3tw@gmail.com>
2017-06-01 14:22:39 +08:00
Christian Brauner
ae4ad10d18
tests: comp retval to exp val whenever we can
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-01 04:10:00 +02:00
Christian Brauner
a182feaebd
confile: performance tweaks
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-06-01 04:09:43 +02:00
Christian Brauner
03931c9e18 Merge pull request #1605 from decomposite/systemd_unit_stop
Use lxc-stop to stop systemd service
2017-06-01 08:40:40 +10:00
JD Friedrikson
c08d29b6d1
Use lxc-stop to stop systemd service
Ever since 8eb62c2, systemd has not been able to cleanly stop lxc
containers (via lxc@) because it's still using SIGPWR for systemd-based
containers.

We should now use the nice logic in 330ae3d to stop the containers
instead.

Signed-off-by: JD Friedrikson <yours@decompo.site>
2017-05-31 18:04:37 -04:00
Stéphane Graber
bf3e9c154e Merge pull request #1601 from brauner/2017-05-30/veth_fixes
network: don't delete net devs we didn't create
2017-05-31 13:17:36 -04:00
Christian Brauner
6afd673f2e
lxccontainer: switch api to new clearer callbacks
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:59:29 +02:00
Christian Brauner
973082f566
confile: add clearer for lxc.include
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:45:51 +02:00
Christian Brauner
fdf3c5896e
confile: add clearer for lxc.include
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:50 +02:00
Christian Brauner
715ccc969c
confile: add clearer for lxc.limit{.*}
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:50 +02:00
Christian Brauner
b98c5ab00d
confile: add clearer for lxc.no_new_privs
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:50 +02:00
Christian Brauner
59e370db1f
confile: add clearer for lxc.ephemeral
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:50 +02:00
Christian Brauner
1044b247c4
confile: add clearer for lxc.init_gid
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:49 +02:00
Christian Brauner
ec76dcfb4b
confile: add clearer for lxc.init_uid
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:49 +02:00
Christian Brauner
8e90af3ecb
confile: add clearer for lxc.init_cmd
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:49 +02:00
Christian Brauner
832fb63a0b
confile: add clearer for lxc.environment
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:44:49 +02:00
Christian Brauner
4850d2237e
confile: add clearer for lxc.group
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:25:23 +02:00
Christian Brauner
adad12caa7
confile: add clearer for lxc.monitor.unshare
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
2017-05-31 18:22:27 +02:00