Commit Graph

177 Commits

Author SHA1 Message Date
Christian Brauner
bca94305af
tests: add test for PR_SET_NO_NEW_PRIVS
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
2016-09-06 15:58:52 +02:00
Christian Brauner
83319023ca
tests: add lxc.syslog tests to get_item
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-05 00:36:35 +02:00
Christian Brauner
d479e1f70e
tests: fix get_item tests
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-09-05 00:07:08 +02:00
Christian Brauner
0377ef65b4
autotools: fix tests
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-16 01:42:38 +02:00
Christian Brauner
29c57e4ef6
tests: add unit tests for lxc_string_in_array()
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-15 18:27:56 +02:00
Christian Brauner
bed0d08fe7 tests: add unit tests for lxc_string_replace()
Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-08-14 23:15:31 +02:00
Christian Brauner
ca1e6c0227
tools, tests: reorganize repo
- tools: move lxc commands to common subfolder
- tests: adapt include search path

Signed-off-by: Christian Brauner <cbrauner@suse.de>
2016-07-31 13:01:03 +02:00
Christian Brauner
804bd6e32f only execute last test when we are a pty
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-04-13 16:54:15 +02:00
Christian Brauner
e96e50345b adapt lxc-attach tests & add test for pty logging
The current tests for lxc-attach pty allocation and I/O redirection rely on the
standard file descriptors of the test script to refer to a pty. If they do not
the tests are effectively useless with respect to pty allocation. We need a test
environment with the standard file descriptors refering to a pty as well. One
solution is to run this test under the script command.

This commit also adds a test whether pty logging works. This test is only
executed when all standard file descriptors refer to a pty.

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-04-10 23:06:24 +02:00
Serge Hallyn
9ec45e7faa cgroups: try to load cgmanager first
If cgmanager is running, use it.  This allows the admin to simply
stop cgmanager if they don't want to use it.  The other way there
is no way to choose to use cgmanager.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-03-16 16:33:03 -07:00
Serge Hallyn
8aa1044fd8 implement lxc.mount.auto = cgroup for cgfsng
Also add testcase for each of the cgroup{,-full}:{rw,ro,mixed} cases.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-03-16 15:55:19 -07:00
Christian Brauner
172d397e6f lxc-attach: update and improve tests
Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-03-09 15:56:20 +01:00
Serge Hallyn
177f793ae0 tests: set clone_children if need be
Lxc only sets it on /lxc, not on /.

It's conceivable that we should really re-set this to the original
value, to prevent making later tests not fail when they should.  I
didn't do that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-03-08 13:44:38 -08:00
Christian Brauner
8d1ea53785 tests: add lxc-test-attach-test
Test if the various types of I/O redirection work with lxc-attach.

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-03-05 00:50:34 +01:00
Serge Hallyn
a17d94a593 lxc-test-unpriv: try to start the container a second time
We have nothing else testing this, and it was a real regression in lp
bug 1552355.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-03-02 16:17:17 -08:00
Christian Brauner
d0a6bd3940 configure.ac: add --enable-deprecated flag
- lxc-clone and lxc-start-ephemeral are marked deprecated. We add a
  --enable-deprecated flag to configure.ac allowing us to enable these
  deprecated executables
- update tests to use lxc-copy instead of lxc-clone

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
2016-02-24 21:07:26 +01:00
Serge Hallyn
f58236fd70 update tests to recognize cgns profile
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-21 21:09:42 -08:00
Serge Hallyn
615af4ac3a lxc-test-usernic: update to reflect new lxc-test-usernic arguments
the new lxcpath and lxcname are not optional

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-01-28 18:08:50 +01:00
Stéphane Graber
6a5640665c Update get_item test after the lxc.mount.entry fix
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-12-09 23:54:28 -05:00
Serge Hallyn
13cea07dcd lxc-test-symlink: add a test using absolute symlink
This would have caught the regression last night.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-10-05 11:49:05 +01:00
Serge Hallyn
592fd47a62 CVE-2015-1335: Protect container mounts against symlinks
When a container starts up, lxc sets up the container's inital fstree
by doing a bunch of mounting, guided by the container configuration
file.  The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries.  However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links.  This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.

To prevent this,

1. do not allow mounts to paths containing symbolic links

2. do not allow bind mounts from relative paths containing symbolic
links.

Details:

Define safe_mount which ensures that the container has not inserted any
symbolic links into any mount targets for mounts to be done during
container setup.

The host's mount path may contain symbolic links.  As it is under the
control of the administrator, that's ok.  So safe_mount begins the check
for symbolic links after the rootfs->mount, by opening that directory.

It opens each directory along the path using openat() relative to the
parent directory using O_NOFOLLOW.  When the target is reached, it
mounts onto /proc/self/fd/<targetfd>.

Use safe_mount() in mount_entry(), when mounting container proc,
and when needed.  In particular, safe_mount() need not be used in
any case where:

1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
   just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.

Update the lxc.container.conf manpage with details about the new
restrictions.

Finally, add a testcase to test some symbolic link possibilities.

Reported-by: Roman Fiedler
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-29 09:52:55 -04:00
Stéphane Graber
d028235de9
Fix indentation
I've noticed that a bunch of the code we've included over the past few
weeks has been using 8-spaces rather than tabs, making it all very hard
to read depending on your tabstop setting.

This commit attempts to revert all of that back to proper tabs and fix a
few more cases I've noticed here and there.

No functional changes are included in this commit.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 16:25:47 -04:00
Serge Hallyn
c4532a2036 Add tests for snapshot clone dependencies
Test edge cases (removing first and last entries in lxc_snapshots and the very
last snapshot) and make sure original container isn't destroyed while there are
snapshots, and is when there are none.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-09-21 11:35:32 -04:00
Stéphane Graber
c804bedf8b Merge pull request #585 from ptoomey3/lxc-execute-as-user
Add support for specified UID/GID for lxc-execute in a private user namespace
2015-08-28 11:23:13 -04:00
Patrick Toomey
68d18db8d8 Add support for get_config_item and set_config_item
Signed-off-by: Patrick Toomey <ptoomey3@biasedcoin.com>
2015-08-28 08:25:33 -06:00
Serge Hallyn
72cf81f6a3 CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-07-22 10:09:09 -04:00
Laurence Rowe
da0e298c67 Wait on correct container name
Signed-off-by: Laurence Rowe <l@lrowe.co.uk>
2015-06-08 14:43:24 -07:00
Serge Hallyn
fad5004627 lxc-test-apparmor: flush the pipe before exiting child
to make sure the parent's read returns.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-04-06 12:12:10 -04:00
Arjun Sreedharan
ea7e3744e7 concurrent: check realloc() rc and exit on failure
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-04-06 12:12:10 -04:00
Stéphane Graber
8d19ce7b9f Only use clear_config_item for lists
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2015-01-28 09:15:43 +01:00
Patrick O'Leary
46cd28455f replace deprecated index with strchr
The `index` libc function was removed in POSIX 2008, and `strchr` is a direct
replacement. The bionic (Android) libc has removed `index` when you are
compiling for a 64-bit architecture, such as AArch64.

Signed-off-by: Patrick O'Leary <patrick.oleary@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-01-24 23:43:29 -05:00
Serge Hallyn
e6744e9b39 update hwaddr to fill in xx at create time
Commit 67702c21 regressed the case where lxc-create use a config
file with 'xx:xx' in lxc.network.hwaddr, so that the 'xx' were
preserved in the container's configuration file.  Expand those
in the unexpanded_config file whenever we are reading a
config file which is not coming from a 'lxc.include'.

The config file will have \n-terminated lines, so update
rand_complete_hwaddr to also stop on \n.

Add a test case to make sure xx gets expanded at lxc-create.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2015-01-20 16:40:27 -05:00
Serge Hallyn
d2f31a576b containertests: don't expect NULL lxc_conf
Because we never have that any more

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-01-12 22:24:26 -06:00
Arjun Sreedharan
21e624d9cf tests: try again when waitpid() sets errno as EINTR
when waitpid() is interrupted, errno is not set to the negative
value -EINTR. It is set to EINTR. check against EINTR.

Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-12-04 11:48:00 -05:00
Sergio Jimenez
9eaf8a596e Fixed mismatch on ipvX gateway
Signed-off-by: Sergio Jimenez <tripledes@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-27 17:42:11 -04:00
Serge Hallyn
efdca59e49 lxc-test-apparmor-mount: don't clear out /etc/lxc/lxc-usernet
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-09 12:15:14 -05:00
Serge Hallyn
e2ef635e68 lxc-test-unpriv: test for different cgroups per subsystem
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-09 11:24:37 -05:00
Serge Hallyn
9a64d3cf9f lxc-test-unpriv: don't clear out /etc/lxc/lxc-usernet
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-10-08 11:31:52 -05:00
Stéphane Graber
2ba5eb93b8
tests: Fix unpriv test
Don't use $TUSER as it's not defined. Also don't include
lxc-test-usernic in extra_DIST.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-10-02 14:59:35 -04:00
Stéphane Graber
42e5c9878f
Fix the unprivileged tests cgroup management
To cover all the cases we have around, we need to:
 - Attempt to use cgm if present (preferred)
 - Attempt to use cgmanager directly over dbus otherwise
 - Fallback to cgroupfs

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-09-22 18:08:49 -04:00
Serge Hallyn
7aff4f43fd apparmor: improve behavior when kernel lacks mount restrictions (v2)
(Dwight, I took the liberty of adding your Ack but the code did
change a bit to continue passing the char *label from attach.
Tested that "lxc-start -n u1 -s lxc.aa_profile=p2; lxc-attach -n u1"
does attach you to the p2 profile)

Apparmor policies require mount restrictions to fullfill many of
their promises - for instance if proc can be mounted anywhere,
then 'deny /proc/sysrq-trigger w' prevents only accidents, not
malice.

The mount restrictions are not available in the upstream kernel.
We can detect their presence through /sys.  In the past, when
we detected it missing, we would not enable apparmor.  But that
prevents apparmor from helping to prevent accidents.

At the same time, if the user accidentaly boots a kernel which
has regressed, we do not want them starting the container thinking
they are more protected than they are.

This patch:

1. adds a lxc.aa_allow_incomplete = 1 container config flag.  If
not set, then any container which is not set to run unconfined
will refuse to run.   If set, then the container will run with
apparmor protection.

2. to pass this flag to the apparmor driver, we pass the container
configuration (lxc_conf) to the lsm_label_set hook.

3. add a testcase.  To test the case were a kernel does not
provide mount restrictions, we mount an empty directory over
the /sys/kernel/security/apparmor/features/mount directory.  In
order to have that not be unmounted in a new namespace, we must
test using unprivileged containers (who cannot remove bind mounts
which hide existing mount contents).

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Dwight Engen <dwight.engen@oracle.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-09-22 17:28:27 -04:00
Tycho Andersen
d48d22299d tests: require criu >= 1.3.1 for criu test
CRIU 1.3 has a pretty crippling deadlock which will cause dumping containers to
fail fairly often. This is fixed in criu 1.3.1, so we shouldn't run the tests
on anything less than that.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-09-19 17:06:44 -04:00
Tycho Andersen
5f845c928a Allow criu >= 1.3 in c/r test
criu version 1.3 has been tagged, which has the minimal set of patches to allow
checkpointing and restoring containers. lxc-test-checkpoint-restore is now
skipped on any version of criu lower than 1.3.

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-09-19 17:00:07 -04:00
Serge Hallyn
67702c2129 config: fix the handling of lxc.hook and hwaddrs in unexpanded config
And add a testcase.

The code to update hwaddrs in a clone was walking through the container
configuration and re-printing all network entries.  However network
entries from an include file which should not be printed out were being
added to the unexpanded config.  With this patch, at clone we simply
update the hwaddr in-place in the unexpanded configuration file, making
sure to make the same update to the expanded network configuration.

The code to update out lxc.hook statements had the same problem.
We also update it in-place in the unexpanded configuration, though
we mirror the logic we use when updating the expanded configuration.
(Perhaps that should be changed, to simplify future updates)

This code isn't particularly easy to review, so testcases are added
to make sure that (1) extra lxc.network entries are not added (or
removed), even if they are present in an included file, (2) lxc.hook
entries are not added, (3) hwaddr entries are updated, and (4)
the lxc.hook entries are properly updated (only when they should be).

Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-09-19 16:54:33 -04:00
Stéphane Graber
188adf0594
Fix build failure due to wrong test name
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-26 11:10:52 -04:00
Tycho Andersen
735f2c6e50 Add support for checkpoint and restore via CRIU
This patch adds support for checkpointing and restoring containers via CRIU.
It adds two api calls, ->checkpoint and ->restore, which are wrappers around
the CRIU CLI. CRIU has an RPC API, but reasons for preferring exec() are
discussed in [1].

To checkpoint, users specify a directory to dump the container metadata (CRIU
dump files, plus some additional information about veth pairs and which
bridges they are attached to) into this directory. On restore, this
information is read out of the directory, a CRIU command line is constructed,
and CRIU is exec()d. CRIU uses the lxc-restore-net callback (which in turn
inspects the image directory with the NIC data) to properly restore the
network.

This will only work with the current git master of CRIU; anything as of
a152c843 should work. There is a known bug where containers which have been
restored cannot be checkpointed [2].

[1]: http://lists.openvz.org/pipermail/criu/2014-July/015117.html
[2]: http://lists.openvz.org/pipermail/criu/2014-August/015876.html

v2: fixed some problems with the s/int/bool return code form api function
v3: added a testcase, fixed up the man page synopsis
v4: fix a small typo in lxc-test-checkpoint-restore
v5: remove a reference to the old CRIU_PATH, and a bad error about the same

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-26 10:40:05 -04:00
Stéphane Graber
57221f67fe tests: Copy the download cache when available [v2]
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
2014-08-25 16:59:26 -04:00
Stéphane Graber
c6b861ba64
tests: Call sync before testing a shutdown
This should avoid tests failure when the machine running the tests has
either very slow disks or a lot of data waiting to be flushed.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-18 00:00:59 -04:00
Serge Hallyn
3ad30ff74f lxc-test-unpriv: test lxc-clone -s
This would have caught a regression in Ubuntu's 3.16 kernel.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2014-08-15 21:03:16 -04:00
Serge Hallyn
79d88b03ed lxc-test-{unpriv,usernic.in}: make sure to chgrp as well
These tests are failing on new kernels because the container root is
not privileged over the directories, since privilege no requires
the group being mapped into the container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-07-17 16:02:06 -05:00