- When we detect that the container we want to attach to has been started with
PR_SET_NO_NEW_PRIVS we attach with PR_SET_NO_NEW_PRIVS as well. (We might
relax this restriction later but let's be strict for now.)
- When LXC_ATTACH_NO_NEW_PRIVS is set in the flags passed to
lxc_attach()/attach_child_main() then we set PR_SET_NO_NEW_PRIVS irrespective
of whether the container was started with PR_SET_NO_NEW_PRIVS or not.
- Set no_new_privs before lsm and seccomp. We probably don't want attach() to
be able to change the lsm or seccomp policy if the container was started with
PR_SET_NO_NEW_PRIVS enabled.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
Set no_new_privs after setting the lsm label. If we do set it before we aren't
allowed to change the label anymore.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>
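The two commits above describe a small policy: detect whether the target process already runs with no_new_privs, decide whether the attaching process must set it too, and set it only after the LSM label transition but before seccomp. The following C program is an added illustration of that flow, not LXC's own code; ATTACH_NO_NEW_PRIVS is an assumed stand-in for LXC_ATTACH_NO_NEW_PRIVS, the function names are hypothetical, and it relies on Linux /proc and prctl(2).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/types.h>

/* Assumed stand-in for LXC's LXC_ATTACH_NO_NEW_PRIVS attach flag. */
#define ATTACH_NO_NEW_PRIVS (1u << 0)

/* Parse the "NoNewPrivs:" field from the text of /proc/<pid>/status.
 * Returns 1 if the bit is set, 0 if clear, -1 if the field is absent
 * (kernels before 3.5 do not export it) or malformed. */
int parse_no_new_privs(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "NoNewPrivs:", 11) == 0) {
            int v;
            if (sscanf(p + 11, "%d", &v) == 1 && (v == 0 || v == 1))
                return v;
            return -1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return -1;
}

/* Detection step: read the bit for an arbitrary pid, e.g. the container's
 * init, before deciding how to attach. */
int pid_no_new_privs(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof(path), "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_no_new_privs(buf);
}

/* Policy from the commit message: mirror the target if it already has the
 * bit, or honour an explicit request from the caller. */
int attach_wants_no_new_privs(int target_flag, unsigned int attach_flags)
{
    return target_flag == 1 || (attach_flags & ATTACH_NO_NEW_PRIVS) != 0;
}

/* Ordering matters: call this AFTER any LSM label change (the kernel refuses
 * further label transitions once the bit is set) and BEFORE loading a seccomp
 * filter (unprivileged seccomp requires it). The bit cannot be cleared again
 * for the lifetime of this process. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

int main(void)
{
    int self = pid_no_new_privs(getpid());
    printf("NoNewPrivs before: %d\n", self);
    if (attach_wants_no_new_privs(self, ATTACH_NO_NEW_PRIVS) && set_no_new_privs() == 0)
        printf("NoNewPrivs after:  %d\n", pid_no_new_privs(getpid()));
    return 0;
}
```

A quick check after attaching is to read `NoNewPrivs:` from `/proc/<pid>/status` of the attached process; if the target had it set and the attached process does not, the attach path ran the steps in the wrong order or skipped the prctl.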
Incorrect quoting introduced in bf39edb caused a /{lib,etc} folder to
appear in Debian templates
The very next line:
mkdir -p "${rootfs}/etc/systemd/system/getty.target.wants
makes creating ${rootfs}/etc/systemd/system/ unnecessary in the first
place
Signed-off-by: Maxime Besson <maxime.besson@smile.fr>
Given commit 330ae3d350:
lxccontainer: detect if we should send SIGRTMIN+3
This is required by systemd to cleanly shutdown. Other init systems should not
have SIGRTMIN+3 in the blocked signals set.
we should stop symlinking halt.target to sigpwr.target for systemd.
Signed-off-by: Christian Brauner <cbrauner@suse.de>
Otherwise the generated docs have the full build path in them
and nobody cares that the files were built in
/build/lxc-_BVY2u/lxc-2.0.4/src/lxc/
Signed-off-by: Evgeni Golov <evgeni@debian.org>
Previously, we wrote a "success" status but tried to parse the pid. This
meant that we wouldn't notice a successful restore but failure to parse the
pid, which was a little strange.
We still don't know the child pid, so we will end up with a restored
process tree and a running container, but at least in this case the API
will return false indicating that something failed.
We could kill(-1, 9) in this case, but since liblxc runs as root sometimes
(e.g. LXD), that would be a Very Bad Thing.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
All we really needed a unique temp file for was passing the pid. Since CRIU
opened this with O_EXCL | O_CREAT, this was "safe" (users could still
overwrite it afterwards, but the monitor would immediately die since the
only valid number in there was the init process).
In any case, we can just read /proc/self/tid/children, which lists the
child process.
Closes #1150
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
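The commit above replaces a temp file that the restored process wrote its pid into (and that anyone with write access could overwrite afterwards) with the kernel-maintained per-thread children list, /proc/self/task/<tid>/children. The program below is an added illustration of reading that list and is not LXC's code: the function names are hypothetical, it needs Linux with CONFIG_PROC_CHILDREN (the read helper reports -1 when the file is absent), and the parsed sample text is constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Parse the contents of /proc/<pid>/task/<tid>/children: first-level child
 * pids separated by spaces, with a trailing space. Stores up to max pids in
 * out and returns the total count, or -1 on a non-numeric token. */
int parse_children(const char *text, pid_t *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p) {
        while (*p == ' ' || *p == '\n')
            p++;
        if (!*p)
            break;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v <= 0)
            return -1;
        if (n < max)
            out[n] = (pid_t)v;
        n++;
        p = end;
    }
    return n;
}

/* Read the children list of the calling thread. The file is per task, so the
 * tid must be the thread that called fork(). Returns -1 if the kernel does
 * not export the file. */
int read_own_children(pid_t *out, int max)
{
    char path[64], buf[4096];
    snprintf(path, sizeof(path), "/proc/self/task/%ld/children",
             (long)syscall(SYS_gettid));
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_children(buf, out, max);
}

/* Fork a child that only waits, then confirm its pid is reported by the
 * kernel rather than by a file the child could tamper with. The child is
 * linked into the parent's children list before fork() returns, so no
 * synchronisation is needed. Returns 1 if listed, 0 if not, -1 if the
 * children file is unavailable. */
int demo_child_visible(void)
{
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pause();
        _exit(0);
    }
    pid_t pids[64];
    int n = read_own_children(pids, 64);
    int found = 0;
    for (int i = 0; i < n && i < 64; i++)
        if (pids[i] == child)
            found = 1;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return n < 0 ? -1 : found;
}

int main(void)
{
    printf("child visible via /proc children list: %d\n", demo_child_visible());
    return 0;
}
```

Because the list is written by the kernel from the process tree itself, a restored process cannot lie about its pid the way it could by rewriting a world-writable temp file; the remaining failure mode is a kernel without CONFIG_PROC_CHILDREN, which the read helper surfaces as -1 instead of an empty list.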
MIPS processors implement 3 ABIs: o32, n64 and n32 (similar to x32). The kernel
treats each ABI separately so syscalls disallowed on "all" arches should be
added to all three seccomp sets. This is implemented by expanding compat_arch
and compat_ctx to accept two compat architectures.
After this, the MIPS hostarch detection code and config section code are added.
Signed-off-by: James Cowgill <james410@cowgill.org.uk>
This also changes the help exit status of lxc-unshare and lxc-usernsexec. So
far they did exit(EXIT_FAILURE) whereas all other tools do exit(EXIT_SUCCESS).
Let's align them with the rest of the tools. This should be safe to do.
Signed-off-by: Christian Brauner <cbrauner@suse.de>