The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Add inline setns() function to tool_utils.h. Without it
tool_utils.c can't be build when HAVE_SETNS is unset.
Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>
lxc_monitor.c uses offsetof(), so it should include
<stddef.h>. Otherwise the build fails with the musl C library:
tools/lxc_monitor.c: In function ‘lxc_abstract_unix_connect’:
tools/lxc_monitor.c:324:9: warning: implicit declaration of function ‘offsetof’ [-Wimplicit-function-declaration]
offsetof(struct sockaddr_un, sun_path) + len + 1);
^~~~~~~~
tools/lxc_monitor.c:324:18: error: expected expression before ‘struct’
offsetof(struct sockaddr_un, sun_path) + len + 1);
^~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LXC generates and loads the seccomp-bpf filter in the host/container which
spawn the new container. In other words, userspace N is responsible for
generating and loading the seccomp-bpf filter which restricts userspace N + 1.
Assume 64bit kernel and 32bit userspace running a 64bit container. In this case
the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit
userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter,
or adjusts the default behavior for "BAD_ARCH", *all* 64-bit x86 syscalls will
be blocked.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Always use 022 as the umask when creating the rootfs directory and
executing the template. A too loose umask may cause security issues.
A too strict umask may cause programs to fail inside the container.
Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
This commit deals with different kernel and userspace layouts and nesting. Here
are three examples:
1. 64bit kernel and 64bit userspace running 32bit containers
2. 64bit kernel and 32bit userspace running 64bit containers
3. 64bit kernel and 64bit userspace running 32bit containers running 64bit containers
Two things to lookout for:
1. The compat arch that is detected might have already been present in the main
context. So check that it actually hasn't been and only then add it.
2. The contexts don't need merging if the architectures are the same and also can't be.
With these changes I can run all crazy/weird combinations with proper seccomp
isolation.
Closes#654.
Link: https://bugs.chromium.org/p/chromium/issues/detail?id=832366
Reported-by: Chirantan Ekbote <chirantan@chromium.org>
Reported-by: Sonny Rao <sonnyrao@chromium.org>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
