The gcc implementation and the C standard are not to be considered sane
in this respect. We don't want to risk reordering of writes when the
compiler incorrectly *thinks* two types do not alias each other.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Fix#2592 by defining -Wvla -std=gnu11 even if --disable-werror is set
As -std=gnu11 is always set, bump requirement on gcc from 4.6 to 4.7
(see https://gcc.gnu.org/projects/cxx-status.html#cxx11)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Fail the build if --enable-thread-safety is passed and the environment cannot
guarantee thread-safety.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
We line up with the Linux kernel and won't support any compiler under 4.6.
Additionally, we also require at least gnu99 so this is due anyway.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This copies lxd's apparmor profile generation. This tries to
detect features such as cgroup namespaces, apparmor
namespaces and stacking support, and has profile parts
conditionally for unprivileged containers.
This introduces the following changes to the configuration:
lxc.apparmor.profile = generated
The fixed value 'generated' will cause this
functionality to be used, otherwise there should be no
functional changes happening unless specifically
requested with the next key:
lxc.apparmor.allow_nesting
This is a boolean which, if enabled, causes the
following changes: When generated apparmor profiles are
used, they will contain the necessary changes to allow
creating a nested container. In addition to the usual
mount points, /dev/.lxc/proc and /dev/.lxc/sys will
contain procfs and sysfs mount points without the lxcfs
overlays, which, if generated apparmor profiles are
being used, will not be read/writable directly.
lxc.apparmor.raw
A list of raw apparmor profile lines to append to the
profile. Only valid when using generated profiles.
The following apparmor profile lines have not been copied
from lxd:
mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/,
mount none -> /var/lib/lxd/shmounts/,
mount options=bind /var/lib/lxd/shmounts/** -> /var/lib/lxd/**,
They should be added via lxc.apparmor.raw entries by lxd.
In order for apparmor_parser's cache to be of use, this adds
a --with-apparmor-cache-dir ./configure option.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Commit c06ed219c4 has broken
compilation with a static libcap and a shared gnutls.
This results in a build failure on init_lxc_static if gnutls is
a shared library as init_lxc_static is built with -all-static option
(see src/lxc/Makefile.am) and AC_CHECK_LIB adds gnutls to LIBS.
This commit fix the issue by removing default behavior of AC_CHECK_LIB
and handling manually GNUTLS_LIBS and HAVE_LIBGNUTLS
Fixes:
- http://autobuild.buildroot.net/results/b655d6853c25a195df28d91512b3ffb6c654fc90
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
- remove legacy binaries
- conditionalize creation of docs and tests for the command line tools and the
shared library helper commands
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This allows users to only compile the shared libray without having to compile
any of the command line tools or command helpers for the shared library.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This reverts commit 7995662124.
Before we can merge something like this we need to have it be behind a
configure flag and quite probably be an opt-in feature (--enable-pam).
This should fix Jenkins, PPA builds and the current binary conflicts
between the lxcfs and lxc package builds (snap and archive).
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
This moves pam_cgfs from the LXCFS repo into the LXC repo. This will allow us
to share a bunch of code between the cgroup backends and the pam module. The
next step obviously is to share code.
Closes#1307.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Since we write the label directly without going through the AppArmor API it
doesn't make sense to link against it.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
