Just like we block access to mem and kmem, there's no good reason for
the container to have access to kcore.
Reported-by: Marc Schaefer
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Alpine Linux provides yaml files with latest release instead of the old
approach with .latest.txt.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
fedora-release has been split into fedora-release and fedora-repos.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
This is to prevent systemd-journald to enter a 100% cpu loop.
Signed-off-by: Michael Adam <obnox@samba.org>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
In contrast to what the comment above the line disabling it said,
it seems to work just fine. It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
If a container has a bind mount from a host nfs or fuse
filesystem, and does 'umount -f', it will disconnect the
host's filesystem. This patch adds a seccomp rule to
block umount -f from a container. It also adds that rule
to the default seccomp profile.
Thanks stgraber for the idea :)
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
There are now two (permitted) ways to add data to netlink message:
1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
original netlink message, then write or memcpy data to that area.
Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.
And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
when waitpid() is interrupted, errno is not set to the negative
value -EINTR. It is set to EINTR. check against EINTR.
Signed-off-by: Arjun Sreedharan <arjun024@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
The previous error message made it look like the host interface name was
the concatenation of both the host and guest interface names.
Closes#374
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Do as much as possible to allow containers switching from non-systemd to
systemd to work as intended (but nothing that will cause side effects).
Use update-rc.d disable instead of remove so the init scripts are not
re-enabled when the package is updated
Signed-off-by: Cameron Norman <camerontnorman@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This reverts commit 55ae7edb18.
This change caused hangs in the testsuite, specifically with lxc-user-nic.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Ran into this when trying to automate stgraber's "GUI in containers"
post.
Signed-off-by: Casey Marshall <casey.marshall@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This is a copy of patch version 3 for issue #278 on the issue-tracker:
- Allow multiple bind-mounts (--bdir) and multiple cow-mounts (--cdir).
- Further fixes to permissions throughout lxc-start-ephemeral (annotated
in the code).
Signed-off by: Oleg Freedholm <overlayfs@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
There are now two (permitted) ways to add data to netlink message:
1. put_xxx()
2. call nlmsg_reserve() to get a pointer to newly reserved room within the
original netlink message, then write or memcpy data to that area.
Both of them guarantee adding requested length data do not overflow the
pre-allocated message buffer by checking against its cap field first.
And there may be no need to access nlmsg_len outside nl module, because both
put_xxx() and nlmsg_reserve() have alread did that for us.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Disabled building openSUSE containers on openSUSE 13.2 and openSUSE
Tumbleweed due to faulty behaviour with newer versions of
init_buildsystem.
Signed-off-by: Johannes Kastl <git@ojkastl.de>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Create a tty so we get login prompt on console by default
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
nlmsg_len is the length of message including header.
Signed-off-by: Shuai Zhang <zs.broccoli@gmail.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
Bind mounts do not honor filesystem mount options. This change will
remount filesystems that are bind mounted if there are changes to
filesystem mount options, specifically if the mount is readonly.
Signed-off-by: Abin Shahab <ashahab@altiscale.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
* fix "reg" to "req" in English (fix for commit b8683fe)
* change "opt" to "req" in Japanese
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
