commit lxc.3935 for openSUSE:13.2:Update

Hello community,

here is the log from the commit of package lxc.3935 for openSUSE:13.2:Update checked in at 2015-07-30 11:15:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/lxc.3935 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.lxc.3935.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lxc.3935"

Changes:
--------
New Changes file:

--- /dev/null	2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.2:Update/.lxc.3935.new/lxc.changes	2015-07-30 11:15:19.000000000 +0200
@@ -0,0 +1,549 @@ +------------------------------------------------------------------- +Thu Jul 23 09:23:19 UTC 2015 - jslaby@suse.com + +- Added CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch + (bnc#938522) +- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch + (bnc#938523) + +------------------------------------------------------------------- +Sat Sep 27 05:12:44 UTC 2014 - opensuse_buildservice@ojkastl.de + +- update to 1.0.6, which includes the following changes/fixes: + rootfs_is_blockdev: don't run if no rootfs is specified + confile: sanity-check netdev->type before setting netdev->priv elements + Fix typo in previous patch + Remove mention of mountcgroups in ubuntu.common config + remove mountcgroup hook entirely + Add SIGPWR support to lxc_init + Sysvinit script fixes + unprivileged containers: use next available nic name if unspecified + fix typo in btrfs error msg + apparmor: Allow slave bind mounts + provide an example SELinux policy for older releases + print a helpful message if creating unpriv container with no idmap + use non-thread-safe getpwuid and getpwgid for android + btrfs: support recursive subvolume deletion (v2) + fix '--log-priority' --> '--logpriority' in main + Fix a file descriptor leak in the daemonization + Fix a file descriptor leak in the monitord spawn + Ensure /dev/pts directory exists on pts setup + Do not allow snapshots of LVM backed containers + add lxc.console.logpath + coverity: don't use newname after null check + coverity: malloc the right size for btrs_node tree + introduce --with-distro=raspbian + cgmanager get/set: clean up child (v2) + Add extra debugging + Fix typo in the previous commit... 
+ do_mount_entry: add nexec, nosuid, nodev, rdonly flags if needed at remount + command socket: use hash if needed + monitor: fix sockname calculation for long lxcpaths + show additional info if btrfs subvolume deletion fails (issue #315) + ignore SIGKILL (CTRL-C) and SIGQUIT (CTRL-\) - issue #313 + chmod container dir to 0770 (v2) + build: Fix support for split build and source dirs + mount_entry: use statvfs + lxc_mount_auto_mounts: honor existing nodev etc at remounts + statvfs: do nothing if statvfs does not exist (android/bionic) + Prevent compiler warning by initializing ifindex + build: don't remove configuration template on clean + build: Make setup.py run from srcdir to avoid distutils errors + handle hashed command socket names (v2) + lxc-cgm: fix issue with nested chowning + Report container exit status to monitord + support use of 'all' containers when cgmanager supports it + log: fix quiet mode + Fix build error(ISO C90 specs violation) in lxc.c + lxc_map_ids: don't do bogus chekc for newgidmap + lxc_map_ids: add a comment + clean autodev dir on container exit + As discussed on ML, do not clean autodev dir on reboot + Fix build failure due to slightly different rmdir + Fix presentation of IPv6 addresses and gateway + + lxc-start: Add -F (foreground) option + + all: Discontinue the use of in-line comments (stable) + all: Include hostname in DHCP requests + all: Switch from arch command to uname -m + altlinux: bugfixes + archlinux: Properly set default locale in /etc/locale.conf + centos template: prevent mingetty from calling vhangup(2) + download: Have wget retry 3 times + download: Make --keyserver actually work + gentoo: keep original uid/gid of files/dirs when installing + gentoo: Use portageq to determine portage distdir + plamo: keep original uid/gid of files/dirs when installing + plamo: bugfix template + ssh: send hostname to dhcp server + ubuntu: don't check for $rootfs/run/shm + ubuntu: add help string + + lxc-test-{unpriv,usernic.in}: make 
sure to chgrp as well + lxc-test-unpriv: test lxc-clone -s + tests: Call sync before testing a shutdown + tests: Copy the download cache when available [v2] + Fix the unprivileged tests cgroup management + + doc: Mention that veth.pair is ignored for unpriv + doc: Add mention that veth.pair is ignored for unpriv in Japanese man + doc: Add -F option to Japanese lxc-start(1) + doc: Update the description of SELinux in Japanese lxc.container.conf(5) + doc: Add 'zfs' to the parameter of -B option in lxc-create(1) + doc: add lxc.console.logpath to Japanese lxc.container.conf(5) + doc: language correction + doc: Fix Japanese translation of lxc.container.conf(5) + doc: Add destroy option to lxc-snapshot(1) + doc: Add description about ignoring lxc.cgroup.use when using cgmanager +- delete: 0002-lxc-autostart-helper-working-even-if-action-is-not-a.patch +- delete: 0003-lxc-autostart-helper-working-even-if-var-lock-subsys.patch + +------------------------------------------------------------------- +Fri Aug 15 14:43:35 UTC 2014 - opensuse_buildservice@ojkastl.de + +- third patch to get lxc-autostart-helper to work on openSUSE + * 0003-lxc-autostart-helper-working-even-if-var-lock-subsys.patch + +------------------------------------------------------------------- +Fri Aug 15 13:04:48 UTC 2014 - opensuse_buildservice@ojkastl.de + +- added another patch to ensure correct operation of lxc.service systemd-unit + * 0002-lxc-autostart-helper-working-even-if-action-is-not-a.patch + +------------------------------------------------------------------- +Thu Aug 14 19:26:33 UTC 2014 - opensuse_buildservice@ojkastl.de + +- added patch to ensure correct operation of lxc.service systemd-unit + * 0001-systemd-Ensure-action-is-defined.patch + +------------------------------------------------------------------- +Wed Aug 6 19:38:55 UTC 2014 - opensuse_buildservice@ojkastl.de + +- update to 1.0.5 + * seccomp profile + * core: Fix unprivileged containers to work with recent kernels. 
+ * core: Fix building with -Werror=maybe-uninitialized. + * core: seccomp: Don't fail on unresolvable syscalls. + * core: lxc-init: Don't force dropping capabilities. + * core: configure: Split -lcap and -lselinux out of LIBS. + * core: configure: Fix expansion of libexecdir. + * core: seccomp: Support 'all' arch sections. + * core: seccomp: Fix 32-bit rules. + * core: seccomp: Enable a default filter for all templates. + * core: Fix corruption in write_config. + * core: attach: Fix querying for the current personality. + * core: cgmanager: Have cgm_set and cgm_get use absolute paths when possible. + * core: cgmanager: Make sure @value is null-terminated in cgm_get. + * core: optimization of signal filtering/parsing code. + * core: apparmor: Allow hugetlbfs by default (similar to tmpfs and restricted by the hugetlb cgroup controller). + * core: Fix find_fstype_cb to ignore blank lines and comments. + * lxc-autostart: Actually respect -P when passed. + * lxc-attach: Fix typo in usage. + * lxc-start: propagate the container exit code. + * lxc-stop: Fix incorrect timeout handling. + * lxc-device: Support --version. + * lxc-ls: Support --version. + * lxc-start-ephemeral: Support --version. + * tests: Avoid the download template when possible. + * tests: Don't fail when HOME isn't defined. + * tests: apparmor: Always end messages with a newline. + * tests: Clarify error message and fix return codes. + * tests: lxc-test-ubuntu doesn't actually need bind9-host. + * lxc-debian: standardize formatting. + * lxc-debian: fix formatting. + * python3: Fix attach_wait and threads. 
+ +------------------------------------------------------------------- +Fri Jun 13 19:33:04 UTC 2014 - opensuse_buildservice@ojkastl.de + +- fixed the build errors + +------------------------------------------------------------------- +Fri Jun 13 18:24:48 UTC 2014 - opensuse_buildservice@ojkastl.de + +- update to 1.0.4; disable lua and excluded lxc-top, as lua-dependencies are not available + +------------------------------------------------------------------- +Sat May 17 18:57:22 UTC 2014 - opensuse_buildservice@ojkastl.de + +- added --enable-lua to compile lxc with lua support (for lxc-top) + +------------------------------------------------------------------- +Sat May 17 13:14:01 UTC 2014 - opensuse_buildservice@ojkastl.de + +- added "Requires: lua", as lxc-top needs it + +------------------------------------------------------------------- +Mon May 5 13:08:04 UTC 2014 - opensuse_buildservice@ojkastl.de + +- added file /usr/sbin/rxlcx that links to /usr/sbin/service + +------------------------------------------------------------------- +Mon May 5 10:14:06 UTC 2014 - opensuse_buildservice@ojkastl.de + +- upgrade to version 1.0.3 +- deleted patch patch_bash_completion.d_lxc.patch, as it is included upstream already +- added file /usr/sbin/init.lxc + +------------------------------------------------------------------- +Sun Mar 2 09:06:57 UTC 2014 - opensuse_buildservice@ojkastl.de + +- patch now including headers and signoff + +------------------------------------------------------------------- +Sun Mar 2 08:57:35 UTC 2014 - opensuse_buildservice@ojkastl.de + +- updated sources to 1.0.0 ++++ 352 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.lxc.3935.new/lxc.changes New: ---- 0001-systemd-Ensure-action-is-defined.patch CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch README.SUSE lxc-1.0.6.tar.gz lxc-createconfig.in lxc.changes lxc.spec 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lxc.spec ++++++
#
# spec file for package lxc
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           lxc
Version:        1.0.6
Release:        0
Url:            http://linuxcontainers.org/
Summary:        Userspace tools for the Linux kernel containers
License:        LGPL-2.1+
Group:          System/Management
Source:         http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
Source1:        README.SUSE
Source2:        lxc-createconfig.in
Patch1:         0001-systemd-Ensure-action-is-defined.patch
Patch2:         CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch
Patch3:         CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  docbook-utils
BuildRequires:  docbook2x
BuildRequires:  libapparmor-devel
BuildRequires:  libcap-devel
%ifarch %ix86 x86_64
BuildRequires:  libseccomp-devel
%endif
BuildRequires:  libxslt
BuildRequires:  linux-glibc-devel
BuildRequires:  lsb-release
BuildRequires:  pkg-config
BuildRequires:  python3-devel
%if 0%{?suse_version} >= 1210
BuildRequires:  systemd
%endif
Requires:       /sbin/setcap
Requires:       rsync
%{?systemd_requires}
# needed to create openSUSE containers using template
Recommends:     build

%description
LXC provides commands to create and manage containers. It implements a
full-featured container with isolation/virtualization of the PIDs, IPC,
utsname, mount points, /proc, /sys and the network, and it takes control
groups into account. It is very light and flexible, and provides a set of
tools around the container, such as monitoring with asynchronous event
notification or freezing the container.

This package is useful for creating virtual private servers or for running
isolated applications like bash or sshd.

%package devel
Summary:        Development library for lxc
License:        LGPL-2.1+
Group:          Development/Libraries/C and C++
Requires:       %name = %version

%description devel
LXC header files and the library needed for developing container tools.

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1

%build
chmod 755 configure
%configure --disable-examples --with-init-script=systemd
%__make %{?_smp_mflags}
%__cp %{SOURCE1} .
%__rm -rf .doc
%__mkdir_p .doc/examples
%__cp doc/examples/*.conf .doc/examples

%install
%makeinstall
install -d -m 755 %{buildroot}/var/lib/lxc
find %buildroot -type f -name '*.la' -delete
# ship lxc-user-nic without the setuid bit; see README.SUSE for re-enabling it
chmod u-s %{buildroot}/usr/lib/lxc/lxc-user-nic
./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2}
chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%name

%clean
%__rm -rf %buildroot

%pre
%service_add_pre lxc.service

%post
/sbin/ldconfig
%service_add_post lxc.service

%preun
%service_del_preun lxc.service

%postun
/sbin/ldconfig
%service_del_postun lxc.service

%files
%defattr(-,root,root)
%doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt
%doc README.SUSE
%doc .doc/examples
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%{_libdir}/lib%{name}.so.*
%{_libexecdir}/%name
%{_libdir}/%name
%{_datadir}/%name
%dir /var/lib/lxc
%{_bindir}/%{name}-*
%exclude %{_bindir}/%{name}-top
%{_sbindir}/init.lxc
%{_sbindir}/rclxc
%{_mandir}/man[^3]/*
%_unitdir/%{name}.service
%python3_sitearch/%{name}/
%python3_sitearch/_%{name}*
%dir %{_sysconfdir}/apparmor.d
%dir %{_sysconfdir}/apparmor.d/abstractions
%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
%config %{_sysconfdir}/apparmor.d/abstractions/lxc/container-base
%config %{_sysconfdir}/apparmor.d/abstractions/lxc/start-container
%config %{_sysconfdir}/apparmor.d/lxc-containers
%dir %{_sysconfdir}/apparmor.d/lxc
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-mounting
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-nesting
%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-start
%config %{_sysconfdir}/bash_completion.d/%{name}

%files devel
%defattr(-,root,root)
%{_includedir}/%name
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc

%changelog
++++++ 0001-systemd-Ensure-action-is-defined.patch ++++++
From 82dddfc2d3c26db922f105111a439e43f5ce7172 Mon Sep 17 00:00:00 2001 From: Martin Pitt <martin.pitt@ubuntu.com> Date: Thu, 31 Jul 2014 08:53:54 +0200 Subject: [PATCH 1/2] systemd: Ensure action() is defined
If /etc/rc.d/init.d/functions is not present or does not define an action() function, provide a simple fallback using "echo". Signed-off-by: Martin Pitt <martin.pitt@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> --- config/init/sysvinit/lxc.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/init/sysvinit/lxc.in b/config/init/sysvinit/lxc.in index 4bfd0f0..c4c0c75 100644 --- a/config/init/sysvinit/lxc.in +++ b/config/init/sysvinit/lxc.in @@ -45,6 +45,13 @@ STOPOPTS="-a -s" test ! -r "$sysconfdir"/rc.d/init.d/functions || . "$sysconfdir"/rc.d/init.d/functions +# provide action() fallback +if ! type action >/dev/null 2>&1; then + action() { + echo "$@" + } +fi + # Source any configurable options test ! -r "$sysconfdir"/sysconfig/lxc || . "$sysconfdir"/sysconfig/lxc -- 2.0.4 ++++++ CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch ++++++ From: Serge Hallyn <serge.hallyn@ubuntu.com> Date: Fri, 3 Jul 2015 09:26:17 -0500 Subject: CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes Git-commit: 72cf81f6a3404e35028567db2c99a90406e9c6e6 References: bnc#938522 This prevents an unprivileged user to use LXC to create arbitrary file on the filesystem. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by: Jiri Slaby <jslaby@suse.com> --- src/lxc/lxclock.c | 38 ++++++++++---------------------------- src/tests/locktests.c | 2 +- 2 files changed, 11 insertions(+), 29 deletions(-) --- a/src/lxc/lxclock.c +++ b/src/lxc/lxclock.c 
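Review bot: in 0001-systemd-Ensure-action-is-defined.patch the fallback `action() { echo "$@"; }` prints every argument and always returns 0, whereas the action() it stands in for (sourced from "$sysconfdir"/rc.d/init.d/functions a few lines above) treats the arguments after the message as a command to run and returns that command's status. If any caller in lxc.in passes a command, the fallback silently skips it and reports success; either make the fallback execute it, e.g. `action() { local msg="$1"; shift; echo "$msg"; "$@"; }`, or state in the comment that callers pass only a message.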
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, char *rundir; /* lockfile will be: - * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root + * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root * or - * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root + * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root */ - /* length of "/lock/lxc/" + $lxcpath + "/" + $lxcname + '\0' */ - len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 2; + /* length of "/lxc/lock/" + $lxcpath + "/" + $lxcname + '\0' */ + len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2; rundir = get_rundir(); if (!rundir) return NULL; @@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, return NULL; } - ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p); + ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p); if (ret < 0 || ret >= len) { free(dest); free(rundir); @@ -128,31 +128,13 @@ static char *lxclock_name(const char *p, } ret = mkdir_p(dest, 0755); if (ret < 0) { - /* fall back to "/tmp/" $(id -u) "/lxc/" $lxcpath / $lxcname + '\0' */ - int l2 = 33 + strlen(n) + strlen(p); - if (l2 > len) { - char *d; - d = realloc(dest, l2); - if (!d) { - free(dest); - free(rundir); - return NULL; - } - len = l2; - dest = d; - } - ret = snprintf(dest, len, "/tmp/%d/lxc/%s", geteuid(), p); - if (ret < 0 || ret >= len) { - free(dest); - free(rundir); - return NULL; - } - ret = snprintf(dest, len, "/tmp/%d/lxc/%s/%s", geteuid(), p, n); - } else - ret = snprintf(dest, len, "%s/lock/lxc/%s/%s", rundir, p, n); + free(dest); + free(rundir); + return NULL; + } + ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n); free(rundir); - if (ret < 0 || ret >= len) { free(dest); return NULL; --- a/src/tests/locktests.c +++ b/src/tests/locktests.c 
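Review bot: the length budget and the final format string in the lxclock.c hunks disagree. `len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2` (and its comment) allow for "/lxc/lock/" + lxcpath + "/" + name + NUL, but the last snprintf writes `"%s/lxc/lock/%s/.%s"`, one byte longer because of the "." prefix; with the `ret >= len` check that follows, lxclock_name() would return NULL for every name unless a line outside the hunk adds slack. Use `+ 3` and mention the "." in the comment, or drop the prefix. The "." prefix is not explained in the commit message either; say why the lock file is hidden. The commit message would also be clearer if it named the removed `/tmp/%d/lxc/...` (geteuid()) fallback as the path an unprivileged user could prepare, since deleting that fallback and failing hard when mkdir_p() on the rundir fails is the whole fix.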
@@ -122,7 +122,7 @@ int main(int argc, char *argv[]) exit(1); } struct stat sb; - char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/"; + char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/"; ret = stat(pathname, &sb); if (ret != 0) { fprintf(stderr, "%d: filename %s not created\n", __LINE__, ++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++ From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com> Date: Thu, 16 Jul 2015 16:37:51 -0400 Subject: CVE-2015-1334: Don't use the container's /proc during attach MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch-mainline: yes Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e References: bnc#938523 A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written which combined with a modified /bin/sh or other commonly used binary would lead to unconfined code execution. Reported-by: Roman Fiedler Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by: Jiri Slaby <jslaby@suse.com> --- src/lxc/attach.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 93 insertions(+), 4 deletions(-) --- a/src/lxc/attach.c +++ b/src/lxc/attach.c 
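Review bot: the locktests.c hunk of the CVE-2015-1331 patch only updates the directory the test stats (RUNTIME_PATH "/lxc/lock/var/lib/lxc/"), so the test still passes if the lock file itself is never created or gets a different name. Add a stat on the file the new lxclock_name() produces, RUNTIME_PATH "/lxc/lock/var/lib/lxc/." followed by the container name the test uses, so the "." prefix is covered, and a case where the rundir from get_rundir() is unwritable that expects lxclock_name() to return NULL rather than fall back to /tmp, which is the behaviour the fix relies on.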
@@ -76,6 +76,82 @@ lxc_log_define(lxc_attach, lxc); +int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) { + int labelfd = -1; + int ret = 0; + const char* name; + char* command = NULL; + + name = lsm_name(); + + if (strcmp(name, "nop") == 0) + goto out; + + if (strcmp(name, "none") == 0) + goto out; + + /* We don't support on-exec with AppArmor */ + if (strcmp(name, "AppArmor") == 0) + on_exec = 0; + + if (on_exec) { + labelfd = openat(procfd, "self/attr/exec", O_RDWR); + } + else { + labelfd = openat(procfd, "self/attr/current", O_RDWR); + } + + if (labelfd < 0) { + SYSERROR("Unable to open LSM label"); + ret = -1; + goto out; + } + + if (strcmp(name, "AppArmor") == 0) { + int size; + + command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1); + if (!command) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + size = sprintf(command, "changeprofile %s", lsm_label); + if (size < 0) { + SYSERROR("Failed to write apparmor profile"); + ret = -1; + goto out; + } + + if (write(labelfd, command, size + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } + } + else if (strcmp(name, "SELinux") == 0) { + if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) { + SYSERROR("Unable to set LSM label"); + ret = -1; + goto out; + } + } + else { + ERROR("Unable to restore label for unknown LSM: %s", name); + ret = -1; + goto out; + } + +out: + free(command); + + if (labelfd != -1) + close(labelfd); + + return ret; +} + static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) { struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); @@ -588,6 +664,7 @@ struct attach_clone_payload { struct lxc_proc_context_info* init_ctx; lxc_attach_exec_t exec_function; void* exec_payload; + int procfd; }; static int attach_child_main(void* data); 
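Review bot: lsm_set_label_at() is added as a non-static function, but the diffstat touches only src/lxc/attach.c, so nothing declares it; make it static (its only caller is attach_child_main) or declare it in the lsm header. In the same hunk the malloc failure branch logs "Failed to write apparmor profile", which misleads triage for an allocation failure, and the final `else` reports "Unable to restore label for unknown LSM" only after a label fd has already been opened; checking for an unsupported LSM name before the openat() avoids the open and the close on the error path. The `sprintf(command, "changeprofile %s", lsm_label)` is into a buffer sized exactly as strlen(lsm_label) + strlen("changeprofile ") + 1; snprintf with that size would make the bound explicit.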
@@ -640,6 +717,7 @@ int lxc_attach(const char* name, const c char* cwd; char* new_cwd; int ipc_sockets[2]; + int procfd; signed long personality; if (!options) @@ -849,6 +927,13 @@ int lxc_attach(const char* name, const c rexit(-1); } + procfd = open("/proc", O_DIRECTORY | O_RDONLY); + if (procfd < 0) { + SYSERROR("Unable to open /proc"); + shutdown(ipc_sockets[1], SHUT_RDWR); + rexit(-1); + } + /* attach now, create another subprocess later, since pid namespaces * only really affect the children of the current process */ @@ -876,7 +961,8 @@ int lxc_attach(const char* name, const c .options = options, .init_ctx = init_ctx, .exec_function = exec_function, - .exec_payload = exec_payload + .exec_payload = exec_payload, + .procfd = procfd }; /* We use clone_parent here to make this subprocess a direct child of * the initial process. Then this intermediate process can exit and @@ -914,6 +1000,7 @@ static int attach_child_main(void* data) { struct attach_clone_payload* payload = (struct attach_clone_payload*)data; int ipc_socket = payload->ipc_socket; + int procfd = payload->procfd; lxc_attach_options_t* options = payload->options; struct lxc_proc_context_info* init_ctx = payload->init_ctx; #if HAVE_SYS_PERSONALITY_H @@ -1039,12 +1126,11 @@ static int attach_child_main(void* data) close(ipc_socket); /* set new apparmor profile/selinux context */ - if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) { + if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) { int on_exec; on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; - ret = lsm_process_label_set(init_ctx->lsm_label, 0, on_exec); - if (ret < 0) { + if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) { rexit(-1); } } 
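Review bot: `procfd = open("/proc", O_DIRECTORY | O_RDONLY)` is opened without O_CLOEXEC, and the parent side of lxc_attach() never closes it in this hunk; the only close(procfd) in the patch is in the clone'd child immediately before rexit(payload->exec_function(...)). A library caller that invokes lxc_attach() repeatedly (the python3 bindings, a long-running daemon) leaks one descriptor per call, and any exec path that bypasses the explicit close hands the host's /proc handle to the attached command. Open with `O_DIRECTORY | O_RDONLY | O_CLOEXEC` and close(procfd) in the parent once the clone of attach_child_main has returned; the child still inherits the fd across clone. Separately, the new `&& init_ctx->lsm_label` guard means a container whose init carries no label is attached with no LSM confinement and no log line; an INFO there would help when debugging a missing profile.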
@@ -1095,6 +1181,9 @@ static int attach_child_main(void* data) } } + /* we don't need proc anymore */ + close(procfd); + /* we're done, so we can now do whatever the user intended us to do */ rexit(payload->exec_function(payload->exec_payload)); }
++++++ README.SUSE ++++++
To mount the control group file system just run:

  /sbin/insserv boot.cgroup

and /sys/fs/cgroup will be mounted for cgroup automatically.

=== lxc-user-nic ===

The package installs lxc-user-nic without the setuid bit (the spec runs
chmod u-s on it). If you want unprivileged users to create network
interfaces with this tool, set the setuid bit:

  # chmod u+s /usr/lib/lxc/lxc-user-nic

and update /etc/permissions.local accordingly, so that the permissions
check does not strip the bit again.
++++++ lxc-createconfig.in ++++++
#!/bin/bash

#
# lxc: linux Container library
#
# Authors:
# Mike Friesenegger <mikef@suse.com>
# Daniel Lezcano <daniel.lezcano@free.fr>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

usage() {
    echo "usage: lxc-createconfig -n <name> [-i <ipaddr/cidr>] [-b <bridge>] [-t <template>]"
}

help() {
    usage
    echo
    echo "creates a lxc container config file which can be in"
    echo "turn used by lxc-create to create the lxc system object."
    echo
    echo "Options:"
    echo "name     : name of the container"
    echo "ipaddr   : ip address/cidr of the container"
    echo "bridge   : bridge device for container (br0 if undefined)"
    echo "template : template is an accessible template script (opensuse if undefined)"
}

shortoptions='hn:i:b:t:'
longoptions='help,name:,ipaddr:,bridge:,template:'
lxc_confpath=$HOME
templatedir=@LXCTEMPLATEDIR@
lxc_bridge=br0
lxc_template=opensuse

getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? -ne 0 ]; then
    usage
    exit 1
fi

eval set -- "$getopt"

while true; do
    case "$1" in
        -h|--help)
            help
            exit 1
            ;;
        -n|--name)
            shift
            lxc_name=$1
            lxc_confname=$lxc_name.config
            shift
            ;;
        -i|--ipaddr)
            shift
            lxc_ipaddr=$1
            shift
            ;;
        -b|--bridge)
            shift
            lxc_bridge=$1
            shift
            ;;
        -t|--template)
            shift
            lxc_template=$1
            shift
            ;;
        --)
            shift
            break
            ;;
        *)
            echo "$1"
            usage
            exit 1
            ;;
    esac
done

if [ -z "$lxc_name" ]; then
    echo "no container name specified"
    usage
    exit 1
fi

if [ -f "$lxc_confpath/$lxc_confname" ]; then
    echo "'$lxc_confname' already exists"
    exit 1
fi

# a static address must carry a prefix length in the range /0 .. /32
if [ -n "$lxc_ipaddr" ]; then
    if ! echo "$lxc_ipaddr" | grep -Eq '/(([0-2]?[0-9])|(3[0-2]))$'; then
        echo "$lxc_ipaddr is missing a cidr"
        usage
        exit 1
    fi
fi

if [ -z "$lxc_ipaddr" ]; then
    lxc_ipaddr=DHCP
fi

if [ -n "$lxc_bridge" ]; then
    # whole-word match, so "br0" is not satisfied by a bridge called "br01"
    if ! brctl show | grep -qw -- "$lxc_bridge"; then
        echo "$lxc_bridge not defined"
        exit 1
    fi
fi

if [ -n "$lxc_template" ]; then
    if [ ! -x "${templatedir}/lxc-$lxc_template" ]; then
        echo "unknown template '$lxc_template'"
        exit 1
    fi
fi

echo
echo "Container Name = $lxc_name"
echo "IP Address     = $lxc_ipaddr"
echo "Bridge         = $lxc_bridge"
echo
echo -n "Create container config? (n): "
read ANSWER
if [ "$ANSWER" != "y" ] && [ "$ANSWER" != "Y" ]; then
    exit 1
fi

echo
echo "Creating container config $lxc_confpath/$lxc_confname"

# generate a locally administered MAC (02:00:xx:xx:xx:xx) from a hash of the
# current time and the interrupt counters
lxc_hwaddr="02:00:$( (date ; cat /proc/interrupts) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;')"

cat >"$lxc_confpath/$lxc_confname" <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%

if [ "$lxc_ipaddr" != "DHCP" ]; then
    cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.ipv4 = $lxc_ipaddr
%%
fi

cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.name = eth0
%%

echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_confpath/$lxc_confname -t $lxc_template' to create the lxc system object."