Bug#908223: lxc: diff for NMU version 1:2.0.9-6.2
Hi here actually the proper debdiff. Regards, Salvatore
diff -Nru lxc-2.0.9/debian/changelog lxc-2.0.9/debian/changelog
--- lxc-2.0.9/debian/changelog 2018-08-29 15:22:46.0 +0200
+++ lxc-2.0.9/debian/changelog 2018-10-22 23:18:55.0 +0200
@@ -1,3 +1,10 @@
+lxc (1:2.0.9-6.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * autodev: adapt to changes in Linux 4.18 (Closes: #908223)
+
+ -- Salvatore Bonaccorso Mon, 22 Oct 2018 23:18:55 +0200
+
 lxc (1:2.0.9-6.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch
--- lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch 1970-01-01 01:00:00.0 +0100
+++ lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch 2018-10-22 23:18:55.0 +0200
@@ -0,0 +1,219 @@
+From: Christian Brauner
+Date: Mon, 22 Oct 2018 16:30:49 +0200
+Subject: autodev: adapt to changes in Linux 4.18
+Origin: backport, https://github.com/lxc/lxc/commit/db4219603946649474b5cb7915dbd6c17ec728f0
+Bug-Debian: https://bugs.debian.org/908223
+
+Starting with commit
+55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
+Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
+available.
+However, these device nodes are useless since
+
+static struct super_block *alloc_super(struct file_system_type *type, int flags,
+ struct user_namespace *user_ns)
+{
+/* */
+
+if (s->s_user_ns != _user_ns)
+s->s_iflags |= SB_I_NODEV;
+
+/* */
+}
+
+will set the SB_I_NODEV flag on the filesystem. When a device node created in
+non-init userns is open()ed the call chain will hit:
+
+bool may_open_dev(const struct path *path)
+{
+return !(path->mnt->mnt_flags & MNT_NODEV) &&
+!(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
+}
+
+which will cause an EPERM because the device node is located on an fs
+owned by non-init-userns and thus doesn't grant access to device nodes due to
+SB_I_NODEV.
+
+The solution is straightforward. Unless you're real root you should bind-mount
+device nodes.
+
+Signed-off-by: Christian Brauner
+---
+ src/lxc/conf.c | 127 +++--
+ 1 file changed, 81 insertions(+), 46 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 91816beb..384138ec 100644
+--- a/src/lxc/conf.c b/src/lxc/conf.c
+@@ -1130,32 +1130,41 @@ static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs,
+ return 0;
+ }
+
+-struct lxc_devs {
++struct lxc_device_node {
+ const char *name;
+- mode_t mode;
+- int maj;
+- int min;
++ const mode_t mode;
++ const int maj;
++ const int min;
+ };
+
+-static const struct lxc_devs lxc_devs[] = {
+- { "null",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 },
+- { "zero",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
++static const struct lxc_device_node lxc_devices[] = {
+ { "full",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 7 },
+- { "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 },
++ { "null",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 },
+ { "random", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 8 },
+ { "tty", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 5, 0 },
++ { "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 },
++ { "zero",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
++};
++
++
++
++enum {
++ LXC_DEVNODE_BIND,
++ LXC_DEVNODE_MKNOD,
++ LXC_DEVNODE_PARTIAL,
++ LXC_DEVNODE_OPEN,
+ };
+
+ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
+ {
+- int ret;
+- char path[MAXPATHLEN];
+- int i;
++ int i, ret;
++ char path[PATH_MAX];
+ mode_t cmask;
++ int use_mknod = LXC_DEVNODE_MKNOD;
+
+- ret = snprintf(path, MAXPATHLEN, "%s/dev",
++ ret = snprintf(path, PATH_MAX, "%s/dev",
+ rootfs->path ?
rootfs->mount : "");
+- if (ret < 0 || ret >= MAXPATHLEN)
++ if (ret < 0 || ret >= PATH_MAX)
+ return -1;
+
+ /* ignore, just don't try to fill in */
+@@ -1165,53 +1174,79 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
+ INFO("Populating \"/dev\"");
+
+ cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH);
+- for (i = 0; i < sizeof(lxc_devs) / sizeof(lxc_devs[0]); i++) {
+- const struct lxc_devs *d = _devs[i];
++ for (i = 0; i < sizeof(lxc_devices) / sizeof(lxc_devices[0]); i++) {
++ char hostpath[PATH_MAX];
++ const struct lxc_device_node *device = _devices[i];
+
+- ret = snprintf(path, MAXPATHLEN, "%s/dev/%s",
+- rootfs->path ? rootfs->mount : "", d->name);
+- if (ret < 0 || ret >= MAXPATHLEN)
++ ret = snprintf(path, PATH_MAX, "%s/dev/%s",
++ rootfs->path ? rootfs->mount : "", device->name);
++ if (ret < 0 || ret >= PATH_MAX)
+ return -1;
+
+- ret = mknod(path, d->mode, makedev(d->maj, d->min));
+- if (ret < 0) {
+- FILE *pathfile;
+-
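Review bot: The new `enum { LXC_DEVNODE_BIND, LXC_DEVNODE_MKNOD, LXC_DEVNODE_PARTIAL, LXC_DEVNODE_OPEN }` and the `int use_mknod = LXC_DEVNODE_MKNOD;` that holds it carry no comment, and the code that consumes them lies outside this hunk, so a reader cannot tell from here what the four states mean; a short comment on the enum naming each state (BIND and MKNOD follow from the description above, the meaning of PARTIAL and OPEN has to be taken from the consuming code) would close that gap. The name `use_mknod` reads as a boolean while it holds a four-state enum; naming the enum and declaring the variable with that type under a name such as `devnode_mode` would be clearer, though that is a style choice. The `int i` declared here is compared in the following hunk against `sizeof(lxc_devices) / sizeof(lxc_devices[0])`, a `size_t`, which trips `-Wsign-compare`; `size_t i` avoids it. lxc_fill_autodev continues past the end of this hunk, and the same hunk recurs in the second copy of the debdiff later on this page.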
Bug#908223: lxc: diff for NMU version 1:2.0.9-6.2
Control: tags 908223 + pending Dear maintainer, I've prepared an NMU for lxc (versioned as 1:2.0.9-6.2) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. This is based on the backported patch from Christian Brauner in #908223. https://salsa.debian.org/lxc-team/lxc/merge_requests/1 Regards, Salvatore
diff -Nru lxc-2.0.9/debian/changelog lxc-2.0.9/debian/changelog
--- lxc-2.0.9/debian/changelog 2018-08-29 15:22:46.0 +0200
+++ lxc-2.0.9/debian/changelog 2018-10-22 21:09:12.0 +0200
@@ -1,3 +1,9 @@
+lxc (1:2.0.9-6.2) unstable; urgency=medium
+
+ * autodev: adapt to changes in Linux 4.18 (Closes: #908223)
+
+ -- Salvatore Bonaccorso Mon, 22 Oct 2018 21:09:12 +0200
+
 lxc (1:2.0.9-6.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch
--- lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch 1970-01-01 01:00:00.0 +0100
+++ lxc-2.0.9/debian/patches/0007-autodev-adapt-to-changes-in-Linux-4.18.patch 2018-10-22 21:09:12.0 +0200
@@ -0,0 +1,219 @@
+From: Christian Brauner
+Date: Mon, 22 Oct 2018 16:30:49 +0200
+Subject: autodev: adapt to changes in Linux 4.18
+Origin: backport, https://github.com/lxc/lxc/commit/db4219603946649474b5cb7915dbd6c17ec728f0
+Bug-Debian: https://bugs.debian.org/908223
+
+Starting with commit
+55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
+Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
+available.
+However, these device nodes are useless since
+
+static struct super_block *alloc_super(struct file_system_type *type, int flags,
+ struct user_namespace *user_ns)
+{
+/* */
+
+if (s->s_user_ns != _user_ns)
+s->s_iflags |= SB_I_NODEV;
+
+/* */
+}
+
+will set the SB_I_NODEV flag on the filesystem. When a device node created in
+non-init userns is open()ed the call chain will hit:
+
+bool may_open_dev(const struct path *path)
+{
+return !(path->mnt->mnt_flags & MNT_NODEV) &&
+!(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
+}
+
+which will cause an EPERM because the device node is located on an fs
+owned by non-init-userns and thus doesn't grant access to device nodes due to
+SB_I_NODEV.
+
+The solution is straightforward. Unless you're real root you should bind-mount
+device nodes.
+
+Signed-off-by: Christian Brauner
+---
+ src/lxc/conf.c | 127 +++--
+ 1 file changed, 81 insertions(+), 46 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 91816beb..384138ec 100644
+--- a/src/lxc/conf.c b/src/lxc/conf.c
+@@ -1130,32 +1130,41 @@ static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs,
+ return 0;
+ }
+
+-struct lxc_devs {
++struct lxc_device_node {
+ const char *name;
+- mode_t mode;
+- int maj;
+- int min;
++ const mode_t mode;
++ const int maj;
++ const int min;
+ };
+
+-static const struct lxc_devs lxc_devs[] = {
+- { "null",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 },
+- { "zero",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
++static const struct lxc_device_node lxc_devices[] = {
+ { "full",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 7 },
+- { "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 },
++ { "null",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 },
+ { "random", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 8 },
+ { "tty", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 5, 0 },
++ { "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 },
++ { "zero",S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 },
++};
++
++
++
++enum {
++ LXC_DEVNODE_BIND,
++ LXC_DEVNODE_MKNOD,
++ LXC_DEVNODE_PARTIAL,
++ LXC_DEVNODE_OPEN,
+ };
+
+ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
+ {
+- int ret;
+- char path[MAXPATHLEN];
+- int i;
++ int i, ret;
++ char path[PATH_MAX];
+ mode_t cmask;
++ int use_mknod = LXC_DEVNODE_MKNOD;
+
+- ret = snprintf(path, MAXPATHLEN, "%s/dev",
++ ret = snprintf(path, PATH_MAX, "%s/dev",
+ rootfs->path ?
rootfs->mount : "");
+- if (ret < 0 || ret >= MAXPATHLEN)
++ if (ret < 0 || ret >= PATH_MAX)
+ return -1;
+
+ /* ignore, just don't try to fill in */
+@@ -1165,53 +1174,79 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
+ INFO("Populating \"/dev\"");
+
+ cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH);
+- for (i = 0; i < sizeof(lxc_devs) / sizeof(lxc_devs[0]); i++) {
+- const struct lxc_devs *d = _devs[i];
++ for (i = 0; i < sizeof(lxc_devices) / sizeof(lxc_devices[0]); i++) {
++ char hostpath[PATH_MAX];
++ const struct lxc_device_node *device = _devices[i];
+
+- ret = snprintf(path, MAXPATHLEN, "%s/dev/%s",
+- rootfs->path ? rootfs->mount : "", d->name);
+- if (ret < 0 || ret >= MAXPATHLEN)
++ ret =