[lxc-devel] [lxc/lxc] 330cbe: preserve inherited fds for stop hook

2016-01-11 Thread GitHub
  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 330cbe36d86bbddff698cb35d38cc475db4d422d
  https://github.com/lxc/lxc/commit/330cbe36d86bbddff698cb35d38cc475db4d422d
  Author: Serge Hallyn 
  Date:   2016-01-11 (Mon, 11 Jan 2016)

  Changed paths:
M src/lxc/start.c

  Log Message:
  ---
  preserve inherited fds for stop hook

When preserving fds for the stop hook, make sure to also save
any fds we've inherited.

Signed-off-by: Serge Hallyn 


  Commit: 52ba9c5400886e9a2a66c3a42d6001437bfa978d
  https://github.com/lxc/lxc/commit/52ba9c5400886e9a2a66c3a42d6001437bfa978d
  Author: Stéphane Graber 
  Date:   2016-01-12 (Tue, 12 Jan 2016)

  Changed paths:
M src/lxc/start.c

  Log Message:
  ---
  Merge pull request #761 from hallyn/2016-01-11/preservens.1

preserve inherited fds for stop hook


Compare: https://github.com/lxc/lxc/compare/ffe344373e5d...52ba9c540088
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/lxc] 3db8dd: bash completion: the 'have' command was deprecated...

2016-01-11 Thread GitHub
  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 3db8dd39a797f87f8b348f1b6b44953a25f3f170
  https://github.com/lxc/lxc/commit/3db8dd39a797f87f8b348f1b6b44953a25f3f170
  Author: Peter Simons 
  Date:   2016-01-11 (Mon, 11 Jan 2016)

  Changed paths:
M config/bash/lxc.in

  Log Message:
  ---
  bash completion: the 'have' command was deprecated in favor of '_have'

`bash-completion` version 2.1 and later no longer include the `have` command,
and consequently the `lxc` completion file fails on such systems. The command is
now called `_have`.

Signed-off-by: Peter Simons 


  Commit: 4dbfaf3084456a8c373094f4eb708224dd739390
  https://github.com/lxc/lxc/commit/4dbfaf3084456a8c373094f4eb708224dd739390
  Author: Stéphane Graber 
  Date:   2016-01-12 (Tue, 12 Jan 2016)

  Changed paths:
M config/bash/lxc.in

  Log Message:
  ---
  Merge pull request #750 from peti/patch-1

bash completion: the 'have' command was deprecated in favor of '_have'


Compare: https://github.com/lxc/lxc/compare/63ecff35779d...4dbfaf308445


[lxc-devel] [lxc/lxc] 15a90a: copy_storage: try to use snapshot for btrfs

2016-01-11 Thread GitHub
  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 15a90a10d90b7722db66b7622b47344e1ccad97d
  https://github.com/lxc/lxc/commit/15a90a10d90b7722db66b7622b47344e1ccad97d
  Author: Serge Hallyn 
  Date:   2016-01-11 (Mon, 11 Jan 2016)

  Changed paths:
M src/lxc/lxccontainer.c

  Log Message:
  ---
  copy_storage: try to use snapshot for btrfs

Signed-off-by: Serge Hallyn 


  Commit: 63ecff35779d8102a69a54eb5d2eba69d210b5e7
  https://github.com/lxc/lxc/commit/63ecff35779d8102a69a54eb5d2eba69d210b5e7
  Author: Stéphane Graber 
  Date:   2016-01-12 (Tue, 12 Jan 2016)

  Changed paths:
M src/lxc/lxccontainer.c

  Log Message:
  ---
  Merge pull request #760 from hallyn/2016-01-11/btrfs

copy_storage: try to use snapshot for btrfs


Compare: https://github.com/lxc/lxc/compare/52ba9c540088...63ecff35779d


[lxc-devel] Errored: lxc/lxc#1507 (master - ffe3443)

2016-01-11 Thread Travis CI
Build Update for lxc/lxc
-

Build: #1507
Status: Errored

Duration: 1 minute and 3 seconds
Commit: ffe3443 (master)
Author: Serge Hallyn
Message: Set the right variable to NULL when unsetting ipv6_gateway

We were freeing one and setting a different one to NULL, eventually
leading to a crash when closing the netdev (at container shutdown)
and freeing already-freed memory.

Closes #732

Signed-off-by: Serge Hallyn 

View the changeset: 
https://github.com/lxc/lxc/compare/c7ec3de8256c...ffe344373e5d

View the full build log and details: 
https://travis-ci.org/lxc/lxc/builds/101740066



[lxc-devel] [lxc/lxc] ffe344: Set the right variable to NULL when unsetting ipv6...

2016-01-11 Thread GitHub
  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: ffe344373e5d2b9f2be517f138bf42f9c7d0ca20
  https://github.com/lxc/lxc/commit/ffe344373e5d2b9f2be517f138bf42f9c7d0ca20
  Author: Serge Hallyn 
  Date:   2016-01-11 (Mon, 11 Jan 2016)

  Changed paths:
M src/lxc/confile.c

  Log Message:
  ---
  Set the right variable to NULL when unsetting ipv6_gateway

We were freeing one and setting a different one to NULL, eventually
leading to a crash when closing the netdev (at container shutdown)
and freeing already-freed memory.

Closes #732

Signed-off-by: Serge Hallyn 




[lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor

2016-01-11 Thread Bogdan Purcareata
The safe_mount primitive will mount the fs in the new container
environment by using file descriptors referred in /proc/self/fd.
However, when the mounted filesystem is proc itself, it will have
been previously unmounted, therefore resulting in an error when
searching for these file descriptors. This only happens when there's
no container rootfs prefix (commonly with lxc-execute).

Implement the support for this use case as well, by doing the mount
based on the full path.

Refactor the whole function in order to remove duplicated code checks
and improve readability.

Changes since v1:
- In order to address CVE-2015-1335, still check if the destination is
not a symlink. Do the mount only if the destination file descriptor
exists.

Signed-off-by: Bogdan Purcareata 
---
 src/lxc/utils.c | 49 -
 1 file changed, 28 insertions(+), 21 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index d9e769d..c53711a 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1644,9 +1644,9 @@ out:
 int safe_mount(const char *src, const char *dest, const char *fstype,
unsigned long flags, const void *data, const char *rootfs)
 {
-   int srcfd = -1, destfd, ret, saved_errno;
+   int srcfd = -1, destfd = -1, ret = 0;
char srcbuf[50], destbuf[50]; // only needs enough for 
/proc/self/fd/
-   const char *mntsrc = src;
+   const char *mntsrc = src, *mntdest = dest;
 
if (!rootfs)
rootfs = "";
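Review bot: with `saved_errno` dropped from the declaration line, nothing preserves `errno` across cleanup any more. The old code restored it after its `close()` calls, while the new `out_dest`/`out_src` labels close the descriptors after a failed `mount()` and then return, so a caller that inspects `errno` can see a value set by `close()`. Consider keeping `saved_errno` and restoring it just before `return ret;`.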
@@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, const 
char *fstype,
if (flags & MS_BIND && src && src[0] != '/') {
INFO("this is a relative bind mount");
srcfd = open_without_symlink(src, NULL);
-   if (srcfd < 0)
-   return srcfd;
+   if (srcfd < 0) {
+   ret = srcfd;
+   goto out;
+   }
ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd);
if (ret < 0 || ret > 50) {
-   close(srcfd);
ERROR("Out of memory");
-   return -EINVAL;
+   ret = -EINVAL;
+   goto out_src;
}
mntsrc = srcbuf;
}
 
destfd = open_without_symlink(dest, rootfs);
if (destfd < 0) {
-   if (srcfd != -1)
-   close(srcfd);
-   return destfd;
+   ret = destfd;
+   goto out_src;
}
 
ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
if (ret < 0 || ret > 50) {
-   if (srcfd != -1)
-   close(srcfd);
-   close(destfd);
ERROR("Out of memory");
-   return -EINVAL;
+   ret = -EINVAL;
+   goto out_dest;
}
 
-   ret = mount(mntsrc, destbuf, fstype, flags, data);
-   saved_errno = errno;
-   if (srcfd != -1)
-   close(srcfd);
-   close(destfd);
+   /* make sure the destination descriptor exists */
+   if (access(destbuf, F_OK) == 0)
+   mntdest = destbuf;
+
+   ret = mount(mntsrc, mntdest, fstype, flags, data);
if (ret < 0) {
-   errno = saved_errno;
SYSERROR("Failed to mount %s onto %s", src, dest);
-   return ret;
+   goto out_dest;
}
 
-   return 0;
+   ret = 0;
+
+out_dest:
+   if (destfd > 0)
+   close(destfd);
+out_src:
+   if (srcfd > 0)
+   close(srcfd);
+out:
+   return ret;
 }
 
 /*
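Review bot: the `access(destbuf, F_OK)` test before `mount()` fails open. Whenever `/proc/self/fd/N` cannot be reached, `mntdest` stays at the caller's `dest` path and `mount()` resolves that path again, so the symlink check done by `open_without_symlink()` no longer binds to what actually gets mounted over. Limit the path fallback to the specific proc case the commit message describes and return an error in every other case. In the cleanup labels, `destfd > 0` and `srcfd > 0` also skip descriptor 0, which is a valid descriptor; use `>= 0`.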
-- 
1.9.1



[lxc-devel] [PATCH] fix lockpath removal in Python lxc-ls

2016-01-11 Thread Christian Brauner
The lock path for lxc is not

RUNTIME_PATH/lock/lxc

but rather

RUNTIME_PATH/lxc/lock

Signed-off-by: Christian Brauner 
---
 src/lxc/lxc-ls.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in
index dc2b2ba..b83ee73 100755
--- a/src/lxc/lxc-ls.in
+++ b/src/lxc/lxc-ls.in
@@ -392,7 +392,7 @@ def get_containers(fd=None, base="/", root=False):
 else:
 def clear_lock():
 try:
-lock_path = "%s/lock/lxc/%s/%s" % (RUNTIME_PATH,
+lock_path = "%s/lxc/lock/%s/%s" % (RUNTIME_PATH,
path,
entry['name'])
 if os.path.exists(lock_path):
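Review bot: the lock directory layout is still spelled out as a literal in the `lock_path` format string, which is how it drifted from the real `RUNTIME_PATH/lxc/lock` location; add a comment naming where that layout is defined, or take it from one shared constant. The `os.path.exists(lock_path)` test on the last context line is also a check-then-act on a path built from `path` and `entry['name']`; since the code is already inside `try:`, doing the removal directly and handling the error closes that gap.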
-- 
2.7.0



Re: [lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor

2016-01-11 Thread Serge Hallyn
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com):
> The safe_mount primitive will mount the fs in the new container
> environment by using file descriptors referred in /proc/self/fd.
> However, when the mounted filesystem is proc itself, it will have
> been previously unmounted, therefore resulting in an error when
> searching for these file descriptors. This only happens when there's
> no container rootfs prefix (commonly with lxc-execute).
> 
> Implement the support for this use case as well, by doing the mount
> based on the full path.
> 
> Refactor the whole function in order to remove duplicated code checks
> and improve readability.
> 
> Changes since v1:
> - In order to address CVE-2015-1335, still check if the destination is
> not a symlink. Do the mount only if the destination file descriptor
> exists.
> 
> Signed-off-by: Bogdan Purcareata 
> ---
>  src/lxc/utils.c | 49 -
>  1 file changed, 28 insertions(+), 21 deletions(-)
> 
> diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> index d9e769d..c53711a 100644
> --- a/src/lxc/utils.c
> +++ b/src/lxc/utils.c
> @@ -1644,9 +1644,9 @@ out:
>  int safe_mount(const char *src, const char *dest, const char *fstype,
>   unsigned long flags, const void *data, const char *rootfs)
>  {
> - int srcfd = -1, destfd, ret, saved_errno;
> + int srcfd = -1, destfd = -1, ret = 0;
>   char srcbuf[50], destbuf[50]; // only needs enough for 
> /proc/self/fd/
> - const char *mntsrc = src;
> + const char *mntsrc = src, *mntdest = dest;
>  
>   if (!rootfs)
>   rootfs = "";
> @@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, 
> const char *fstype,
>   if (flags & MS_BIND && src && src[0] != '/') {
>   INFO("this is a relative bind mount");
>   srcfd = open_without_symlink(src, NULL);
> - if (srcfd < 0)
> - return srcfd;
> + if (srcfd < 0) {
> + ret = srcfd;
> + goto out;
> + }
>   ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd);
>   if (ret < 0 || ret > 50) {
> - close(srcfd);
>   ERROR("Out of memory");
> - return -EINVAL;
> + ret = -EINVAL;
> + goto out_src;
>   }
>   mntsrc = srcbuf;
>   }
>  
>   destfd = open_without_symlink(dest, rootfs);
>   if (destfd < 0) {
> - if (srcfd != -1)
> - close(srcfd);
> - return destfd;
> + ret = destfd;
> + goto out_src;
>   }
>  
>   ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
>   if (ret < 0 || ret > 50) {
> - if (srcfd != -1)
> - close(srcfd);
> - close(destfd);
>   ERROR("Out of memory");
> - return -EINVAL;
> + ret = -EINVAL;
> + goto out_dest;
>   }
>  
> - ret = mount(mntsrc, destbuf, fstype, flags, data);
> - saved_errno = errno;
> - if (srcfd != -1)
> - close(srcfd);
> - close(destfd);
> + /* make sure the destination descriptor exists */
> + if (access(destbuf, F_OK) == 0)
> + mntdest = destbuf;
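
Review bot: the truncation checks kept as context around both `snprintf` calls use `ret > 50`, but `snprintf` returns the length it wanted to write without the terminating NUL, so a return of exactly 50 is already truncated. Since the whole function is being refactored, change them to `ret >= sizeof(srcbuf)` and `ret >= sizeof(destbuf)`, and replace the "Out of memory" message, which does not describe a formatting failure.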

First, if we're going to shortcut I'd prefer to say "if /proc/self
does not exist then skip this check" for now.

But can we think of any way to still do this check?

What exactly are the cases?

1. lxc-execute, lxc-init tries to mount /proc.  We should be able
to simply have lxc always mount /proc before the pivot_root, so
we can properly do this check.

what use-cases will break if we demand /proc to exist in the
container?  (We can add an option to umount /proc in lxc-init,
but the directory would have to exist)

2. lxc.rootfs unset.  In this case we're trusting the *host* admin
to not have messed with /proc to make it a symlink, if we can't
trust that we're out of luck.  Other paths are not the same (since
parts of the rootfs could be bind-mounted from container-owned
dirs) so we should check those.  But so for this check we should
simply explicitly check for "/proc".  Doing a more roundabout
check may leave us open to subtle different attacks.  In particular
I imagine there are other ways to make /proc/self/fd/N not
access-able, and you are, in that case, re-introducing the TOCTTOU -
the attacker could try to quickly insert the symlink after our
checks and before the real mount().

> + ret = mount(mntsrc, mntdest, fstype, flags, data);
>   if (ret < 0) {
> - errno = saved_errno;
>   SYSERROR("Failed to mount %s onto %s", src, dest);
> - return ret;
> + goto out_dest;
>   }
>  
> - return 0;
> + ret = 0;
> +
> +out_dest:
> + if (destfd > 0)

These should be >= 0 (here and below) right?

> +