[lxc-devel] [lxc/lxc] 330cbe: preserve inherited fds for stop hook
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 330cbe36d86bbddff698cb35d38cc475db4d422d
https://github.com/lxc/lxc/commit/330cbe36d86bbddff698cb35d38cc475db4d422d
Author: Serge Hallyn
Date: 2016-01-11 (Mon, 11 Jan 2016)
Changed paths: M src/lxc/start.c
Log Message:
---
preserve inherited fds for stop hook

When preserving fds for the stop hook, make sure to also save any fds we've inherited.

Signed-off-by: Serge Hallyn

Commit: 52ba9c5400886e9a2a66c3a42d6001437bfa978d
https://github.com/lxc/lxc/commit/52ba9c5400886e9a2a66c3a42d6001437bfa978d
Author: Stéphane Graber
Date: 2016-01-12 (Tue, 12 Jan 2016)
Changed paths: M src/lxc/start.c
Log Message:
---
Merge pull request #761 from hallyn/2016-01-11/preservens.1

preserve inherited fds for stop hook

Compare: https://github.com/lxc/lxc/compare/ffe344373e5d...52ba9c540088
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 3db8dd: bash completion: the 'have' command was deprecated...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 3db8dd39a797f87f8b348f1b6b44953a25f3f170
https://github.com/lxc/lxc/commit/3db8dd39a797f87f8b348f1b6b44953a25f3f170
Author: Peter Simons
Date: 2016-01-11 (Mon, 11 Jan 2016)
Changed paths: M config/bash/lxc.in
Log Message:
---
bash completion: the 'have' command was deprecated in favor of '_have'

`bash-completion` version 2.1 and later no longer include the `have` command, and consequently the `lxc` completion file fails on such systems. The command is now called `_have`.

Signed-off-by: Peter Simons

Commit: 4dbfaf3084456a8c373094f4eb708224dd739390
https://github.com/lxc/lxc/commit/4dbfaf3084456a8c373094f4eb708224dd739390
Author: Stéphane Graber
Date: 2016-01-12 (Tue, 12 Jan 2016)
Changed paths: M config/bash/lxc.in
Log Message:
---
Merge pull request #750 from peti/patch-1

bash completion: the 'have' command was deprecated in favor of '_have'

Compare: https://github.com/lxc/lxc/compare/63ecff35779d...4dbfaf308445
[lxc-devel] [lxc/lxc] 15a90a: copy_storage: try to use snapshot for btrfs
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 15a90a10d90b7722db66b7622b47344e1ccad97d
https://github.com/lxc/lxc/commit/15a90a10d90b7722db66b7622b47344e1ccad97d
Author: Serge Hallyn
Date: 2016-01-11 (Mon, 11 Jan 2016)
Changed paths: M src/lxc/lxccontainer.c
Log Message:
---
copy_storage: try to use snapshot for btrfs

Signed-off-by: Serge Hallyn

Commit: 63ecff35779d8102a69a54eb5d2eba69d210b5e7
https://github.com/lxc/lxc/commit/63ecff35779d8102a69a54eb5d2eba69d210b5e7
Author: Stéphane Graber
Date: 2016-01-12 (Tue, 12 Jan 2016)
Changed paths: M src/lxc/lxccontainer.c
Log Message:
---
Merge pull request #760 from hallyn/2016-01-11/btrfs

copy_storage: try to use snapshot for btrfs

Compare: https://github.com/lxc/lxc/compare/52ba9c540088...63ecff35779d
[lxc-devel] Errored: lxc/lxc#1507 (master - ffe3443)
Build Update for lxc/lxc
Build: #1507
Status: Errored
Duration: 1 minute and 3 seconds
Commit: ffe3443 (master)
Author: Serge Hallyn
Message: Set the right variable to NULL when unsetting ipv6_gateway

We were freeing one and setting a different one to NULL, eventually leading to a crash when closing the netdev (at container shutdown) and freeing already-freed memory.

Closes #732

Signed-off-by: Serge Hallyn

View the changeset: https://github.com/lxc/lxc/compare/c7ec3de8256c...ffe344373e5d
View the full build log and details: https://travis-ci.org/lxc/lxc/builds/101740066
[lxc-devel] [lxc/lxc] ffe344: Set the right variable to NULL when unsetting ipv6...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: ffe344373e5d2b9f2be517f138bf42f9c7d0ca20
https://github.com/lxc/lxc/commit/ffe344373e5d2b9f2be517f138bf42f9c7d0ca20
Author: Serge Hallyn
Date: 2016-01-11 (Mon, 11 Jan 2016)
Changed paths: M src/lxc/confile.c
Log Message:
---
Set the right variable to NULL when unsetting ipv6_gateway

We were freeing one and setting a different one to NULL, eventually leading to a crash when closing the netdev (at container shutdown) and freeing already-freed memory.

Closes #732

Signed-off-by: Serge Hallyn
[lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor
The safe_mount primitive will mount the fs in the new container environment by using file descriptors referred in /proc/self/fd. However, when the mounted filesystem is proc itself, it will have been previously unmounted, therefore resulting in an error when searching for these file descriptors. This only happens when there's no container rootfs prefix (commonly with lxc-execute). Implement the support for this use case as well, by doing the mount based on the full path. Refactor the whole function in order to remove duplicated code checks and improve readability. Changes since v1: - In order to address CVE-2015-1335, still check if the destination is not a symlink. Do the mount only if the destination file descriptor exists. Signed-off-by: Bogdan Purcareata--- src/lxc/utils.c | 49 - 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index d9e769d..c53711a 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1644,9 +1644,9 @@ out: int safe_mount(const char *src, const char *dest, const char *fstype, unsigned long flags, const void *data, const char *rootfs) { - int srcfd = -1, destfd, ret, saved_errno; + int srcfd = -1, destfd = -1, ret = 0; char srcbuf[50], destbuf[50]; // only needs enough for /proc/self/fd/ - const char *mntsrc = src; + const char *mntsrc = src, *mntdest = dest; if (!rootfs) rootfs = ""; 
@@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, const char *fstype, if (flags & MS_BIND && src && src[0] != '/') { INFO("this is a relative bind mount"); srcfd = open_without_symlink(src, NULL); - if (srcfd < 0) - return srcfd; + if (srcfd < 0) { + ret = srcfd; + goto out; + } ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); if (ret < 0 || ret > 50) { - close(srcfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_src; } mntsrc = srcbuf; } destfd = open_without_symlink(dest, rootfs); if (destfd < 0) { - if (srcfd != -1) - close(srcfd); - return destfd; + ret = destfd; + goto out_src; } ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); if (ret < 0 || ret > 50) { - if (srcfd != -1) - close(srcfd); - close(destfd); ERROR("Out of memory"); - return -EINVAL; + ret = -EINVAL; + goto out_dest; } - ret = mount(mntsrc, destbuf, fstype, flags, data); - saved_errno = errno; - if (srcfd != -1) - close(srcfd); - close(destfd); + /* make sure the destination descriptor exists */ + if (access(destbuf, F_OK) == 0) + mntdest = destbuf; + + ret = mount(mntsrc, mntdest, fstype, flags, data); if (ret < 0) { - errno = saved_errno; SYSERROR("Failed to mount %s onto %s", src, dest); - return ret; + goto out_dest; } - return 0; + ret = 0; + +out_dest: + if (destfd > 0) + close(destfd); +out_src: + if (srcfd > 0) + close(srcfd); +out: + return ret; } /* -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
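Review bot: in the second hunk, the `access(destbuf, F_OK)` test lets `mount()` fall back to the plain `dest` path whenever `/proc/self/fd/<destfd>` cannot be reached, for any destination and not only for proc, so the symlink check done by `open_without_symlink()` no longer covers the object that is actually mounted and a window opens between the open and the `mount()`. Consider restricting the path-based mount to the proc case the commit message describes and returning an error otherwise. In the cleanup labels, `if (destfd > 0)` and `if (srcfd > 0)` skip descriptor 0, which is a valid fd; `>= 0` would match the `-1` initialisers. With `saved_errno` removed, the `close()` calls under `out_dest` and `out_src` can overwrite the `errno` left by a failed `mount()` or `open_without_symlink()` before the caller reads it.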
[lxc-devel] [PATCH] fix lockpath removal in Python lxc-ls
The lock path for lxc is not RUNTIME_PATH/lock/lxc but rather RUNTIME_PATH/lxc/lock Signed-off-by: Christian Brauner--- src/lxc/lxc-ls.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in index dc2b2ba..b83ee73 100755 --- a/src/lxc/lxc-ls.in +++ b/src/lxc/lxc-ls.in @@ -392,7 +392,7 @@ def get_containers(fd=None, base="/", root=False): else: def clear_lock(): try: -lock_path = "%s/lock/lxc/%s/%s" % (RUNTIME_PATH, +lock_path = "%s/lxc/lock/%s/%s" % (RUNTIME_PATH, path, entry['name']) if os.path.exists(lock_path): -- 2.7.0 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
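Review bot: the corrected format string on the `lock_path` line still hard-codes the `lxc/lock` layout as a literal inside lxc-ls, so a short comment naming where the lock directory is defined would help keep the two in step. The commit message could also state the effect of the old value: `os.path.exists(lock_path)` was testing a location the message says is not the lock path, so the check below it presumably never matched and the cleanup this function is meant to do was skipped.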
Re: [lxc-devel] [PATCH v2] safe_mount: Handle mounting proc and refactor
Quoting Bogdan Purcareata (bogdan.purcare...@nxp.com): > The safe_mount primitive will mount the fs in the new container > environment by using file descriptors referred in /proc/self/fd. > However, when the mounted filesystem is proc itself, it will have > been previously unmounted, therefore resulting in an error when > searching for these file descriptors. This only happens when there's > no container rootfs prefix (commonly with lxc-execute). > > Implement the support for this use case as well, by doing the mount > based on the full path. > > Refactor the whole function in order to remove duplicated code checks > and improve readability. > > Changes since v1: > - In order to address CVE-2015-1335, still check if the destination is > not a symlink. Do the mount only if the destination file descriptor > exists. > > Signed-off-by: Bogdan Purcareata> --- > src/lxc/utils.c | 49 - > 1 file changed, 28 insertions(+), 21 deletions(-) > > diff --git a/src/lxc/utils.c b/src/lxc/utils.c > index d9e769d..c53711a 100644 > --- a/src/lxc/utils.c > +++ b/src/lxc/utils.c > @@ -1644,9 +1644,9 @@ out: > int safe_mount(const char *src, const char *dest, const char *fstype, > unsigned long flags, const void *data, const char *rootfs) > { > - int srcfd = -1, destfd, ret, saved_errno; > + int srcfd = -1, destfd = -1, ret = 0; > char srcbuf[50], destbuf[50]; // only needs enough for > /proc/self/fd/ > - const char *mntsrc = src; > + const char *mntsrc = src, *mntdest = dest; > > if (!rootfs) > rootfs = ""; 
> @@ -1655,45 +1655,52 @@ int safe_mount(const char *src, const char *dest, > const char *fstype, > if (flags & MS_BIND && src && src[0] != '/') { > INFO("this is a relative bind mount"); > srcfd = open_without_symlink(src, NULL); > - if (srcfd < 0) > - return srcfd; > + if (srcfd < 0) { > + ret = srcfd; > + goto out; > + } > ret = snprintf(srcbuf, 50, "/proc/self/fd/%d", srcfd); > if (ret < 0 || ret > 50) { > - close(srcfd); > ERROR("Out of memory"); > - return -EINVAL; > + ret = -EINVAL; > + goto out_src; > } > mntsrc = srcbuf; > } > > destfd = open_without_symlink(dest, rootfs); > if (destfd < 0) { > - if (srcfd != -1) > - close(srcfd); > - return destfd; > + ret = destfd; > + goto out_src; > } > > ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd); > if (ret < 0 || ret > 50) { > - if (srcfd != -1) > - close(srcfd); > - close(destfd); > ERROR("Out of memory"); > - return -EINVAL; > + ret = -EINVAL; > + goto out_dest; > } > > - ret = mount(mntsrc, destbuf, fstype, flags, data); > - saved_errno = errno; > - if (srcfd != -1) > - close(srcfd); > - close(destfd); > + /* make sure the destination descriptor exists */ > + if (access(destbuf, F_OK) == 0) > + mntdest = destbuf;

First, if we're going to shortcut I'd prefer to say "if /proc/self does not exist then skip this check" for now. But can we think of any way to still do this check? What exactly are the cases?

1. lxc-execute, lxc-init tries to mount /proc. We should be able to simply have lxc always mount /proc before the pivot_root, so we can properly do this check. What use-cases will break if we demand /proc to exist in the container? (We can add an option to umount /proc in lxc-init, but the directory would have to exist)

2. lxc.rootfs unset. In this case we're trusting the *host* admin to not have messed with /proc to make it a symlink, if we can't trust that we're out of luck.
Other paths are not the same (since parts of the rootfs could be bind-mounted from container-owned dirs) so we should check those. But so for this check we should simply explicitly check for "/proc". Doing a more roundabout check may leave us open to subtly different attacks. In particular I imagine there are other ways to make /proc/self/fd/N not accessible, and you are, in that case, re-introducing the TOCTTOU - the attacker could try to quickly insert the symlink after our checks and before the real mount().

> + ret = mount(mntsrc, mntdest, fstype, flags, data); > if (ret < 0) { > - errno = saved_errno; > SYSERROR("Failed to mount %s onto %s", src, dest); > - return ret; > + goto out_dest; > } > > - return 0; > + ret = 0; > + > +out_dest: > + if (destfd > 0)

These should be >= 0 (here and below) right?

> +
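The pattern under discussion in the review above (open the destination without following symlinks, mount through /proc/self/fd/N, and allow a path-based mount only for a literal /proc), as an added C sketch that is not part of the thread and is not LXC's code. `open_nofollow_walk` and `pick_mount_target` are hypothetical names, and the /proc-only exception is an assumption taken from the review comment.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not LXC's open_without_symlink(): open each component
 * of `path` below `rootfd` with O_NOFOLLOW, so a symlink anywhere gives
 * -ELOOP. Returns an fd (>= 0; 0 is a valid descriptor) or -errno. */
int open_nofollow_walk(int rootfd, const char *path)
{
	char *copy = strdup(path), *save = NULL, *comp;
	int cur = dup(rootfd), next, err = 0;

	if (!copy || cur < 0)
		err = cur < 0 ? -errno : -ENOMEM;
	for (comp = copy ? strtok_r(copy, "/", &save) : NULL; comp && !err;
	     comp = strtok_r(NULL, "/", &save)) {
		if (strcmp(comp, "..") == 0) {	/* never step above rootfd */
			err = -EINVAL;
			break;
		}
		next = openat(cur, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
		if (next < 0)
			err = -errno;	/* save errno before close() */
		close(cur);
		cur = next;
	}
	free(copy);
	if (err && cur >= 0)
		close(cur);
	return err ? err : cur;
}

/* Assumed policy from the review: only the literal "/proc" with an empty
 * rootfs is mounted by path; anything else must go through
 * /proc/self/fd/<destfd> or fail (NULL), never fall back to the path. */
const char *pick_mount_target(const char *dest, const char *rootfs,
			      int destfd, char *buf, size_t len)
{
	int n;
	if (rootfs[0] == '\0' && strcmp(dest, "/proc") == 0)
		return dest;
	n = snprintf(buf, len, "/proc/self/fd/%d", destfd);
	if (n < 0 || (size_t)n >= len || access(buf, F_OK) != 0)
		return NULL;
	return buf;
}
```

A caller would pass the returned string as the target of mount(2) and close the descriptor afterwards, treating NULL as a hard failure.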