diff --git a/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch b/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch deleted file mode 100644 index 2f81fb7..0000000 --- a/debian/patches/extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Fri, 4 Jan 2019 12:05:49 +0100 -Subject: [PATCH] conf: use SYSERROR on lxc_write_to_file errors - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/conf.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 3d0e4a192..0d86d66e5 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -2681,8 +2681,8 @@ int setup_sysctl_parameters(struct lxc_list *sysctls) - ret = lxc_write_to_file(filename, elem->value, - strlen(elem->value), false, 0666); - if (ret < 0) { -- ERROR("Failed to setup sysctl parameters %s to %s", -- elem->key, elem->value); -+ SYSERROR("Failed to setup sysctl parameters %s to %s", -+ elem->key, elem->value); - return -1; - } - } -@@ -2716,8 +2716,8 @@ int setup_proc_filesystem(struct lxc_list *procs, pid_t pid) - ret = lxc_write_to_file(filename, elem->value, - strlen(elem->value), false, 0666); - if (ret < 0) { -- ERROR("Failed to setup proc filesystem %s to %s", -- elem->filename, elem->value); -+ SYSERROR("Failed to setup proc filesystem %s to %s", -+ elem->filename, elem->value); - return -1; - } - } --- -2.20.1 - diff --git a/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch b/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch deleted file mode 100644 index 013a851..0000000 --- a/debian/patches/extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Thu, 17 Jan 2019 09:16:16 +0100 -Subject: [PATCH] Revert "conf: remove extra MS_BIND with sysfs:mixed" - -This reverts commit 51a922baf724689ff3a0df938ca8975601c9c815. - -The above commit confuses the mountall unit of privileged -Ubuntu 14.04 containers at startup so that they cannot -finish booting. - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/conf.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index 0d86d66e5..7263d0e1a 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -690,6 +690,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, -+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL }, - { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL }, --- -2.20.1 - diff --git a/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch b/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch deleted file mode 100644 index 24c34e2..0000000 --- a/debian/patches/extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch +++ /dev/null @@ -1,403 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Christian Brauner -Date: Sat, 26 Jan 2019 01:19:29 +0100 -Subject: [PATCH] CVE-2019-5736 (runC): rexec callers as memfd -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the -runC host binary from inside a privileged runC container. As a result, this -could be exploited to gain root access on the host. runC is used as the default -runtime for containers with Docker, containerd, Podman, and CRI-O. - -The attack can be made when attaching to a running container or when starting a -container running a specially crafted image. For example, when runC attaches -to a container the attacker can trick it into executing itself. This could be -done by replacing the target binary inside the container with a custom binary -pointing back at the runC binary itself. As an example, if the target binary -was /bin/bash, this could be replaced with an executable script specifying the -interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created -by the kernel for every process which points to the binary that was executed -for that process). As such when /bin/bash is executed inside the container, -instead the target of /proc/self/exe will be executed - which will point to the -runc binary on the host. The attacker can then proceed to write to the target -of /proc/self/exe to try and overwrite the runC binary on the host. However in -general, this will not succeed as the kernel will not permit it to be -overwritten whilst runC is executing. To overcome this, the attacker can -instead open a file descriptor to /proc/self/exe using the O_PATH flag and then -proceed to reopen the binary as O_WRONLY through /proc/self/fd/ and try to -write to it in a busy loop from a separate process. Ultimately it will succeed -when the runC binary exits. After this the runC binary is compromised and can -be used to attack other containers or the host itself. - -This attack is only possible with privileged containers since it requires root -privilege on the host to overwrite the runC binary. Unprivileged containers -with a non-identity ID mapping do not have the permission to write to the host -binary and therefore are unaffected by this attack. - -LXC is also impacted in a similar manner by this vulnerability, however as the -LXC project considers privileged containers to be unsafe no CVE has been -assigned for this issue for LXC. Quoting from the -https://linuxcontainers.org/lxc/security/ project's Security information page: - -"As privileged containers are considered unsafe, we typically will not consider -new container escape exploits to be security issues worthy of a CVE and quick -fix. We will however try to mitigate those issues so that accidental damage to -the host is prevented." - -To prevent this attack, LXC has been patched to create a temporary copy of the -calling binary itself when it starts or attaches to containers. To do this LXC -creates an anonymous, in-memory file using the memfd_create() system call and -copies itself into the temporary in-memory file, which is then sealed to -prevent further modifications. LXC then executes this sealed, in-memory file -instead of the original on-disk binary. Any compromising write operations from -a privileged container to the host LXC binary will then write to the temporary -in-memory binary and not to the host binary on-disk, preserving the integrity -of the host LXC binary. Also as the temporary, in-memory LXC binary is sealed, -writes to this will also fail. - -Note: memfd_create() was added to the Linux kernel in the 3.17 release. - -Signed-off-by: Christian Brauner -Co-Developed-by: Alesa Sarai -Acked-by: Serge Hallyn -Signed-off-by: Christian Brauner -(cherry picked from commit 6400238d08cdf1ca20d49bafb85f4e224348bf9d) ---- - configure.ac | 12 +++ - src/lxc/Makefile.am | 4 + - src/lxc/file_utils.c | 41 ++++++++- - src/lxc/file_utils.h | 1 + - src/lxc/rexec.c | 181 +++++++++++++++++++++++++++++++++++++ - src/lxc/syscall_wrappers.h | 14 +++ - 6 files changed, 252 insertions(+), 1 deletion(-) - create mode 100644 src/lxc/rexec.c - -diff --git a/configure.ac b/configure.ac -index 9f3b8fb3c..3177f7da3 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -727,6 +727,17 @@ AM_COND_IF([ENABLE_DLOG], - ]) - ]) - -+AC_ARG_ENABLE([memfd-rexec], -+ [AC_HELP_STRING([--enable-memfd-rexec], [enforce liblxc as a memfd to protect against certain symlink attacks [default=yes]])], -+ [], [enable_memfd_rexec=yes]) -+AM_CONDITIONAL([ENFORCE_MEMFD_REXEC], [test "x$enable_memfd_rexec" = "xyes"]) -+if test "x$enable_memfd_rexec" = "xyes"; then -+ AC_DEFINE([ENFORCE_MEMFD_REXEC], 1, [Rexec liblxc as memfd]) -+ AC_MSG_RESULT([yes]) -+else -+ AC_MSG_RESULT([no]) -+fi -+ - # Files requiring some variable expansion - AC_CONFIG_FILES([ - Makefile -@@ -956,6 +967,7 @@ Security features: - - Linux capabilities: $enable_capabilities - - seccomp: $enable_seccomp - - SELinux: $enable_selinux -+ - memfd rexec: $enable_memfd_rexec - - PAM: - - PAM module: $enable_pam -diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am -index 95b0a2f72..865d341fe 100644 ---- a/src/lxc/Makefile.am -+++ b/src/lxc/Makefile.am -@@ -175,6 +175,10 @@ if !HAVE_STRLCAT - liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h - endif - -+if ENFORCE_MEMFD_REXEC -+liblxc_la_SOURCES += rexec.c -+endif -+ - AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ - -DLXCPATH=\"$(LXCPATH)\" \ - -DLXC_GLOBAL_CONF=\"$(LXC_GLOBAL_CONF)\" \ -diff --git a/src/lxc/file_utils.c b/src/lxc/file_utils.c -index f89aa638d..930fd738a 100644 ---- a/src/lxc/file_utils.c -+++ b/src/lxc/file_utils.c -@@ -31,7 +31,7 @@ - #include "config.h" - #include "file_utils.h" - #include "macro.h" --#include "string.h" -+#include "string_utils.h" - - int lxc_write_to_file(const char *filename, const void *buf, size_t count, - bool add_newline, mode_t mode) -@@ -327,3 +327,42 @@ again: - - return ret; - } -+ -+char *file_to_buf(char *path, size_t *length) -+{ -+ int fd; -+ char buf[PATH_MAX]; -+ char *copy = NULL; -+ -+ if (!length) -+ return NULL; -+ -+ fd = open(path, O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ return NULL; -+ -+ *length = 0; -+ for (;;) { -+ int n; -+ char *old = copy; -+ -+ n = lxc_read_nointr(fd, buf, sizeof(buf)); -+ if (n < 0) -+ goto on_error; -+ if (!n) -+ break; -+ -+ copy = must_realloc(old, (*length + n) * sizeof(*old)); -+ memcpy(copy + *length, buf, n); -+ *length += n; -+ } -+ -+ close(fd); -+ return copy; -+ -+on_error: -+ close(fd); -+ free(copy); -+ -+ return NULL; -+} -diff --git a/src/lxc/file_utils.h b/src/lxc/file_utils.h -index 6361557a0..518a61af3 100644 ---- a/src/lxc/file_utils.h -+++ b/src/lxc/file_utils.h -@@ -55,5 +55,6 @@ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); - extern FILE *fopen_cloexec(const char *path, const char *mode); - extern ssize_t lxc_sendfile_nointr(int out_fd, int in_fd, off_t *offset, - size_t count); -+extern char *file_to_buf(char *path, size_t *length); - - #endif /* __LXC_FILE_UTILS_H */ -diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c -new file mode 100644 -index 000000000..396bd617f ---- /dev/null -+++ b/src/lxc/rexec.c -@@ -0,0 +1,181 @@ -+/* liblxcapi -+ * -+ * Copyright © 2019 Christian Brauner . -+ * Copyright © 2019 Canonical Ltd. -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2, as -+ * published by the Free Software Foundation. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License along -+ * with this program; if not, write to the Free Software Foundation, Inc., -+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+ */ -+ -+#ifndef _GNU_SOURCE -+#define _GNU_SOURCE 1 -+#endif -+#include -+#include -+#include -+#include -+ -+#include "config.h" -+#include "file_utils.h" -+#include "raw_syscalls.h" -+#include "string_utils.h" -+#include "syscall_wrappers.h" -+ -+#define LXC_MEMFD_REXEC_SEALS \ -+ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE) -+ -+static int push_vargs(char *data, int data_length, char ***output) -+{ -+ int num = 0; -+ char *cur = data; -+ -+ if (!data || *output) -+ return -1; -+ -+ *output = must_realloc(NULL, sizeof(**output)); -+ -+ while (cur < data + data_length) { -+ num++; -+ *output = must_realloc(*output, (num + 1) * sizeof(**output)); -+ -+ (*output)[num - 1] = cur; -+ cur += strlen(cur) + 1; -+ } -+ (*output)[num] = NULL; -+ return num; -+} -+ -+static int parse_exec_params(char ***argv, char ***envp) -+{ -+ int ret; -+ char *cmdline = NULL, *env = NULL; -+ size_t cmdline_size, env_size; -+ -+ cmdline = file_to_buf("/proc/self/cmdline", &cmdline_size); -+ if (!cmdline) -+ goto on_error; -+ -+ env = file_to_buf("/proc/self/environ", &env_size); -+ if (!env) -+ goto on_error; -+ -+ ret = push_vargs(cmdline, cmdline_size, argv); -+ if (ret <= 0) -+ goto on_error; -+ -+ ret = push_vargs(env, env_size, envp); -+ if (ret <= 0) -+ goto on_error; -+ -+ return 0; -+ -+on_error: -+ free(env); -+ free(cmdline); -+ -+ return -1; -+} -+ -+static int is_memfd(void) -+{ -+ int fd, saved_errno, seals; -+ -+ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ return -ENOTRECOVERABLE; -+ -+ seals = fcntl(fd, F_GET_SEALS); -+ saved_errno = errno; -+ close(fd); -+ errno = saved_errno; -+ if (seals < 0) -+ return -EINVAL; -+ -+ return seals == LXC_MEMFD_REXEC_SEALS; -+} -+ -+static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name) -+{ -+ int saved_errno; -+ ssize_t bytes_sent; -+ int fd = -1, memfd = -1; -+ -+ memfd = memfd_create(memfd_name, MFD_ALLOW_SEALING | MFD_CLOEXEC); -+ if (memfd < 0) -+ return; -+ -+ fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ goto on_error; -+ -+ /* sendfile() handles up to 2GB. */ -+ bytes_sent = lxc_sendfile_nointr(memfd, fd, NULL, LXC_SENDFILE_MAX); -+ saved_errno = errno; -+ close(fd); -+ errno = saved_errno; -+ if (bytes_sent < 0) -+ goto on_error; -+ -+ if (fcntl(memfd, F_ADD_SEALS, LXC_MEMFD_REXEC_SEALS)) -+ goto on_error; -+ -+ fexecve(memfd, argv, envp); -+ -+on_error: -+ saved_errno = errno; -+ close(memfd); -+ errno = saved_errno; -+} -+ -+static int lxc_rexec(const char *memfd_name) -+{ -+ int ret; -+ char **argv = NULL, **envp = NULL; -+ -+ ret = is_memfd(); -+ if (ret < 0 && ret == -ENOTRECOVERABLE) { -+ fprintf(stderr, -+ "%s - Failed to determine whether this is a memfd\n", -+ strerror(errno)); -+ return -1; -+ } else if (ret > 0) { -+ return 0; -+ } -+ -+ ret = parse_exec_params(&argv, &envp); -+ if (ret < 0) { -+ fprintf(stderr, -+ "%s - Failed to parse command line parameters\n", -+ strerror(errno)); -+ return -1; -+ } -+ -+ lxc_rexec_as_memfd(argv, envp, memfd_name); -+ fprintf(stderr, "%s - Failed to rexec as memfd\n", strerror(errno)); -+ return -1; -+} -+ -+/** -+ * This function will copy any binary that calls liblxc into a memory file and -+ * will use the memfd to rexecute the binary. This is done to prevent attacks -+ * through the /proc/self/exe symlink to corrupt the host binary when host and -+ * container are in the same user namespace or have set up an identity id -+ * mapping: CVE-2019-5736. -+ */ -+__attribute__((constructor)) static void liblxc_rexec(void) -+{ -+ if (lxc_rexec("liblxc")) { -+ fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n"); -+ _exit(EXIT_FAILURE); -+ } -+} -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h -index 42d94db28..dca4d1571 100644 ---- a/src/lxc/syscall_wrappers.h -+++ b/src/lxc/syscall_wrappers.h -@@ -58,6 +58,20 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3, - #define keyctl __keyctl - #endif - -+#ifndef F_LINUX_SPECIFIC_BASE -+#define F_LINUX_SPECIFIC_BASE 1024 -+#endif -+#ifndef F_ADD_SEALS -+#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9) -+#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10) -+#endif -+#ifndef F_SEAL_SEAL -+#define F_SEAL_SEAL 0x0001 -+#define F_SEAL_SHRINK 0x0002 -+#define F_SEAL_GROW 0x0004 -+#define F_SEAL_WRITE 0x0008 -+#endif -+ - #ifndef HAVE_MEMFD_CREATE - static inline int memfd_create(const char *name, unsigned int flags) { - #ifndef __NR_memfd_create --- -2.20.1 - diff --git a/debian/patches/extra/0005-attach-don-t-close-stdout-of-getent.patch b/debian/patches/extra/0005-attach-don-t-close-stdout-of-getent.patch deleted file mode 100644 index 02568fa..0000000 --- a/debian/patches/extra/0005-attach-don-t-close-stdout-of-getent.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Tue, 13 Aug 2019 14:17:30 +0200 -Subject: [PATCH] attach: don't close stdout of getent - -Signed-off-by: Wolfgang Bumiller ---- - src/lxc/attach.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index 8b34a412e..6075688c2 100644 ---- a/src/lxc/attach.c -+++ b/src/lxc/attach.c -@@ -488,7 +488,7 @@ static char *lxc_attach_getpwshell(uid_t uid) - close(STDERR_FILENO); - } else { - (void)dup3(fd, STDIN_FILENO, O_CLOEXEC); -- (void)dup3(fd, STDOUT_FILENO, O_CLOEXEC); -+ (void)dup3(fd, STDERR_FILENO, O_CLOEXEC); - close(fd); - } - --- -2.20.1 - diff --git a/debian/patches/pve/0002-PVE-Down-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/pve/0002-PVE-Down-run-lxcnetaddbr-when-instantiating-veths.patch index 070c5e4..bc4099d 100644 --- a/debian/patches/pve/0002-PVE-Down-run-lxcnetaddbr-when-instantiating-veths.patch +++ b/debian/patches/pve/0002-PVE-Down-run-lxcnetaddbr-when-instantiating-veths.patch @@ -11,10 +11,10 @@ Signed-off-by: Wolfgang Bumiller 1 file changed, 5 insertions(+) diff --git a/src/lxc/network.c b/src/lxc/network.c -index d0f14e632..9337ad4d9 100644 +index 65727f6b5..cd8d0bb14 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c -@@ -195,6 +195,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd +@@ -503,6 +503,11 @@ static int instantiate_veth(struct lxc_handler *handler, struct lxc_netdev *netd netdev->upscript, "up", argv); if (err < 0) goto out_delete; diff --git a/debian/patches/pve/0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/pve/0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch index 74835c3..9040b43 100644 --- a/debian/patches/pve/0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/pve/0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch @@ -38,10 +38,10 @@ index 077476559..fbd70fdf5 100644 # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # mount options=(rw,make-slave) -> **, diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in -index 1a3ead89a..39abf348c 100644 +index 2606fb64c..3e61c62ea 100644 --- a/config/apparmor/abstractions/container-base.in +++ b/config/apparmor/abstractions/container-base.in -@@ -82,7 +82,6 @@ +@@ -83,7 +83,6 @@ deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/, mount fstype=proc -> /proc/, mount fstype=sysfs -> /sys/, @@ -49,7 +49,7 @@ index 1a3ead89a..39abf348c 100644 deny /sys/firmware/efi/efivars/** rwklx, deny /sys/kernel/security/** rwklx, mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/, -@@ -90,6 +89,11 @@ +@@ -91,6 +90,11 @@ # deny reads from debugfs deny /sys/kernel/debug/{,**} rwklx, diff --git a/debian/patches/pve/0007-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch b/debian/patches/pve/0004-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch similarity index 97% rename from debian/patches/pve/0007-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch rename to debian/patches/pve/0004-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch index 5c70fe1..7f3e921 100644 --- a/debian/patches/pve/0007-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch +++ b/debian/patches/pve/0004-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch @@ -20,10 +20,10 @@ Signed-off-by: Wolfgang Bumiller create mode 100644 config/init/systemd/lxc-monitord.service.in diff --git a/.gitignore b/.gitignore -index 45377714c..69e6e7ffe 100644 +index b2d4657c4..36d0b7013 100644 --- a/.gitignore +++ b/.gitignore -@@ -116,6 +116,7 @@ config/bash/lxc +@@ -119,6 +119,7 @@ config/bash/lxc config/init/common/lxc-containers config/init/common/lxc-net config/init/systemd/lxc-autostart-helper @@ -80,10 +80,10 @@ index 000000000..406351688 +[Install] +WantedBy=multi-user.target diff --git a/configure.ac b/configure.ac -index 9a6ba83c2..9f3b8fb3c 100644 +index 645a2166d..6260f483f 100644 --- a/configure.ac +++ b/configure.ac -@@ -747,6 +747,7 @@ AC_CONFIG_FILES([ +@@ -796,6 +796,7 @@ AC_CONFIG_FILES([ config/init/systemd/lxc.service config/init/systemd/lxc@.service config/init/systemd/lxc-net.service @@ -92,10 +92,10 @@ index 9a6ba83c2..9f3b8fb3c 100644 config/init/sysvinit/lxc-containers config/init/sysvinit/lxc-net diff --git a/lxc.spec.in b/lxc.spec.in -index 7fcd811ff..59597f469 100644 +index ec6321c33..ea6789fb6 100644 --- a/lxc.spec.in +++ b/lxc.spec.in -@@ -247,6 +247,7 @@ fi +@@ -251,6 +251,7 @@ fi %{_unitdir}/lxc-net.service %{_unitdir}/lxc.service %{_unitdir}/lxc@.service diff --git a/debian/patches/pve/0008-PVE-Config-Disable-lxc.monitor-cgroup.patch b/debian/patches/pve/0005-PVE-Config-Disable-lxc.monitor-cgroup.patch similarity index 83% rename from debian/patches/pve/0008-PVE-Config-Disable-lxc.monitor-cgroup.patch rename to debian/patches/pve/0005-PVE-Config-Disable-lxc.monitor-cgroup.patch index 263c16e..5b4902d 100644 --- a/debian/patches/pve/0008-PVE-Config-Disable-lxc.monitor-cgroup.patch +++ b/debian/patches/pve/0005-PVE-Config-Disable-lxc.monitor-cgroup.patch @@ -9,33 +9,37 @@ empty. Signed-off-by: Wolfgang Bumiller --- - src/lxc/start.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) + src/lxc/start.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c -index 1cf792aa2..24f387de6 100644 +index a9a07bc83..0169cf8e3 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1954,15 +1954,15 @@ int __lxc_start(const char *name, struct lxc_handler *handler, +@@ -2026,17 +2026,17 @@ int __lxc_start(const char *name, struct lxc_handler *handler, goto out_fini_nonet; } - if (!cgroup_ops->monitor_create(cgroup_ops, handler)) { - ERROR("Failed to create monitor cgroup"); +- ret = -1; - goto out_fini_nonet; - } - - if (!cgroup_ops->monitor_enter(cgroup_ops, handler->monitor_pid)) { - ERROR("Failed to enter monitor cgroup"); +- ret = -1; - goto out_fini_nonet; - } + //if (!cgroup_ops->monitor_create(cgroup_ops, handler)) { + // ERROR("Failed to create monitor cgroup"); ++ // ret = -1; + // goto out_fini_nonet; + //} + + //if (!cgroup_ops->monitor_enter(cgroup_ops, handler->monitor_pid)) { + // ERROR("Failed to enter monitor cgroup"); ++ // ret = -1; + // goto out_fini_nonet; + //} diff --git a/debian/patches/pve/0004-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch b/debian/patches/pve/0006-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch similarity index 79% rename from debian/patches/pve/0004-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch rename to debian/patches/pve/0006-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch index e5670cf..8891b81 100644 --- a/debian/patches/pve/0004-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch +++ b/debian/patches/pve/0006-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch @@ -15,27 +15,27 @@ being used in order to combat this. Signed-off-by: Wolfgang Bumiller --- - src/lxc/cgroups/cgfsng.c | 94 +++++++++++++++++++++++++++++++++------- - src/lxc/cgroups/cgroup.h | 18 ++++++-- - src/lxc/commands.c | 87 ++++++++++++++++++++++++++++--------- + src/lxc/cgroups/cgfsng.c | 80 +++++++++++++++++++++++++++++------- + src/lxc/cgroups/cgroup.h | 18 +++++++-- + src/lxc/commands.c | 87 ++++++++++++++++++++++++++++++---------- src/lxc/commands.h | 2 + src/lxc/criu.c | 4 +- - src/lxc/start.c | 28 +++++++++--- - 6 files changed, 183 insertions(+), 50 deletions(-) + src/lxc/start.c | 28 +++++++++---- + 6 files changed, 171 insertions(+), 48 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c -index ab99b47c5..ac8f469bb 100644 +index 1e6a45cff..c09b4ea71 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c -@@ -818,6 +818,7 @@ static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char +@@ -808,6 +808,7 @@ static struct hierarchy *add_hierarchy(struct hierarchy ***h, char **clist, char new->mountpoint = mountpoint; new->container_base_path = container_base_path; new->container_full_path = NULL; + new->container_inner_path = NULL; new->monitor_full_path = NULL; new->version = type; - -@@ -1059,6 +1060,9 @@ static int cgroup_rmdir(struct hierarchy **hierarchies, + new->cgroup2_chown = NULL; +@@ -1048,6 +1049,9 @@ static int cgroup_rmdir(struct hierarchy **hierarchies, free(h->container_full_path); h->container_full_path = NULL; @@ -45,7 +45,7 @@ index ab99b47c5..ac8f469bb 100644 } return 0; -@@ -1070,6 +1074,7 @@ struct generic_userns_exec_data { +@@ -1059,6 +1063,7 @@ struct generic_userns_exec_data { struct lxc_conf *conf; uid_t origuid; /* target uid in parent namespace */ char *path; @@ -53,7 +53,7 @@ index ab99b47c5..ac8f469bb 100644 }; static int cgroup_rmdir_wrapper(void *data) -@@ -1112,6 +1117,7 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, +@@ -1104,6 +1109,7 @@ __cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops, wrap.container_cgroup = ops->container_cgroup; wrap.hierarchies = ops->hierarchies; wrap.conf = handler->conf; @@ -61,7 +61,7 @@ index ab99b47c5..ac8f469bb 100644 if (handler->conf && !lxc_list_empty(&handler->conf->id_map)) ret = userns_exec_1(handler->conf, cgroup_rmdir_wrapper, &wrap, -@@ -1323,17 +1329,26 @@ static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname) +@@ -1306,17 +1312,26 @@ static bool monitor_create_path_for_hierarchy(struct hierarchy *h, char *cgname) return cg_unified_create_cgroup(h, cgname); } @@ -92,8 +92,8 @@ index ab99b47c5..ac8f469bb 100644 if (ret < 0) { ERROR("Failed to create cgroup \"%s\"", h->container_full_path); return false; -@@ -1425,11 +1440,29 @@ on_error: - return bret; +@@ -1408,11 +1423,29 @@ __cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops, + return true; } +static inline bool cgfsng_create_inner(struct cgroup_ops *ops) @@ -121,36 +121,31 @@ index ab99b47c5..ac8f469bb 100644 + struct lxc_handler *handler, + bool inner) { + __do_free char *container_cgroup = NULL, *tmp = NULL; int i; - size_t len; -@@ -1438,10 +1471,17 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, +@@ -1422,7 +1455,12 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, struct lxc_conf *conf = handler->conf; - if (ops->container_cgroup) { -+ if (inner) -+ return cgfsng_create_inner(ops); - WARN("cgfsng_create called a second time: %s", ops->container_cgroup); - return false; - } - + if (ops->container_cgroup) ++ return inner ? cgfsng_create_inner(ops) : false; ++ + if (inner) { + ERROR("cgfsng_create called twice for inner cgroup"); -+ return false; + return false; + } -+ + if (!conf) return false; +@@ -1453,7 +1491,7 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, -@@ -1482,7 +1522,7 @@ again: - } - - for (i = 0; ops->hierarchies[i]; i++) { -- if (!container_create_path_for_hierarchy(ops->hierarchies[i], container_cgroup)) { -+ if (!container_create_path_for_hierarchy(ops->hierarchies[i], container_cgroup, false)) { - ERROR("Failed to create cgroup \"%s\"", ops->hierarchies[i]->container_full_path); - free(ops->hierarchies[i]->container_full_path); - ops->hierarchies[i]->container_full_path = NULL; -@@ -1505,7 +1545,8 @@ out_free: + for (i = 0; ops->hierarchies[i]; i++) { + if (!container_create_path_for_hierarchy(ops->hierarchies[i], +- container_cgroup)) { ++ container_cgroup, false)) { + ERROR("Failed to create cgroup \"%s\"", + ops->hierarchies[i]->container_full_path); + for (int j = 0; j < i; j++) +@@ -1475,7 +1513,8 @@ __cgfsng_ops static inline bool cgfsng_payload_create(struct cgroup_ops *ops, } __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, @@ -160,7 +155,7 @@ index ab99b47c5..ac8f469bb 100644 { int len; char pidstr[INTTYPE_TO_STRLEN(pid_t)]; -@@ -1521,6 +1562,9 @@ __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, +@@ -1494,6 +1533,9 @@ __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, if (monitor) path = must_make_path(ops->hierarchies[i]->monitor_full_path, "cgroup.procs", NULL); @@ -170,7 +165,7 @@ index ab99b47c5..ac8f469bb 100644 else path = must_make_path(ops->hierarchies[i]->container_full_path, "cgroup.procs", NULL); -@@ -1538,12 +1582,12 @@ __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, +@@ -1509,12 +1551,12 @@ __cgfsng_ops static bool __do_cgroup_enter(struct cgroup_ops *ops, pid_t pid, __cgfsng_ops static bool cgfsng_monitor_enter(struct cgroup_ops *ops, pid_t pid) { @@ -186,46 +181,20 @@ index ab99b47c5..ac8f469bb 100644 } static int chowmod(char *path, uid_t chown_uid, gid_t chown_gid, -@@ -1609,9 +1653,15 @@ static int chown_cgroup_wrapper(void *data) - char *fullpath; +@@ -1578,8 +1620,12 @@ static int chown_cgroup_wrapper(void *data) + + for (int i = 0; arg->hierarchies[i]; i++) { + __do_free char *fullpath = NULL; ++ __do_free char *inner_guard = NULL; char *path = arg->hierarchies[i]->container_full_path; + if (arg->inner) -+ path = must_make_path(path, CGROUP_NAMESPACE_SUBDIR, NULL); ++ path = inner_guard = must_make_path(path, CGROUP_NAMESPACE_SUBDIR, NULL); + ret = chowmod(path, destuid, nsgid, 0775); -- if (ret < 0) -+ if (ret < 0) { -+ if (arg->inner) -+ free(path); + if (ret < 0) return -1; -+ } - - /* Failures to chown() these are inconvenient but not - * detrimental We leave these owned by the container launcher, -@@ -1630,8 +1680,11 @@ static int chown_cgroup_wrapper(void *data) - (void)chowmod(fullpath, destuid, nsgid, 0664); - free(fullpath); - -- if (arg->hierarchies[i]->version != CGROUP2_SUPER_MAGIC) -+ if (arg->hierarchies[i]->version != CGROUP2_SUPER_MAGIC) { -+ if (arg->inner) -+ free(path); - continue; -+ } - - fullpath = must_make_path(path, "cgroup.subtree_control", NULL); - (void)chowmod(fullpath, destuid, nsgid, 0664); -@@ -1640,13 +1693,17 @@ static int chown_cgroup_wrapper(void *data) - fullpath = must_make_path(path, "cgroup.threads", NULL); - (void)chowmod(fullpath, destuid, nsgid, 0664); - free(fullpath); -+ -+ if (arg->inner) -+ free(path); - } - - return 0; +@@ -1612,7 +1658,8 @@ static int chown_cgroup_wrapper(void *data) } __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, @@ -235,7 +204,7 @@ index ab99b47c5..ac8f469bb 100644 { struct generic_userns_exec_data wrap; -@@ -1657,6 +1714,7 @@ __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, +@@ -1626,6 +1673,7 @@ __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops, wrap.path = NULL; wrap.hierarchies = ops->hierarchies; wrap.conf = conf; @@ -243,7 +212,7 @@ index ab99b47c5..ac8f469bb 100644 if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap, "chown_cgroup_wrapper") < 0) { -@@ -2038,7 +2096,8 @@ __cgfsng_ops static bool cgfsng_unfreeze(struct cgroup_ops *ops) +@@ -2100,7 +2148,8 @@ __cgfsng_ops static bool cgfsng_unfreeze(struct cgroup_ops *ops) } __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, @@ -253,7 +222,7 @@ index ab99b47c5..ac8f469bb 100644 { struct hierarchy *h; -@@ -2049,6 +2108,9 @@ __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, +@@ -2111,6 +2160,9 @@ __cgfsng_ops static const char *cgfsng_get_cgroup(struct cgroup_ops *ops, return NULL; } @@ -263,16 +232,16 @@ index ab99b47c5..ac8f469bb 100644 return h->container_full_path ? h->container_full_path + strlen(h->mountpoint) : NULL; } -@@ -2080,7 +2142,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name, +@@ -2143,7 +2195,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name, + size_t len; int fret = -1, idx = 0; - char *base_path = NULL, *container_cgroup = NULL, *full_path = NULL; - container_cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); + container_cgroup = lxc_cmd_get_attach_cgroup_path(name, lxcpath, controller); /* not running */ if (!container_cgroup) return 0; -@@ -2161,7 +2223,7 @@ __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, +@@ -2220,7 +2272,7 @@ __cgfsng_ops static bool cgfsng_attach(struct cgroup_ops *ops, const char *name, continue; } @@ -282,7 +251,7 @@ index ab99b47c5..ac8f469bb 100644 if (!path) continue; diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index d4dcd506b..59445b5a5 100644 +index f3f0f6726..35d207feb 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -32,6 +32,12 @@ @@ -308,7 +277,7 @@ index d4dcd506b..59445b5a5 100644 * @version * - legacy hierarchy * If the hierarchy is a legacy hierarchy this will be set to -@@ -85,6 +94,7 @@ struct hierarchy { +@@ -90,6 +99,7 @@ struct hierarchy { char *mountpoint; char *container_base_path; char *container_full_path; @@ -316,7 +285,7 @@ index d4dcd506b..59445b5a5 100644 char *monitor_full_path; int version; }; -@@ -139,9 +149,9 @@ struct cgroup_ops { +@@ -144,9 +154,9 @@ struct cgroup_ops { void (*monitor_destroy)(struct cgroup_ops *ops, struct lxc_handler *handler); bool (*monitor_create)(struct cgroup_ops *ops, struct lxc_handler *handler); bool (*monitor_enter)(struct cgroup_ops *ops, pid_t pid); @@ -329,7 +298,7 @@ index d4dcd506b..59445b5a5 100644 bool (*escape)(const struct cgroup_ops *ops, struct lxc_conf *conf); int (*num_hierarchies)(struct cgroup_ops *ops); bool (*get_hierarchies)(struct cgroup_ops *ops, int n, char ***out); -@@ -152,7 +162,7 @@ struct cgroup_ops { +@@ -158,7 +168,7 @@ struct cgroup_ops { bool (*unfreeze)(struct cgroup_ops *ops); bool (*setup_limits)(struct cgroup_ops *ops, struct lxc_conf *conf, bool with_devices); @@ -339,10 +308,10 @@ index d4dcd506b..59445b5a5 100644 const char *lxcpath, pid_t pid); bool (*mount)(struct cgroup_ops *ops, struct lxc_handler *handler, diff --git a/src/lxc/commands.c b/src/lxc/commands.c -index 133384d72..b41a76000 100644 +index 90e3c5863..93406bb7e 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c -@@ -427,20 +427,8 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, +@@ -425,20 +425,8 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, return lxc_cmd_rsp_send(fd, &rsp); } @@ -365,7 +334,7 @@ index 133384d72..b41a76000 100644 { int ret, stopped; struct lxc_cmd_rr cmd = { -@@ -453,8 +441,18 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, +@@ -451,8 +439,18 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, cmd.req.data = subsystem; cmd.req.datalen = 0; @@ -386,7 +355,7 @@ index 133384d72..b41a76000 100644 ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); if (ret < 0) -@@ -469,6 +467,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, +@@ -467,6 +465,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, return cmd.rsp.data; } @@ -427,9 +396,9 @@ index 133384d72..b41a76000 100644 +} + static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, - struct lxc_handler *handler) - { -@@ -476,10 +510,21 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, + struct lxc_handler *handler, + struct lxc_epoll_descr *descr) +@@ -475,10 +509,21 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, struct lxc_cmd_rsp rsp; struct cgroup_ops *cgroup_ops = handler->cgroup_ops; @@ -455,7 +424,7 @@ index 133384d72..b41a76000 100644 if (!path) return -1; -@@ -651,7 +696,7 @@ static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req, +@@ -653,7 +698,7 @@ static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req, * lxc_unfreeze() would do another cmd (GET_CGROUP) which would * deadlock us. */ @@ -465,10 +434,10 @@ index 133384d72..b41a76000 100644 if (cgroup_ops->unfreeze(cgroup_ops)) diff --git a/src/lxc/commands.h b/src/lxc/commands.h -index 2c024b65d..7c4c00b1e 100644 +index d7d0c6096..042892a42 100644 --- a/src/lxc/commands.h +++ b/src/lxc/commands.h -@@ -88,6 +88,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, +@@ -89,6 +89,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, */ extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, const char *subsystem); @@ -478,7 +447,7 @@ index 2c024b65d..7c4c00b1e 100644 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); extern char *lxc_cmd_get_name(const char *hashed_sock); diff --git a/src/lxc/criu.c b/src/lxc/criu.c -index 3d857b541..ec9bcb7e4 100644 +index 86f6f1836..15a703c4f 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -332,7 +332,7 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, @@ -490,7 +459,7 @@ index 3d857b541..ec9bcb7e4 100644 if (!p) { ERROR("failed to get cgroup path for %s", controllers[0]); goto err; -@@ -976,7 +976,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ +@@ -975,7 +975,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_ goto out_fini_handler; handler->cgroup_ops = cgroup_ops; @@ -500,10 +469,10 @@ index 3d857b541..ec9bcb7e4 100644 goto out_fini_handler; } diff --git a/src/lxc/start.c b/src/lxc/start.c -index dae3bcfe5..f3b29d6cd 100644 +index 0169cf8e3..db0625af5 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1649,7 +1649,7 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1726,7 +1726,7 @@ static int lxc_spawn(struct lxc_handler *handler) } } @@ -512,7 +481,7 @@ index dae3bcfe5..f3b29d6cd 100644 ERROR("Failed creating cgroups"); goto out_delete_net; } -@@ -1743,10 +1743,10 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1841,10 +1841,10 @@ static int lxc_spawn(struct lxc_handler *handler) goto out_delete_net; } @@ -524,8 +493,8 @@ index dae3bcfe5..f3b29d6cd 100644 + if (!cgroup_ops->chown(cgroup_ops, handler->conf, false)) goto out_delete_net; - /* Now we're ready to preserve the network namespace */ -@@ -1813,16 +1813,30 @@ static int lxc_spawn(struct lxc_handler *handler) + /* If not done yet, we're now ready to preserve the network namespace */ +@@ -1902,16 +1902,30 @@ static int lxc_spawn(struct lxc_handler *handler) } } diff --git a/debian/patches/pve/0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch b/debian/patches/pve/0007-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch similarity index 94% rename from debian/patches/pve/0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch rename to debian/patches/pve/0007-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch index 1bae3be..655004e 100644 --- a/debian/patches/pve/0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch +++ b/debian/patches/pve/0007-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch @@ -17,10 +17,10 @@ Signed-off-by: Wolfgang Bumiller 3 files changed, 24 insertions(+), 19 deletions(-) diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c -index 11c808662..8b5e2542a 100644 +index da3363294..5e33afc58 100644 --- a/src/lxc/initutils.c +++ b/src/lxc/initutils.c -@@ -63,14 +63,15 @@ static char *copy_global_config_value(char *p) +@@ -64,14 +64,15 @@ static char *copy_global_config_value(char *p) const char *lxc_global_config_value(const char *option_name) { static const char * const options[][2] = { @@ -57,10 +57,10 @@ index 6bf23a706..b542e6015 100644 #ifndef PR_SET_MM #define PR_SET_MM 35 diff --git a/src/lxc/start.c b/src/lxc/start.c -index f3b29d6cd..1cf792aa2 100644 +index db0625af5..0ee7f9636 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c -@@ -1820,17 +1820,20 @@ static int lxc_spawn(struct lxc_handler *handler) +@@ -1909,17 +1909,20 @@ static int lxc_spawn(struct lxc_handler *handler) TRACE("Set up legacy device cgroup controller limits"); if (cgns_supported()) { diff --git a/debian/patches/pve/0006-PVE-Config-namespace-separation.patch b/debian/patches/pve/0008-PVE-Config-namespace-separation.patch similarity index 97% rename from debian/patches/pve/0006-PVE-Config-namespace-separation.patch rename to debian/patches/pve/0008-PVE-Config-namespace-separation.patch index 396be8d..56dbe3e 100644 --- a/debian/patches/pve/0006-PVE-Config-namespace-separation.patch +++ b/debian/patches/pve/0008-PVE-Config-namespace-separation.patch @@ -13,7 +13,7 @@ Signed-off-by: Wolfgang Bumiller 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h -index 59445b5a5..7d6135c19 100644 +index 35d207feb..be9df33a2 100644 --- a/src/lxc/cgroups/cgroup.h +++ b/src/lxc/cgroups/cgroup.h @@ -36,7 +36,7 @@ diff --git a/debian/patches/pve/0010-PVE-Config-attach-always-use-getent.patch b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch similarity index 83% rename from debian/patches/pve/0010-PVE-Config-attach-always-use-getent.patch rename to debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch index a96d4c4..af8b688 100644 --- a/debian/patches/pve/0010-PVE-Config-attach-always-use-getent.patch +++ b/debian/patches/pve/0009-PVE-Config-attach-always-use-getent.patch @@ -9,26 +9,27 @@ To avoid this, stick to always using getent. Signed-off-by: Wolfgang Bumiller --- - src/lxc/attach.c | 29 ++--------------------------- - 1 file changed, 2 insertions(+), 27 deletions(-) + src/lxc/attach.c | 28 ++-------------------------- + 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c -index 117e3778f..8b34a412e 100644 +index 80c41fe26..f30f192e3 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c -@@ -1548,11 +1548,7 @@ int lxc_attach_run_command(void *payload) +@@ -1506,12 +1506,8 @@ int lxc_attach_run_command(void *payload) + int lxc_attach_run_shell(void* payload) { +- __do_free char *buf = NULL; uid_t uid; - struct passwd pwent; - struct passwd *pwentp = NULL; char *user_shell; -- char *buf; - size_t bufsize; int ret; /* Ignore payload parameter. */ -@@ -1560,32 +1556,13 @@ int lxc_attach_run_shell(void* payload) +@@ -1519,32 +1515,13 @@ int lxc_attach_run_shell(void* payload) uid = getuid(); @@ -62,7 +63,7 @@ index 117e3778f..8b34a412e 100644 if (user_shell) execlp(user_shell, user_shell, (char *)NULL); -@@ -1595,9 +1572,7 @@ int lxc_attach_run_shell(void* payload) +@@ -1554,8 +1531,7 @@ int lxc_attach_run_shell(void* payload) execlp("/bin/sh", "/bin/sh", (char *)NULL); SYSERROR("Failed to execute shell"); @@ -70,7 +71,6 @@ index 117e3778f..8b34a412e 100644 - free(user_shell); + free(user_shell); -- free(buf); return -1; } -- diff --git a/debian/patches/pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch b/debian/patches/pve/0010-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch similarity index 100% rename from debian/patches/pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch rename to debian/patches/pve/0010-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch diff --git a/debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch b/debian/patches/pve/0011-apparmor-generate-ro-bind-remount-rule-list.patch similarity index 100% rename from debian/patches/extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch rename to debian/patches/pve/0011-apparmor-generate-ro-bind-remount-rule-list.patch diff --git a/debian/patches/pve/0012-apparmor-Prevent-writes-to-proc-acpi.patch b/debian/patches/pve/0012-apparmor-Prevent-writes-to-proc-acpi.patch new file mode 100644 index 0000000..77e1e81 --- /dev/null +++ b/debian/patches/pve/0012-apparmor-Prevent-writes-to-proc-acpi.patch @@ -0,0 +1,27 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Wed, 23 Oct 2019 10:53:21 +0200 +Subject: [PATCH] apparmor: Prevent writes to /proc/acpi/** + +Same as #3117. + +Signed-off-by: Wolfgang Bumiller +--- + src/lxc/lsm/apparmor.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c +index 47f825866..8aebb21af 100644 +--- a/src/lxc/lsm/apparmor.c ++++ b/src/lxc/lsm/apparmor.c +@@ -121,6 +121,7 @@ static const char AA_PROFILE_BASE[] = + " # block some other dangerous paths\n" + " deny @{PROC}/kcore rwklx,\n" + " deny @{PROC}/sysrq-trigger rwklx,\n" ++" deny @{PROC}/acpi/** rwklx,\n" + "\n" + " # deny writes in /sys except for /sys/fs/cgroup, also allow\n" + " # fusectl, securityfs and debugfs to be mounted there (read-only)\n" +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index ba6f5af..7511a9e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,15 +1,12 @@ pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch pve/0002-PVE-Down-run-lxcnetaddbr-when-instantiating-veths.patch pve/0003-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch -pve/0004-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch -pve/0005-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch -pve/0006-PVE-Config-namespace-separation.patch -pve/0007-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch -pve/0008-PVE-Config-Disable-lxc.monitor-cgroup.patch -pve/0009-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch -pve/0010-PVE-Config-attach-always-use-getent.patch -extra/0001-conf-use-SYSERROR-on-lxc_write_to_file-errors.patch -extra/0002-Revert-conf-remove-extra-MS_BIND-with-sysfs-mixed.patch -extra/0003-CVE-2019-5736-runC-rexec-callers-as-memfd.patch -extra/0004-apparmor-generate-ro-bind-remount-rule-list.patch -extra/0005-attach-don-t-close-stdout-of-getent.patch +pve/0004-PVE-Up-possibility-to-run-lxc-monitord-as-a-regular-.patch +pve/0005-PVE-Config-Disable-lxc.monitor-cgroup.patch +pve/0006-PVE-Up-separate-the-limiting-from-the-namespaced-cgr.patch +pve/0007-PVE-Up-start-initutils-make-cgroupns-separation-leve.patch +pve/0008-PVE-Config-namespace-separation.patch +pve/0009-PVE-Config-attach-always-use-getent.patch +pve/0010-init-add-ExecReload-to-lxc.service-to-only-reload-pr.patch +pve/0011-apparmor-generate-ro-bind-remount-rule-list.patch +pve/0012-apparmor-Prevent-writes-to-proc-acpi.patch diff --git a/lxc b/lxc index dfaaf1c..344b8ee 160000 --- a/lxc +++ b/lxc @@ -1 +1 @@ -Subproject commit dfaaf1cf5a9136c2caf9aab147e0f51dcb86bafb +Subproject commit 344b8ee293f4d3730a70a6ccaa03d7e4a516ae95