mirror of git://git.proxmox.com/git/lxc.git synced 2025-03-11 20:58:39 +03:00

update to lxc 6.0

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2024-04-05 13:09:18 +02:00
parent db69b3776d
commit ab6c7914e6
6 changed files with 7 additions and 50 deletions

debian/control

@ -10,6 +10,7 @@ Build-Depends: bash-completion,
graphviz, graphviz,
libapparmor-dev, libapparmor-dev,
libcap-dev, libcap-dev,
libdbus-1-dev,
libgnutls28-dev, libgnutls28-dev,
libseccomp-dev (>= 2.4~), libseccomp-dev (>= 2.4~),
linux-libc-dev, linux-libc-dev,
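Review bot: The new libdbus-1-dev line in Build-Depends has no stated reason: the commit message says only "update to lxc 6.0". Say in the commit message or changelog which part of the 6.0 build needs the D-Bus headers, and whether a minimum version is required, as is done for libseccomp-dev (>= 2.4~) two lines below.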


@ -1,43 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 27 Feb 2023 11:02:43 +0100
Subject: [PATCH] apparmor: don't try to mmap empty files
In case empty profile files linger somehow (eg. powerloss or
oom killer etc. between creating and writing the file) we
tried to use mmap() with a length of 0 which is invalid.
Let's treat this as if it did not exist.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/lxc/lsm/apparmor.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 23af021aa..685d3b9ef 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -973,12 +973,14 @@ static int load_apparmor_profile(struct lsm_ops *ops, struct lxc_conf *conf, con
goto out;
}
old_len = profile_sb.st_size;
- old_content = lxc_strmmap(NULL, old_len, PROT_READ,
- MAP_PRIVATE, profile_fd, 0);
- if (old_content == MAP_FAILED) {
- SYSERROR("Failed to mmap old profile from %s",
- profile_path);
- goto out;
+ if (old_len) {
+ old_content = lxc_strmmap(NULL, old_len, PROT_READ,
+ MAP_PRIVATE, profile_fd, 0);
+ if (old_content == MAP_FAILED) {
+ SYSERROR("Failed to mmap old profile from %s",
+ profile_path);
+ goto out;
+ }
}
} else if (errno != ENOENT) {
SYSERROR("Error reading old profile from %s", profile_path);
--
2.30.2
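Review bot: Dropping extra/0001-apparmor-don-t-try-to-mmap-empty-files.patch is only safe if the new lxc subproject commit already carries the "if (old_len)" guard around lxc_strmmap() in load_apparmor_profile(), and the commit message does not say so. Please state that the fix is included in 6.0, ideally with the upstream commit id, since otherwise an empty profile file would again reach mmap() with a length of 0.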


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com> From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
Date: Wed, 9 Nov 2016 09:14:26 +0100 Date: Wed, 9 Nov 2016 09:14:26 +0100
Subject: [PATCH 2/3] PVE: [Config] deny rw mounting of /sys and /proc Subject: [PATCH 1/2] PVE: [Config] deny rw mounting of /sys and /proc
Note that we don't actually make use of this anymore, since Note that we don't actually make use of this anymore, since
we switched to the generated profiles which already do this. we switched to the generated profiles which already do this.
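Review bot: The description kept here says "we don't actually make use of this anymore, since we switched to the generated profiles which already do this", yet the patch is renumbered from 2/3 to 1/2 and carried forward. If it is still wanted as a fallback, say so in the description; if not, the 6.0 update is a good point to drop it and shrink the delta to upstream.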
@ -65,5 +65,5 @@ index 2606fb64c..3e61c62ea 100644
# FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts. # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
# mount options=(rw,make-slave) -> **, # mount options=(rw,make-slave) -> **,
-- --
2.30.2 2.39.2
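Review bot: The only change in this region is the git version trailer (2.30.2 to 2.39.2), which will churn again whenever the series is refreshed with a different git version. Generating the patches with git format-patch --no-signature would keep such refreshes out of the diff.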


@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com> From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 13 Aug 2019 13:57:22 +0200 Date: Tue, 13 Aug 2019 13:57:22 +0200
Subject: [PATCH 3/3] PVE: [Config] attach: always use getent Subject: [PATCH 2/2] PVE: [Config] attach: always use getent
In debian buster, some libnss plugins (if installed) can In debian buster, some libnss plugins (if installed) can
cause getpwent to segfault instead of erroring out cleanly. cause getpwent to segfault instead of erroring out cleanly.
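Review bot: The rationale in this description is specific to debian buster ("some libnss plugins (if installed) can cause getpwent to segfault") and the patch dates from 2019. Since it is carried onto 6.0 with only its number changed, note in the description whether the getpwent crash still applies to the releases this package targets, so the reason for always using getent stays reviewable.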
@ -13,7 +13,7 @@ Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
1 file changed, 2 insertions(+), 27 deletions(-) 1 file changed, 2 insertions(+), 27 deletions(-)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index f086e96c4..9969f2d8e 100644 index 8f2f7a37c..a8684808c 100644
--- a/src/lxc/attach.c --- a/src/lxc/attach.c
+++ b/src/lxc/attach.c +++ b/src/lxc/attach.c
@@ -1843,45 +1843,21 @@ int lxc_attach_run_command(void *payload) @@ -1843,45 +1843,21 @@ int lxc_attach_run_command(void *payload)
@ -74,5 +74,5 @@ index f086e96c4..9969f2d8e 100644
return -1; return -1;
} }
-- --
2.30.2 2.39.2


@ -1,3 +1,2 @@
extra/0001-apparmor-don-t-try-to-mmap-empty-files.patch
pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch pve/0001-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch
pve/0002-PVE-Config-attach-always-use-getent.patch pve/0002-PVE-Config-attach-always-use-getent.patch

lxc

@ -1 +1 @@
Subproject commit d571736812b89e195bee69b900fe09115a1e7e00 Subproject commit 3dee5fb88c6f77496dbcab46f31bcd891c9ee4e0
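Review bot: The new subproject hash 3dee5fb88c6f77496dbcab46f31bcd891c9ee4e0 is not tied to anything a reader can check: the commit message says "update to lxc 6.0" but names no upstream tag. Name the tag the hash corresponds to in the commit message so the pinned revision can be verified against upstream.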