diff --git a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch index fd56728..1a1c6f4 100644 --- a/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch +++ b/debian/patches/0001-lxc.service-start-after-a-potential-syslog.service.patch @@ -1,7 +1,7 @@ From 674c54165393b3ad0059f4a5c5d1e1505eea9114 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:13:40 +0100 -Subject: [PATCH 1/9] lxc.service: start after a potential syslog.service +Subject: [PATCH 01/10] lxc.service: start after a potential syslog.service Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch index 424d475..6d987c0 100644 --- a/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch +++ b/debian/patches/0002-jessie-systemd-remove-Delegate-flag-to-silence-warni.patch @@ -1,7 +1,8 @@ From a5ee14df834c008294b790d96982a1fea36c807a Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:14:55 +0100 -Subject: [PATCH 2/9] jessie/systemd: remove Delegate flag to silence warnings +Subject: [PATCH 02/10] jessie/systemd: remove Delegate flag to silence + warnings Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch index 5cbc84d..7f683cd 100644 --- a/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch +++ b/debian/patches/0003-pve-run-lxcnetaddbr-when-instantiating-veths.patch @@ -1,7 +1,7 @@ From 84da55875d3a9468957fe0f0012ea2b39b9f7785 Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 09:15:37 +0100 -Subject: [PATCH 3/9] pve: run lxcnetaddbr when instantiating veths +Subject: [PATCH 03/10] pve: run lxcnetaddbr when instantiating veths FIXME: Why aren't we using regular up-scripts? diff --git a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch index 3940048..2657a9e 100644 --- a/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch +++ b/debian/patches/0004-deny-rw-mounting-of-sys-and-proc.patch @@ -1,7 +1,7 @@ From 2d651f876f4afa97ddd6081d996776c10355732a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Wed, 9 Nov 2016 09:14:26 +0100 -Subject: [PATCH 4/9] deny rw mounting of /sys and /proc +Subject: [PATCH 04/10] deny rw mounting of /sys and /proc this would allow root in a privileged container to change the permissions of /sys on the host, which could lock out diff --git a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch index 89e92f5..6120cef 100644 --- a/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch +++ b/debian/patches/0005-separate-the-limiting-from-the-namespaced-cgroup-roo.patch @@ -1,7 +1,7 @@ From 9152a996a7413e1dc7dc3cb6c64af20cdf0389be Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Tue, 15 Nov 2016 09:20:24 +0100 -Subject: [PATCH 5/9] separate the limiting from the namespaced cgroup root +Subject: [PATCH 05/10] separate the limiting from the namespaced cgroup root When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root diff --git a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch index ad732c3..64aefaf 100644 
--- a/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch +++ b/debian/patches/0006-start-initutils-make-cgroupns-separation-level-confi.patch @@ -1,7 +1,7 @@ From 3ec7cf35c1ca98f976a2c39cd58287d8137d0269 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 16 Nov 2016 09:53:42 +0100 -Subject: [PATCH 6/9] start/initutils: make cgroupns separation level +Subject: [PATCH 06/10] start/initutils: make cgroupns separation level configurable Adds a new global config variable `lxc.cgroup.separate` diff --git a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch index ae93b5a..de90acb 100644 --- a/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch +++ b/debian/patches/0007-rename-cgroup-namespace-directory-to-ns.patch @@ -1,7 +1,7 @@ From d80258c750c52470389056c212a0eb5f0901dd7b Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 23 Dec 2016 15:57:24 +0100 -Subject: [PATCH 7/9] rename cgroup namespace directory to ns +Subject: [PATCH 07/10] rename cgroup namespace directory to ns Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch index ad49e31..e589e88 100644 --- a/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch +++ b/debian/patches/0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch @@ -1,7 +1,7 @@ From 9f5dc10171f3546530a326b8d427683109fd2818 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 10 Feb 2017 10:23:36 +0100 -Subject: [PATCH 8/9] possibility to run lxc-monitord as a regular daemon +Subject: [PATCH 08/10] possibility to run lxc-monitord as a regular daemon This includes an lxc-monitord.service, required by lxc@.service which is now of Type=forking. 
diff --git a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch b/debian/patches/0009-network-add-missing-checks-for-empty-links.patch index c739381..ee3966e 100644 --- a/debian/patches/0009-network-add-missing-checks-for-empty-links.patch +++ b/debian/patches/0009-network-add-missing-checks-for-empty-links.patch @@ -1,7 +1,7 @@ From c1c1e55305a06786ee3dd938e421ca413db73dd1 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Wed, 6 Sep 2017 11:51:03 +0200 -Subject: [PATCH 9/9] network: add missing checks for empty links +Subject: [PATCH 09/10] network: add missing checks for empty links Signed-off-by: Wolfgang Bumiller --- diff --git a/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch b/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch new file mode 100644 index 0000000..065a38b --- /dev/null +++ b/debian/patches/0010-start-unshare-cgroup-after-setting-up-device-limits.patch 
@@ -0,0 +1,45 @@
+From 7f3ecf9291a8bca0e60f6611206608d0644e73bf Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Tue, 19 Sep 2017 10:00:43 +0200
+Subject: [PATCH 10/10] start: unshare cgroup after setting up device limits
+
+Commit f4152036dd29 ("start: lxc_setup() after unshare(CLONE_NEWCGROUP)"
+introduced another sync step before the cgroup device
+limits, but in order for cgroup namespace separation to work
+these limits must be setup before creating the separation
+directory, which means we need to move the unshare to after
+setting up the limits.
+
+Fixup-for: separate the limiting from the namespaced cgroup root
+Signed-off-by: Wolfgang Bumiller
+---
+ src/lxc/start.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 4fec27b9..7715f64f 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1324,9 +1324,6 @@ static int lxc_spawn(struct lxc_handler *handler)
+ goto out_delete_net;
+ }
+
+- if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+- goto out_delete_net;
+-
+ if (!cgroup_setup_limits(handler, true)) {
+ ERROR("Failed to setup the devices cgroup for container \"%s\".", name);
+ goto out_delete_net;
+@@ -1351,6 +1348,9 @@ static int lxc_spawn(struct lxc_handler *handler)
+ }
+ }
+
++ if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
++ goto out_delete_net;
++
+ cgroup_disconnect();
+ cgroups_connected = false;
+
+--
+2.11.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 9dbf12e..1e860ae 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 0007-rename-cgroup-namespace-directory-to-ns.patch
 0008-possibility-to-run-lxc-monitord-as-a-regular-daemon.patch
 0009-network-add-missing-checks-for-empty-links.patch
+0010-start-unshare-cgroup-after-setting-up-device-limits.patch
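Review bot: The relocated barrier `if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))` carries no comment saying why it must now follow cgroup_setup_limits(), so the ordering this patch restores lives only in the commit message and is easy to undo in a later refactor; add `/* Device limits must be applied before the child unshares its cgroup namespace; keep this barrier below cgroup_setup_limits(). */` directly above the moved lines. The stretch between the two hunks (old lines 1333–1350 of start.c, not shown) now also runs before the child is released from the barrier, so any `goto out_delete_net` in it presumably relies on the error path waking or aborting the blocked child — worth confirming, since that path is outside the hunk. The commit message's first sentence is missing the closing parenthesis after `unshare(CLONE_NEWCGROUP)"`. lxc_spawn() starts and ends outside the hunk.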