[meta-virtualization] [PATCH] lxc: upstream fixes for lxc-execute
Bogdan Purcareata
bogdan.purcareata at nxp.com
Mon Feb 29 07:27:59 PST 2016
These patches address some warnings that LXC throws when running
an application container. They are currently applied in the official
repository.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata at nxp.com>
---
...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
...if_needed-only-safe-mount-when-rootfs-is-.patch | 69 ++++++++++++++++++++++
...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
recipes-containers/lxc/lxc_1.1.4.bb | 3 +
4 files changed, 148 insertions(+)
create mode 100644 recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
create mode 100644 recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
create mode 100644 recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
diff --git a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
new file mode 100644
index 0000000..751a7ac
--- /dev/null
+++ b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
@@ -0,0 +1,39 @@
+From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Date: Fri, 8 Jan 2016 15:38:44 +0000
+Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
+
+When running application containers with lxc-execute, /dev is
+populated only with device entries. Since /dev is a tmpfs mount in
+the container environment, the /dev/shm folder not being present is not
+a sufficient reason for the /dev/shm mount to fail.
+
+Create the /dev/shm directory if not present.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
+---
+ src/lxc/initutils.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
+index 45df60f..8d9016c 100644
+--- a/src/lxc/initutils.c
++++ b/src/lxc/initutils.c
+@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
+ if (mount_fs("proc", "/proc", "proc"))
+ INFO("failed to remount proc");
+
++ /* if /dev has been populated by us, /dev/shm does not exist */
++ if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
++ INFO("failed to create /dev/shm");
++
+ /* if we can't mount /dev/shm, continue anyway */
+ if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
+ INFO("failed to mount /dev/shm");
+--
+1.9.1
+
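Review bot: if the tmpfs mount on the following `mount_fs("shmfs", "/dev/shm", "tmpfs")` line fails, the container keeps running (the existing comment says to continue anyway) on a bare directory created with mode 0777 and no sticky bit, so any process in the container can unlink shared-memory objects belonging to other users; the conventional mode for /dev/shm is 01777, and Linux mkdir() honours S_ISVTX, so `mkdir("/dev/shm", 01777)` is the safer fallback (still subject to umask). The access()-then-mkdir() pair can also be collapsed to `if (mkdir("/dev/shm", 01777) && errno != EEXIST)`, which drops the redundant lookup and the window between the two calls. Minor: the header reads `Upstream-status:` here and in the mount_proc_if_needed patch but `Upstream-Status:` in the open_without_symlink patch; the Yocto convention is the capitalised form.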
diff --git a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
new file mode 100644
index 0000000..c3afd85
--- /dev/null
+++ b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
@@ -0,0 +1,69 @@
+From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Date: Wed, 20 Jan 2016 10:53:57 +0000
+Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
+
+The safe_mount function was introduced in order to address CVE-2015-1335,
+one of the vulnerabilities being a mount with a symlink for the
+destination path. In scenarios such as lxc-execute with no rootfs, the
+destination path is the host /proc, which is previously mounted by the
+host, and is unmounted and mounted again in a new set of namespaces,
+therefore eliminating the need to check for it being a symlink.
+
+Mount the rootfs normally if the rootfs is NULL, keep the safe mount
+only for scenarios where a different rootfs is defined.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
+---
+ src/lxc/conf.c | 1 +
+ src/lxc/utils.c | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 632dde3..1e30c0c 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
+ return 0;
+ }
+
++/* NOTE: not to be called from inside the container namespace! */
+ int tmp_proc_mount(struct lxc_conf *lxc_conf)
+ {
+ int mounted;
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 4e96a50..0bc7a20 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
+ *
+ * Returns < 0 on failure, 0 if the correct proc was already mounted
+ * and 1 if a new proc was mounted.
++ *
++ * NOTE: not to be called from inside the container namespace!
+ */
+ int mount_proc_if_needed(const char *rootfs)
+ {
+@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
+ return 0;
+
+ domount:
+- if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
++ if (!strcmp(rootfs,"")) /* rootfs is NULL */
++ ret = mount("proc", path, "proc", 0, NULL);
++ else
++ ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
++
++ if (ret < 0)
+ return -1;
++
+ INFO("Mounted /proc in container for security transition");
+ return 1;
+ }
+--
+1.9.1
+
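Review bot: the new test `if (!strcmp(rootfs,"")) /* rootfs is NULL */` does not match its comment or the commit message: a NULL rootfs would be dereferenced inside strcmp() and crash, and only an empty string takes the plain mount() path. Either reword the comment to "rootfs is empty" (consistent with the empty-prefix handling added to open_without_symlink in this series) or guard both cases with `if (!rootfs || !*rootfs)`. No declaration of `ret` appears in this hunk, so the code relies on an existing local in mount_proc_if_needed(); please confirm one is in scope. The two `NOTE: not to be called from inside the container namespace!` comments state the invariant that makes bypassing safe_mount() acceptable (the destination is the host's own /proc in a fresh mount namespace, so the symlink check from the CVE-2015-1335 fix is not needed), but nothing enforces it; spelling out that reasoning next to the mount() call would help future readers. Style: missing space after the comma in `strcmp(rootfs,"")`.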
diff --git a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
new file mode 100644
index 0000000..28f9889
--- /dev/null
+++ b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
@@ -0,0 +1,37 @@
+From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Date: Fri, 8 Jan 2016 15:38:35 +0000
+Subject: [PATCH] open_without_symlink: Account when prefix is empty string
+
+In the current implementation, the open_without_symlink function
+will default to opening the root mount only if the passed rootfs
+prefix is null. It doesn't account for the case where this prefix
+is passed as an empty string.
+
+Properly handle this second case as well.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
+---
+ src/lxc/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index ed8c4c4..4e96a50 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target, const char *prefix_skip)
+ fulllen = strlen(target);
+
+ /* make sure prefix-skip makes sense */
+- if (prefix_skip) {
++ if (prefix_skip && strlen(prefix_skip) > 0) {
+ curlen = strlen(prefix_skip);
+ if (!is_subdir(target, prefix_skip, curlen)) {
+ ERROR("WHOA there - target '%s' didn't start with prefix '%s'",
+--
+1.9.1
+
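Review bot: `strlen(prefix_skip) > 0` on the changed line duplicates the `curlen = strlen(prefix_skip)` computed on the very next line; `if (prefix_skip && *prefix_skip)` expresses the same condition without walking the string twice. Behaviourally the change is sound: an empty prefix now falls through to the same root-open path as a NULL prefix, which is what the mount_proc_if_needed patch in this series depends on when it compares rootfs against "" rather than NULL.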
diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/lxc_1.1.4.bb
index 4006deb..e017dcf 100644
--- a/recipes-containers/lxc/lxc_1.1.4.bb
+++ b/recipes-containers/lxc/lxc_1.1.4.bb
@@ -34,6 +34,9 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
file://make-some-OpenSSH-tools-optional.patch \
file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
+ file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
+ file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
+ file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
"
SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
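Review bot: the order of the three new file:// entries is load-bearing for utils.c: the open_without_symlink patch (index ed8c4c4..4e96a50) must apply before the mount_proc_if_needed patch (index 4e96a50..0bc7a20), and the listing here satisfies that, but nothing records the dependency. A brief comment in the recipe, or numbered prefixes on the patch files, would keep a later reordering from breaking do_patch. Since all three are marked Accepted upstream, also consider noting the LXC release that carries them so the patches can be dropped on the next version bump.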
--
1.9.1