Commit 31666358 authored by Natanael Copa's avatar Natanael Copa

main/lxc: upgrade to 3.2.1

also backport a couple of regression fixes
parent 7627256f
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Contributor:
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=lxc
pkgver=3.1.0
pkgver=3.2.1
_pkgver=${pkgver/_rc/.rc}
pkgrel=2
pkgrel=0
pkgdesc="Userspace interface for the Linux kernel containment features"
url="https://linuxcontainers.org/lxc/"
arch="all"
......@@ -17,7 +16,7 @@ makedepends="
linux-headers
bsd-compat-headers
docbook2x
automake
autoconf
libtool
......@@ -38,14 +37,11 @@ subpackages="
$pkgname-templates::noarch
"
source="
https://linuxcontainers.org/downloads/lxc/lxc-$_pkgver.tar.gz
source="https://linuxcontainers.org/downloads/lxc/lxc-$_pkgver.tar.gz
cgroups-initialize-cpuset-properly.patch
network-restore-ability-to-move-nl80211-devices.patch
lxc.initd
lxc.confd
6400238d08cdf1ca20d49bafb85f4e224348bf9d.patch
re-exec-of-liblxc.patch
"
builddir="$srcdir/lxc-$_pkgver"
......@@ -175,8 +171,8 @@ bashcomp() {
rmdir "$pkgdir"/etc/bash_completion.d
}
sha512sums="706cee9bc8ac57300574b59d728437e41baa4eb16c68f8548142e53b4e13679ef6698df30a4fbf8617e4f07338f898464e9f818e80d32648fe9717370dcbbb20 lxc-3.1.0.tar.gz
sha512sums="4b3046fc6c4aa497fb26bd45839e60de503184af86d3966e796d14e619203536b9a9ed67bdcd8a108cf1a548f8d095fb46dff53094a08abd8d268c866db685c0 lxc-3.2.1.tar.gz
2bebe6cc24987354b6e7dc9003c3a4df450ca10263e6dc0e9313977fdfc2eb57c0d68560da4d1071c8de2f8e3e394ed3ca17af445bea524daa5f8ae8955b3ba6 cgroups-initialize-cpuset-properly.patch
d302b7296918680901d034dc12ae0687dbbc65766800a9f7256e661f638d3dcad66bcc737aec2c6de8c27d3b9c08833e00420c2064f356d6d73efda9ae9bd707 network-restore-ability-to-move-nl80211-devices.patch
b74ffe7c3e8f193265a90ffeb6e5743b1212bc1416b898e5a7e59ddd7f06fc77dc34e2dcbb3614038ac6222a95e2b9beb9f03ab734c991837203ab626b1b091f lxc.initd
91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd
c06f7390cc9814299bf94f2e5937b8adf1963b8c83a667d0ee189f2864cdab159ad053b3c5099c39643fb9664f2674060fa241760df017643f93353a52a65a86 6400238d08cdf1ca20d49bafb85f4e224348bf9d.patch
a561a783b2232c94a675ec0f8c9ffeb2288a5ae94ccefccde8991fd23e302771283e06c2b741a28d756da2cc1d0e856ea92b3bb5ec09d407ddb9bf54f2a6067d re-exec-of-liblxc.patch"
91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd"
From b31d62b847a3ee013613795094cce4acc12345ef Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sun, 28 Jul 2019 23:13:26 +0200
Subject: [PATCH] cgroups: initialize cpuset properly
Closes #3108.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/cgroups/cgfsng.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 7b8fe6736f..c29c0958e9 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized)
}
if (!flipped_bit) {
- DEBUG("No isolated or offline cpus present in cpuset");
- return true;
+ cpulist = lxc_cpumask_to_cpulist(possmask, maxposs);
+ TRACE("No isolated or offline cpus present in cpuset");
+ } else {
+ cpulist = move_ptr(posscpus);
+ TRACE("Removed isolated or offline cpus from cpuset");
}
- DEBUG("Removed isolated or offline cpus from cpuset");
-
- cpulist = lxc_cpumask_to_cpulist(possmask, maxposs);
if (!cpulist) {
ERROR("Failed to create cpu list");
return false;
# Force lxc to use cgfs instead of new cgfsng.
# This is a workaround for https://github.com/lxc/lxc/issues/1095.
lxc.cgroup.use = @kernel
From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Fri, 26 Jul 2019 08:20:02 +0200
Subject: [PATCH] network: restore ability to move nl80211 devices
Closes #3105.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/network.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/src/lxc/network.c b/src/lxc/network.c
index 9755116ba1..7684f95918 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
const char *newname)
{
- char *cmd;
+ __do_free char *cmd = NULL;
pid_t fpid;
- int err = -1;
/* Move phyN into the container. TODO - do this using netlink.
* However, IIUC this involves a bit more complicated work to talk to
* the 80211 module, so for now just call out to iw.
*/
cmd = on_path("iw", NULL);
- if (!cmd)
- goto out1;
- free(cmd);
+ if (!cmd) {
+ return -1;
+ }
fpid = fork();
if (fpid < 0)
- goto out1;
+ return -1;
if (fpid == 0) {
char pidstr[30];
@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
}
if (wait_for_pid(fpid))
- goto out1;
+ return -1;
- err = 0;
if (newname)
- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
-out1:
- free(physname);
- return err;
+ return 0;
}
int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
{
+ __do_free char *physname = NULL;
int index;
- char *physname;
if (!ifname)
return -EINVAL;
@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
return 0;
lxc_list_for_each(iterator, network) {
+ __do_free char *physname = NULL;
int ret;
struct lxc_netdev *netdev = iterator->elem;
if (!netdev->ifindex)
continue;
- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
+ if (netdev->type == LXC_NET_PHYS)
+ physname = is_wlan(netdev->link);
+
+ if (physname)
+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
+ else
+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
if (ret) {
errno = -ret;
SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
From d3a9befc86113228f77c89030336faa84a5557c0 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Tue, 12 Feb 2019 17:31:14 +0100
Subject: [PATCH] rexec: make rexecution opt-in for library callers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We cannot rexecute the liblxc shared library unconditionally as this would
break most of our downstreams. Here are some scenarios:
- anyone performing a dlopen() on the shared library (e.g. users of the LXC
Python bindings)
- LXD as it needs to know the absolute path to its own executable based on
/proc/self/exe etc.
This commit makes the rexecution of liblxc conditional on whether the
LXC_MEMFD_REXEC environment variable is set or not. If it is then liblxc is
unconditionally rexecuted.
The only relevant attack vector exists for lxc-attach which we simply reexecute
unconditionally.
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/Makefile.am | 4 +++-
src/lxc/rexec.c | 4 ++--
src/lxc/rexec.h | 26 ++++++++++++++++++++++++++
src/lxc/tools/lxc_attach.c | 18 ++++++++++++++++++
4 files changed, 49 insertions(+), 3 deletions(-)
create mode 100644 src/lxc/rexec.h
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index e1499a7ebe..ef19df9e08 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -25,6 +25,7 @@ noinst_HEADERS = api_extensions.h \
monitor.h \
namespace.h \
raw_syscalls.h \
+ rexec.h \
start.h \
state.h \
storage/btrfs.h \
@@ -180,7 +181,7 @@ liblxc_la_SOURCES += ../include/strlcat.c ../include/strlcat.h
endif
if ENFORCE_MEMFD_REXEC
-liblxc_la_SOURCES += rexec.c
+liblxc_la_SOURCES += rexec.c rexec.h
endif
AM_CFLAGS = -DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
@@ -307,6 +308,7 @@ LDADD = liblxc.la \
if ENABLE_TOOLS
lxc_attach_SOURCES = tools/lxc_attach.c \
+ rexec.c rexec.h \
tools/arguments.c tools/arguments.h
lxc_autostart_SOURCES = tools/lxc_autostart.c \
tools/arguments.c tools/arguments.h
diff --git a/src/lxc/rexec.c b/src/lxc/rexec.c
index 3ce499b1e2..024728d855 100644
--- a/src/lxc/rexec.c
+++ b/src/lxc/rexec.c
@@ -142,7 +142,7 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name)
errno = saved_errno;
}
-static int lxc_rexec(const char *memfd_name)
+int lxc_rexec(const char *memfd_name)
{
int ret;
char **argv = NULL, **envp = NULL;
@@ -179,7 +179,7 @@ static int lxc_rexec(const char *memfd_name)
*/
__attribute__((constructor)) static void liblxc_rexec(void)
{
- if (lxc_rexec("liblxc")) {
+ if (getenv("LXC_MEMFD_REXEC") && lxc_rexec("liblxc")) {
fprintf(stderr, "Failed to re-execute liblxc via memory file descriptor\n");
_exit(EXIT_FAILURE);
}
diff --git a/src/lxc/rexec.h b/src/lxc/rexec.h
new file mode 100644
index 0000000000..088ded932d
--- /dev/null
+++ b/src/lxc/rexec.h
@@ -0,0 +1,26 @@
+/* liblxcapi
+ *
+ * Copyright © 2019 Christian Brauner <christian.brauner@ubuntu.com>.
+ * Copyright © 2019 Canonical Ltd.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __LXC_REXEC_H
+#define __LXC_REXEC_H
+
+extern int lxc_rexec(const char *memfd_name);
+
+#endif /* __LXC_REXEC_H */
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index 3de0d7747f..d10b6ecc23 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -44,10 +44,28 @@
#include "config.h"
#include "confile.h"
#include "log.h"
+#include "rexec.h"
#include "utils.h"
lxc_log_define(lxc_attach, lxc);
+/**
+ * This function will copy any binary that calls liblxc into a memory file and
+ * will use the memfd to rexecute the binary. This is done to prevent attacks
+ * through the /proc/self/exe symlink to corrupt the host binary when host and
+ * container are in the same user namespace or have set up an identity id
+ * mapping: CVE-2019-5736.
+ */
+#ifdef ENFORCE_MEMFD_REXEC
+__attribute__((constructor)) static void lxc_attach_rexec(void)
+{
+ if (!getenv("LXC_MEMFD_REXEC") && lxc_rexec("lxc-attach")) {
+ fprintf(stderr, "Failed to re-execute lxc-attach via memory file descriptor\n");
+ _exit(EXIT_FAILURE);
+ }
+}
+#endif
+
static int my_parser(struct lxc_arguments *args, int c, char *arg);
static int add_to_simple_array(char ***array, ssize_t *capacity, char *value);
static bool stdfd_is_pty(void);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment