aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMilan P. Stanić <mps@arvanta.net>2021-04-06 18:12:31 +0000
committerMilan P. Stanić <mps@arvanta.net>2021-04-06 20:38:31 +0000
commitc16cb33a3d241f0e194e41bb5e03d21dc63e7193 (patch)
tree9a403ae658e26800d493fcd0ec97b02e3b2bd563
parent6b99b5499ce8cbd00b596faeab9627aaabf5697f (diff)
downloadaports-c16cb33a3d241f0e194e41bb5e03d21dc63e7193.tar.gz
aports-c16cb33a3d241f0e194e41bb5e03d21dc63e7193.tar.bz2
aports-c16cb33a3d241f0e194e41bb5e03d21dc63e7193.tar.xz
main/lxc: fix cgroup mounting
pulled upstream patch which fixes lxc.cap.drop = sys_admin" fail closes: #12281
-rw-r--r--main/lxc/APKBUILD7
-rw-r--r--main/lxc/d524a35c49bdbf7132f91ac7678cbb9876091a68.patch232
2 files changed, 237 insertions, 2 deletions
diff --git a/main/lxc/APKBUILD b/main/lxc/APKBUILD
index 240d32fec2..e803863ce9 100644
--- a/main/lxc/APKBUILD
+++ b/main/lxc/APKBUILD
@@ -4,7 +4,7 @@
pkgname=lxc
pkgver=4.0.6
_pkgver=${pkgver/_rc/.rc}
-pkgrel=1
+pkgrel=2
pkgdesc="Userspace interface for the Linux kernel containment features"
url="https://linuxcontainers.org/lxc/"
arch="all"
@@ -41,6 +41,8 @@ subpackages="
source="https://linuxcontainers.org/downloads/lxc/lxc-$_pkgver.tar.gz
lxc.initd
lxc.confd
+
+ d524a35c49bdbf7132f91ac7678cbb9876091a68.patch
"
# secfixes:
@@ -166,4 +168,5 @@ bashcomp() {
sha512sums="98514796ef2091a291516ed7fde737df07ccfe374a0f8b4314e0ee992837e98ed02aa9f7809f8808a2f5ee1c7ae2dcea163531cdaedbb577211eeb9beff90c15 lxc-4.0.6.tar.gz
b74ffe7c3e8f193265a90ffeb6e5743b1212bc1416b898e5a7e59ddd7f06fc77dc34e2dcbb3614038ac6222a95e2b9beb9f03ab734c991837203ab626b1b091f lxc.initd
-91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd"
+91de43db5369a9e10102933514d674e9c875218a1ff2910dd882e5b9c308f9e430deacb13d1d7e0b2ed1ef682d0bb035aa6f8a6738f54fa2ca3a05acce04e467 lxc.confd
+a1fa4b0bfcfbf8d7bd82d7c8f2e328d3da8d6c0bb013cf294c7db05798f8123ead362c73b7cbb4d164a28430f0d03b1df026a6abfecc3c2ad8ab2cb7a31b6fc8 d524a35c49bdbf7132f91ac7678cbb9876091a68.patch"
diff --git a/main/lxc/d524a35c49bdbf7132f91ac7678cbb9876091a68.patch b/main/lxc/d524a35c49bdbf7132f91ac7678cbb9876091a68.patch
new file mode 100644
index 0000000000..9a70e4af05
--- /dev/null
+++ b/main/lxc/d524a35c49bdbf7132f91ac7678cbb9876091a68.patch
@@ -0,0 +1,232 @@
+From d524a35c49bdbf7132f91ac7678cbb9876091a68 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Thu, 4 Feb 2021 12:20:05 +0100
+Subject: [PATCH] cgroups: fix cgroup mounting
+
+Fixes: #3640
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfsng.c | 27 +++++++++++++-------
+ src/lxc/cgroups/cgroup.h | 4 +--
+ src/lxc/conf.c | 5 +---
+ src/lxc/syscall_wrappers.h | 19 ++++++++++++++
+ src/lxc/utils.c | 52 ++++++++++++++++++++++++++++++++++++++
+ src/lxc/utils.h | 4 +++
+ 6 files changed, 96 insertions(+), 15 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 303c2f6ab0..1c3ee7a1a6 100644
+--- a/src/lxc/cgroups/cgfsng.c
++++ b/src/lxc/cgroups/cgfsng.c
+@@ -44,6 +44,7 @@
+ #include "mainloop.h"
+ #include "memory_utils.h"
+ #include "storage/storage.h"
++#include "syscall_wrappers.h"
+ #include "utils.h"
+
+ #ifndef HAVE_STRLCPY
+@@ -1806,11 +1807,12 @@ static inline int cg_mount_cgroup_full(int type, struct hierarchy *h,
+ }
+
+ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
+- struct lxc_handler *handler,
+- const char *root, int type)
++ struct lxc_conf *conf, int type)
+ {
+ __do_free char *cgroup_root = NULL;
+ bool has_cgns = false, wants_force_mount = false;
++ struct lxc_rootfs *rootfs = &conf->rootfs;
++ const char *root = rootfs->path ? rootfs->mount : "";
+ int ret;
+
+ if (!ops)
+@@ -1819,7 +1821,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
+ if (!ops->hierarchies)
+ return true;
+
+- if (!handler || !handler->conf)
++ if (!conf)
+ return ret_set_errno(false, EINVAL);
+
+ if ((type & LXC_AUTO_CGROUP_MASK) == 0)
+@@ -1831,7 +1833,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
+ }
+
+ if (!wants_force_mount) {
+- wants_force_mount = lxc_wants_cap(CAP_SYS_ADMIN, handler->conf);
++ wants_force_mount = !lxc_wants_cap(CAP_SYS_ADMIN, conf);
+
+ /*
+ * Most recent distro versions currently have init system that
+@@ -1870,13 +1872,20 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
+ return cg_mount_cgroup_full(type, ops->unified, cgroup_root) == 0;
+ }
+
+- /* mount tmpfs */
+- ret = safe_mount_beneath(root, NULL, DEFAULT_CGROUP_MOUNTPOINT, "tmpfs",
+- MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
+- "size=10240k,mode=755");
++ /*
++ * Mount a tmpfs over DEFAULT_CGROUP_MOUNTPOINT. Note that we're
++ * relying on RESOLVE_BENEATH so we need to skip the leading "/" in the
++ * DEFAULT_CGROUP_MOUNTPOINT define.
++ */
++ ret = mount_at(rootfs->mntpt_fd, NULL, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE,
++ PROTECT_OPATH_DIRECTORY, PROTECT_LOOKUP_BENEATH_XDEV,
++ "tmpfs", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
++ "size=10240k,mode=755");
+ if (ret < 0) {
+ if (errno != ENOSYS)
+- return false;
++ return log_error_errno(false, errno,
++ "Failed to mount tmpfs on %s",
++ DEFAULT_CGROUP_MOUNTPOINT_RELATIVE);
+
+ ret = safe_mount(NULL, cgroup_root, "tmpfs",
+ MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
+diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
+index 7dec05a5c2..8f46330303 100644
+--- a/src/lxc/cgroups/cgroup.h
++++ b/src/lxc/cgroups/cgroup.h
+@@ -11,6 +11,7 @@
+ #include "macro.h"
+ #include "memory_utils.h"
+
++#define DEFAULT_CGROUP_MOUNTPOINT_RELATIVE "sys/fs/cgroup"
+ #define DEFAULT_CGROUP_MOUNTPOINT "/sys/fs/cgroup"
+ #define DEFAULT_PAYLOAD_CGROUP_PREFIX "lxc.payload."
+ #define DEFAULT_MONITOR_CGROUP_PREFIX "lxc.monitor."
+@@ -170,8 +171,7 @@ struct cgroup_ops {
+ bool (*chown)(struct cgroup_ops *ops, struct lxc_conf *conf);
+ bool (*attach)(struct cgroup_ops *ops, const struct lxc_conf *conf,
+ const char *name, const char *lxcpath, pid_t pid);
+- bool (*mount)(struct cgroup_ops *ops, struct lxc_handler *handler,
+- const char *root, int type);
++ bool (*mount)(struct cgroup_ops *ops, struct lxc_conf *conf, int type);
+ bool (*devices_activate)(struct cgroup_ops *ops,
+ struct lxc_handler *handler);
+ bool (*monitor_delegate_controllers)(struct cgroup_ops *ops);
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index ae4972551e..786582776e 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -718,10 +718,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_ha
+ if (flags & LXC_AUTO_CGROUP_FORCE)
+ cg_flags |= LXC_AUTO_CGROUP_FORCE;
+
+- if (!handler->cgroup_ops->mount(handler->cgroup_ops,
+- handler,
+- conf->rootfs.path ? conf->rootfs.mount : "",
+- cg_flags))
++ if (!handler->cgroup_ops->mount(handler->cgroup_ops, conf, cg_flags))
+ return log_error_errno(-1, errno, "Failed to mount \"/sys/fs/cgroup\"");
+ }
+
+diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
+index 37aa76c284..26574002b3 100644
+--- a/src/lxc/syscall_wrappers.h
++++ b/src/lxc/syscall_wrappers.h
+@@ -254,6 +254,25 @@ struct lxc_open_how {
+ (similar to chroot(2)). */
+ #endif
+
++#define PROTECT_LOOKUP_BENEATH (RESOLVE_BENEATH | RESOLVE_NO_XDEV | RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS)
++#define PROTECT_LOOKUP_BENEATH_WITH_SYMLINKS (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_SYMLINKS)
++#define PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS (PROTECT_LOOKUP_BENEATH & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS))
++#define PROTECT_LOOKUP_BENEATH_XDEV (PROTECT_LOOKUP_BENEATH & ~RESOLVE_NO_XDEV)
++
++#define PROTECT_LOOKUP_ABSOLUTE (PROTECT_LOOKUP_BENEATH & ~RESOLVE_BENEATH)
++#define PROTECT_LOOKUP_ABSOLUTE_WITH_SYMLINKS (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_SYMLINKS)
++#define PROTECT_LOOKUP_ABSOLUTE_WITH_MAGICLINKS (PROTECT_LOOKUP_ABSOLUTE & ~(RESOLVE_NO_SYMLINKS | RESOLVE_NO_MAGICLINKS))
++#define PROTECT_LOOKUP_ABSOLUTE_XDEV (PROTECT_LOOKUP_ABSOLUTE & ~RESOLVE_NO_XDEV)
++
++#define PROTECT_OPATH_FILE (O_NOFOLLOW | O_PATH | O_CLOEXEC)
++#define PROTECT_OPATH_DIRECTORY (PROTECT_OPATH_FILE | O_DIRECTORY)
++
++#define PROTECT_OPEN_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_RDONLY)
++#define PROTECT_OPEN (PROTECT_OPEN_WITH_TRAILING_SYMLINKS | O_NOFOLLOW)
++
++#define PROTECT_OPEN_W_WITH_TRAILING_SYMLINKS (O_CLOEXEC | O_NOCTTY | O_WRONLY)
++#define PROTECT_OPEN_W (PROTECT_OPEN_WITH_TRAILING_SYMLINKS | O_NOFOLLOW)
++
+ #ifndef HAVE_OPENAT2
+ static inline int openat2(int dfd, const char *filename, struct lxc_open_how *how, size_t size)
+ {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 2ea54f7b3d..05cdb7f60e 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1208,6 +1208,58 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
+ return 0;
+ }
+
++int mount_at(int dfd,
++ const char *src_under_dfd,
++ const char *dst_under_dfd,
++ __u64 o_flags,
++ __u64 resolve_flags,
++ const char *fstype,
++ unsigned int mnt_flags,
++ const void *data)
++{
++ __do_close int source_fd = -EBADF, target_fd = -EBADF;
++ struct lxc_open_how how = {
++ .flags = o_flags,
++ .resolve = resolve_flags,
++ };
++ int ret;
++ char src_buf[LXC_PROC_PID_FD_LEN], dst_buf[LXC_PROC_PID_FD_LEN];
++
++ if (dfd < 0)
++ return ret_errno(EINVAL);
++
++ if (!is_empty_string(src_buf) && *src_buf == '/')
++ return log_error_errno(-EINVAL, EINVAL, "Absolute path specified");
++
++ if (is_empty_string(dst_under_dfd))
++ return log_error_errno(-EINVAL, EINVAL, "No target path specified");
++
++ if (!is_empty_string(src_under_dfd)) {
++ source_fd = openat2(dfd, src_under_dfd, &how, sizeof(how));
++ if (source_fd < 0)
++ return -errno;
++
++ ret = snprintf(src_buf, sizeof(src_buf), "/proc/self/fd/%d", source_fd);
++ if (ret < 0 || ret >= sizeof(src_buf))
++ return -EIO;
++ }
++
++ target_fd = openat2(dfd, dst_under_dfd, &how, sizeof(how));
++ if (target_fd < 0)
++ return log_error_errno(-errno, errno, "Failed to open %d(%s)", dfd, dst_under_dfd);
++
++ ret = snprintf(dst_buf, sizeof(dst_buf), "/proc/self/fd/%d", target_fd);
++ if (ret < 0 || ret >= sizeof(dst_buf))
++ return -EIO;
++
++ if (!is_empty_string(src_buf))
++ ret = mount(src_under_dfd, dst_buf, fstype, mnt_flags, data);
++ else
++ ret = mount(NULL, dst_buf, fstype, mnt_flags, data);
++
++ return ret;
++}
++
+ /*
+ * Mount a proc under @rootfs if proc self points to a pid other than
+ * my own. This is needed to have a known-good proc mount for setting
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index bebbcb64e4..41044f5d25 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -243,5 +243,9 @@ __hidden extern int safe_mount_beneath(const char *beneath, const char *src, con
+ const char *fstype, unsigned int flags, const void *data);
+ __hidden extern int safe_mount_beneath_at(int beneat_fd, const char *src, const char *dst,
+ const char *fstype, unsigned int flags, const void *data);
++__hidden extern int mount_at(int dfd, const char *src_under_dfd,
++ const char *dst_under_dfd, __u64 o_flags,
++ __u64 resolve_flags, const char *fstype,
++ unsigned int mnt_flags, const void *data);
+
+ #endif /* __LXC_UTILS_H */