* [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
@ 2020-04-09 13:00 Xu, Yanfei
From: Xu, Yanfei @ 2020-04-09 13:00 UTC (permalink / raw)
To: bruce.ashfield, meta-virtualization
From: Yanfei Xu <yanfei.xu@windriver.com>
Update to the just released 4.0.1, and drop some patches contained
in this release.
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
...dd-option-to-set-keyring-SELinux-con.patch | 275 ------------------
...-rename-internal-memfd_create-to-mem.patch | 46 ---
...dd-option-to-disable-session-keyring.patch | 217 --------------
...tore-ability-to-move-nl80211-devices.patch | 94 ------
.../lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} | 10 +-
5 files changed, 3 insertions(+), 639 deletions(-)
delete mode 100644 recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
delete mode 100644 recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
delete mode 100644 recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
delete mode 100644 recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
rename recipes-containers/lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} (92%)
diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
deleted file mode 100644
index 0da1be0..0000000
--- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
+++ /dev/null
@@ -1,275 +0,0 @@
-From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
-From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-Date: Wed, 29 Jan 2020 17:09:50 +0100
-Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
-
-lxc set's up a new session keyring for every container by default.
-If executed on an SELinux enabled system, by default, the keyring
-inherits the label of the creating process. If executed with the
-currently available SELinux policy, this means that the keyring
-is labeled with the lxc_t type. Applications inside the container,
-however, might expect that the keyring is labeled with a certain
-context (and will fail to access the keyring if it's not explicitly
-allowed in the global policy). This patch introduces the config
-option lxc.selinux.context.keyring which enables to specify the
-label of the newly created keyring. That is, the keyring can be
-labeled with the label expected by the started application.
-
-Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
----
- config/selinux/lxc.te | 3 +++
- src/lxc/conf.c | 10 +++++++++-
- src/lxc/conf.h | 1 +
- src/lxc/confile.c | 24 ++++++++++++++++++++++++
- src/lxc/lsm/lsm.c | 13 +++++++++++++
- src/lxc/lsm/lsm.h | 2 ++
- src/lxc/lsm/selinux.c | 13 +++++++++++++
- src/lxc/utils.c | 9 ++++++++-
- src/lxc/utils.h | 2 +-
- 9 files changed, 74 insertions(+), 3 deletions(-)
-
-diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
-index bb4bfe3a8..d3f78d80b 100644
---- a/config/selinux/lxc.te
-+++ b/config/selinux/lxc.te
-@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
- allow lxc_t self:rawip_socket create_socket_perms;
- allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
-
-+# Needed to set label that the keyring will be created with
-+allow lxc_t self:process { setkeycreate };
-+
- dontaudit lxc_t sysctl_kernel_t:file write;
- dontaudit lxc_t sysctl_modprobe_t:file write;
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 0f8b3c928..b06fbf047 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
- new->lsm_aa_profile = NULL;
- lxc_list_init(&new->lsm_aa_raw);
- new->lsm_se_context = NULL;
-+ new->lsm_se_keyring_context = NULL;
- new->tmp_umount_proc = false;
- new->tmp_umount_proc = 0;
- new->shmount.path_host = NULL;
-@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
- int ret;
- const char *lxcpath = handler->lxcpath, *name = handler->name;
- struct lxc_conf *lxc_conf = handler->conf;
-+ char *keyring_context = NULL;
-
- ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
- if (ret < 0) {
-@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
- }
- }
-
-- ret = lxc_setup_keyring();
-+ if (lxc_conf->lsm_se_keyring_context) {
-+ keyring_context = lxc_conf->lsm_se_keyring_context;
-+ } else if (lxc_conf->lsm_se_context) {
-+ keyring_context = lxc_conf->lsm_se_context;
-+ }
-+
-+ ret = lxc_setup_keyring(keyring_context);
- if (ret < 0)
- return -1;
-
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index 2664a1527..bb47b720e 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -295,6 +295,7 @@ struct lxc_conf {
- unsigned int lsm_aa_allow_incomplete;
- struct lxc_list lsm_aa_raw;
- char *lsm_se_context;
-+ char *lsm_se_keyring_context;
- bool tmp_umount_proc;
- struct lxc_seccomp seccomp;
- int maincmd_fd;
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 36d62cbca..df184af73 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
- lxc_config_define(seccomp_notify_cookie);
- lxc_config_define(seccomp_notify_proxy);
- lxc_config_define(selinux_context);
-+lxc_config_define(selinux_context_keyring);
- lxc_config_define(signal_halt);
- lxc_config_define(signal_reboot);
- lxc_config_define(signal_stop);
-@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
- { "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, },
- { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, },
- { "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, },
-+ { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring },
- { "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, },
- { "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, },
- { "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, },
-@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value,
- return set_config_string_item(&lxc_conf->lsm_se_context, value);
- }
-
-+static int set_config_selinux_context_keyring(const char *key, const char *value,
-+ struct lxc_conf *lxc_conf, void *data)
-+{
-+ return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
-+}
-+
- static int set_config_log_file(const char *key, const char *value,
- struct lxc_conf *c, void *data)
- {
-@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
- return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
- }
-
-+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
-+ struct lxc_conf *c, void *data)
-+{
-+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
-+}
-+
-+
- /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
- * just the value(s) will be printed. Since there still could be more than one,
- * it is newline-separated.
-@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
- return 0;
- }
-
-+static inline int clr_config_selinux_context_keyring(const char *key,
-+ struct lxc_conf *c, void *data)
-+{
-+ free(c->lsm_se_keyring_context);
-+ c->lsm_se_keyring_context = NULL;
-+ return 0;
-+}
-+
- static inline int clr_config_cgroup_controller(const char *key,
- struct lxc_conf *c, void *data)
- {
-@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
- strprint(retv, inlen, "dir\n");
- } else if (!strcmp(key, "lxc.selinux")) {
- strprint(retv, inlen, "context\n");
-+ strprint(retv, inlen, "context.keyring\n");
- } else if (!strcmp(key, "lxc.mount")) {
- strprint(retv, inlen, "auto\n");
- strprint(retv, inlen, "entry\n");
-diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
-index 5538c9e84..48c22b700 100644
---- a/src/lxc/lsm/lsm.c
-+++ b/src/lxc/lsm/lsm.c
-@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
-
- drv->cleanup(conf, lxcpath);
- }
-+
-+int lsm_keyring_label_set(char *label) {
-+
-+ if (!drv) {
-+ ERROR("LSM driver not inited");
-+ return -1;
-+ }
-+
-+ if (!drv->keyring_label_set)
-+ return 0;
-+
-+ return drv->keyring_label_set(label);
-+}
-diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
-index dda740b3d..a645a2fa0 100644
---- a/src/lxc/lsm/lsm.h
-+++ b/src/lxc/lsm/lsm.h
-@@ -38,6 +38,7 @@ struct lsm_drv {
- char *(*process_label_get)(pid_t pid);
- int (*process_label_set)(const char *label, struct lxc_conf *conf,
- bool on_exec);
-+ int (*keyring_label_set)(char* label);
- int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
- void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
- };
-@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
- extern int lsm_process_label_set_at(int label_fd, const char *label,
- bool on_exec);
- extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
-+extern int lsm_keyring_label_set(char *label);
-
- #endif /* __LXC_LSM_H */
-diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
-index 625bcae90..b3d95c310 100644
---- a/src/lxc/lsm/selinux.c
-+++ b/src/lxc/lsm/selinux.c
-@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
- return 0;
- }
-
-+/*
-+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
-+ *
-+ * @label : label string
-+ *
-+ * Returns 0 on success, < 0 on failure
-+ */
-+static int selinux_keyring_label_set(char *label)
-+{
-+ return setkeycreatecon_raw(label);
-+};
-+
- static struct lsm_drv selinux_drv = {
- .name = "SELinux",
- .enabled = is_selinux_enabled,
- .process_label_get = selinux_process_label_get,
- .process_label_set = selinux_process_label_set,
-+ .keyring_label_set = selinux_keyring_label_set,
- };
-
- struct lsm_drv *lsm_selinux_drv_init(void)
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index bf4a9c2cb..90852eb87 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -48,6 +48,7 @@
-
- #include "config.h"
- #include "log.h"
-+#include "lsm/lsm.h"
- #include "lxclock.h"
- #include "memory_utils.h"
- #include "namespace.h"
-@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
- return r;
- }
-
--int lxc_setup_keyring(void)
-+int lxc_setup_keyring(char *keyring_label)
- {
- key_serial_t keyring;
- int ret = 0;
-
-+ if (keyring_label) {
-+ if (lsm_keyring_label_set(keyring_label) < 0) {
-+ ERROR("Couldn't set keyring label");
-+ }
-+ }
-+
- /* Try to allocate a new session keyring for the container to prevent
- * information leaks.
- */
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index dd6404f0b..7560711b7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
- extern int lxc_set_death_signal(int signal, pid_t parent);
- extern int fd_cloexec(int fd, bool cloexec);
- extern int recursive_destroy(char *dirname);
--extern int lxc_setup_keyring(void);
-+extern int lxc_setup_keyring(char *keyring_label);
-
- #endif /* __LXC_UTILS_H */
---
-2.24.1
-
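Review bot: dropping this file also removes the SELinux policy rule it carried (`allow lxc_t self:process { setkeycreate };` in `config/selinux/lxc.te`), not just the C code, so the 4.0.1 tarball should be checked for an equivalent rule before the patch goes. Without `setkeycreate`, `setkeycreatecon_raw()` fails under an enforcing policy, and the deleted `lxc_setup_keyring()` shows that such a failure is only logged ("Couldn't set keyring label") while the container still starts with a session keyring labelled as the creating process, which is exactly the situation the patch description says applications inside the container cannot cope with. This file has no `Upstream-Status` line, so the commit message should name the upstream lxc commit that makes `lxc.selinux.context.keyring` part of 4.0.1 rather than only saying the patch is "contained in this release".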
diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
deleted file mode 100644
index 9d5b5b8..0000000
--- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
-From: Patrick Havelange <patrick.havelange@essensium.com>
-Date: Tue, 22 Oct 2019 12:29:54 +0200
-Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
- memfd_create_lxc
-
-In case the internal memfd_create has to be used, make sure we don't
-clash with the already existing memfd_create function from glibc.
-
-This can happen if this glibc function is a stub. In this case, at
-./configure time, the test for this function will return false, however
-the declaration of that function is still available. This leads to
-compilation errors.
-
-Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
-
-Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
-(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
-Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
----
- v2: added Upstream-Status
-
- src/lxc/syscall_wrappers.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
-index ce67da5b5308..b7edba63f5d7 100644
---- a/src/lxc/syscall_wrappers.h
-+++ b/src/lxc/syscall_wrappers.h
-@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
- #endif
-
- #ifndef HAVE_MEMFD_CREATE
--static inline int memfd_create(const char *name, unsigned int flags) {
-+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
- #ifndef __NR_memfd_create
- #if defined __i386__
- #define __NR_memfd_create 356
-@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
- return -1;
- #endif
- }
-+#define memfd_create memfd_create_lxc
- #else
- extern int memfd_create(const char *name, unsigned int flags);
- #endif
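Review bot: this removal is the only one of the four that is self-documenting, because its header carries `Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]` and the cherry-picked commit id, so a reviewer can confirm the `memfd_create_lxc` rename is in 4.0.1 from the header alone; the three other deleted patches lack such a line, and the uprev commit message should list the upstream references for each so the drop is verifiable from `git log`. The rename only mattered when `HAVE_MEMFD_CREATE` was unset because glibc's `memfd_create` was a stub, so if the layer still targets such a toolchain the 4.0.1 configure check is the thing to re-run before trusting that this workaround is no longer needed.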
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
deleted file mode 100644
index 34647c8..0000000
--- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
-From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-Date: Thu, 30 Jan 2020 19:21:10 +0100
-Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
- creation
-
-lxc set's up a new session keyring for every container by default.
-There might be valid use-cases where this is not wanted / needed
-(e.g. systemd by default creates a new session keyring anyway).
-
-Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
----
- src/lxc/conf.c | 19 ++++++++++--------
- src/lxc/conf.h | 1 +
- src/lxc/confile.c | 44 ++++++++++++++++++++++-------------------
- src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
- src/lxc/confile_utils.h | 2 ++
- 5 files changed, 62 insertions(+), 28 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index b06fbf047..be4761a54 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
- lxc_list_init(&new->lsm_aa_raw);
- new->lsm_se_context = NULL;
- new->lsm_se_keyring_context = NULL;
-+ new->keyring_disable_session = false;
- new->tmp_umount_proc = false;
- new->tmp_umount_proc = 0;
- new->shmount.path_host = NULL;
-@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
- }
- }
-
-- if (lxc_conf->lsm_se_keyring_context) {
-- keyring_context = lxc_conf->lsm_se_keyring_context;
-- } else if (lxc_conf->lsm_se_context) {
-- keyring_context = lxc_conf->lsm_se_context;
-- }
-+ if (!lxc_conf->keyring_disable_session) {
-+ if (lxc_conf->lsm_se_keyring_context) {
-+ keyring_context = lxc_conf->lsm_se_keyring_context;
-+ } else if (lxc_conf->lsm_se_context) {
-+ keyring_context = lxc_conf->lsm_se_context;
-+ }
-
-- ret = lxc_setup_keyring(keyring_context);
-- if (ret < 0)
-- return -1;
-+ ret = lxc_setup_keyring(keyring_context);
-+ if (ret < 0)
-+ return -1;
-+ }
-
- if (handler->ns_clone_flags & CLONE_NEWNET) {
- ret = lxc_setup_network_in_child_namespaces(lxc_conf,
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index bb47b720e..b81786838 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -296,6 +296,7 @@ struct lxc_conf {
- struct lxc_list lsm_aa_raw;
- char *lsm_se_context;
- char *lsm_se_keyring_context;
-+ bool keyring_disable_session;
- bool tmp_umount_proc;
- struct lxc_seccomp seccomp;
- int maincmd_fd;
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index df184af73..fd8b3aaba 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
- lxc_config_define(init_cwd);
- lxc_config_define(init_gid);
- lxc_config_define(init_uid);
-+lxc_config_define(keyring_session);
- lxc_config_define(log_file);
- lxc_config_define(log_level);
- lxc_config_define(log_syslog);
-@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
- { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
- { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
- { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
-+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
- { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
- { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
- { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
-@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
- return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
- }
-
-+static int set_config_keyring_session(const char *key, const char *value,
-+ struct lxc_conf *lxc_conf, void *data)
-+{
-+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
-+}
-+
- static int set_config_log_file(const char *key, const char *value,
- struct lxc_conf *c, void *data)
- {
-@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
- static int set_config_rootfs_managed(const char *key, const char *value,
- struct lxc_conf *lxc_conf, void *data)
- {
-- unsigned int val = 0;
--
-- if (lxc_config_value_empty(value)) {
-- lxc_conf->rootfs.managed = true;
-- return 0;
-- }
--
-- if (lxc_safe_uint(value, &val) < 0)
-- return -EINVAL;
--
-- switch (val) {
-- case 0:
-- lxc_conf->rootfs.managed = false;
-- return 0;
-- case 1:
-- lxc_conf->rootfs.managed = true;
-- return 0;
-- }
--
-- return -EINVAL;
-+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
- }
-
- static int set_config_rootfs_mount(const char *key, const char *value,
-@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
- return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
- }
-
-+static int get_config_keyring_session(const char *key, char *retv, int inlen,
-+ struct lxc_conf *c, void *data)
-+{
-+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
-+}
-+
-
- /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
- * just the value(s) will be printed. Since there still could be more than one,
-@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
- return 0;
- }
-
-+static inline int clr_config_keyring_session(const char *key,
-+ struct lxc_conf *c, void *data)
-+{
-+ c->keyring_disable_session = false;
-+ return 0;
-+}
-+
- static inline int clr_config_cgroup_controller(const char *key,
- struct lxc_conf *c, void *data)
- {
-@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
- strprint(retv, inlen, "order\n");
- } else if (!strcmp(key, "lxc.monitor")) {
- strprint(retv, inlen, "unshare\n");
-+ } else if (!strcmp(key, "lxc.keyring")) {
-+ strprint(retv, inlen, "session\n");
- } else {
- fulllen = -1;
- }
-diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
-index 6941f4026..02e48454b 100644
---- a/src/lxc/confile_utils.c
-+++ b/src/lxc/confile_utils.c
-@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
- return set_config_string_item_max(conf_item, value, PATH_MAX);
- }
-
-+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
-+{
-+ unsigned int val = 0;
-+
-+ if (lxc_config_value_empty(value)) {
-+ *conf_item = empty_conf_action;
-+ return 0;
-+ }
-+
-+ if (lxc_safe_uint(value, &val) < 0)
-+ return -EINVAL;
-+
-+ switch (val) {
-+ case 0:
-+ *conf_item = false;
-+ return 0;
-+ case 1:
-+ *conf_item = true;
-+ return 0;
-+ }
-+
-+ return -EINVAL;
-+}
-+
- int config_ip_prefix(struct in_addr *addr)
- {
- if (IN_CLASSA(addr->s_addr))
-diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
-index f68f9604f..83d49bace 100644
---- a/src/lxc/confile_utils.h
-+++ b/src/lxc/confile_utils.h
-@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
- extern int set_config_string_item_max(char **conf_item, const char *value,
- size_t max);
- extern int set_config_path_item(char **conf_item, const char *value);
-+extern int set_config_bool_item(bool *conf_item, const char *value,
-+ bool empty_conf_action);
- extern int config_ip_prefix(struct in_addr *addr);
- extern int network_ifname(char *valuep, const char *value, size_t size);
- extern void rand_complete_hwaddr(char *hwaddr);
---
-2.24.1
-
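Review bot: configuration compatibility is the point to record for this removal. In the deleted patch `lxc.keyring.session` is wired through `set_config_bool_item(&lxc_conf->keyring_disable_session, value, false)`, so note the polarity: a value of `1` sets `keyring_disable_session = true` and skips `lxc_setup_keyring()` entirely, which the 0001 hunk documents as allocating a fresh session keyring "to prevent information leaks". Any container configs in this layer that set `lxc.keyring.session` should be checked against the key's semantics in 4.0.1, and the commit message should name the upstream commit that superseded this patch. The hunk also drops the generic `set_config_bool_item()` helper and the `set_config_rootfs_managed()` refactor built on it; both are fine to lose only if 4.0.1 ships them.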
diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
deleted file mode 100644
index aa1aecd..0000000
--- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Fri, 26 Jul 2019 08:20:02 +0200
-Subject: [PATCH] network: restore ability to move nl80211 devices
-
-Closes #3105.
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/network.c | 31 +++++++++++++++++--------------
- 1 file changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/lxc/network.c b/src/lxc/network.c
-index 9755116..7684f95 100644
---- a/src/lxc/network.c
-+++ b/src/lxc/network.c
-@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
- static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
- const char *newname)
- {
-- char *cmd;
-+ __do_free char *cmd = NULL;
- pid_t fpid;
-- int err = -1;
-
- /* Move phyN into the container. TODO - do this using netlink.
- * However, IIUC this involves a bit more complicated work to talk to
- * the 80211 module, so for now just call out to iw.
- */
- cmd = on_path("iw", NULL);
-- if (!cmd)
-- goto out1;
-- free(cmd);
-+ if (!cmd) {
-+ return -1;
-+ }
-
- fpid = fork();
- if (fpid < 0)
-- goto out1;
-+ return -1;
-
- if (fpid == 0) {
- char pidstr[30];
-@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
- }
-
- if (wait_for_pid(fpid))
-- goto out1;
-+ return -1;
-
-- err = 0;
- if (newname)
-- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
-+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
-
--out1:
-- free(physname);
-- return err;
-+ return 0;
- }
-
- int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
- {
-+ __do_free char *physname = NULL;
- int index;
-- char *physname;
-
- if (!ifname)
- return -EINVAL;
-@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
- return 0;
-
- lxc_list_for_each(iterator, network) {
-+ __do_free char *physname = NULL;
- int ret;
- struct lxc_netdev *netdev = iterator->elem;
-
- if (!netdev->ifindex)
- continue;
-
-- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
-+ if (netdev->type == LXC_NET_PHYS)
-+ physname = is_wlan(netdev->link);
-+
-+ if (physname)
-+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
-+ else
-+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
- if (ret) {
- errno = -ret;
- SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
---
-2.7.4
-
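Review bot: the header identifies this as upstream lxc commit 3dd7829433f6 ("Closes #3105", July 2019), so it is likely already in 4.0.1, but that cannot be confirmed from this hunk alone; either add an `Upstream-Status` note for it to the commit message or cite the 4.0.1 lines in `lxc_network_move_created_netdev_priv()` that call `lxc_netdev_move_wlan()` for `LXC_NET_PHYS` links. Functionally this is the patch that makes physical wlan passthrough work, so a regression here would surface at runtime as a failed move of the device into the container's network namespace rather than as a build error, which is worth a quick test on a board with a wireless interface.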
diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
similarity index 92%
rename from recipes-containers/lxc/lxc_3.2.1.bb
rename to recipes-containers/lxc/lxc_4.0.1.bb
index 9592dd9..a3de38e 100644
--- a/recipes-containers/lxc/lxc_3.2.1.bb
+++ b/recipes-containers/lxc/lxc_4.0.1.bb
@@ -1,7 +1,7 @@
DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
SECTION = "console/utils"
LICENSE = "LGPLv2.1"
-LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
DEPENDS = "libxml2 libcap"
RDEPENDS_${PN} = " \
rsync \
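Review bot: the `LIC_FILES_CHKSUM` md5 for `COPYING` changes but the commit message does not mention it; say why (upstream replaced or reformatted the license text) and confirm that `LICENSE = "LGPLv2.1"` still matches the new file, since a checksum bump is the only signal reviewers get that the license terms may have changed. While this header is being touched, the `DESCRIPTION` context line has two typos ("functionnalities", "an userspace") worth fixing in a follow-up.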
@@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
file://templates-use-curl-instead-of-wget.patch \
file://tests-our-init-is-not-busybox.patch \
file://tests-add-no-validate-when-using-download-template.patch \
- file://network-restore-ability-to-move-nl80211-devices.patch \
- file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
- file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
file://dnsmasq.conf \
file://lxc-net \
- file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
"
-SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
-SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
+SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
+SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
S = "${WORKDIR}/${BPN}-${PV}"
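Review bot: with the four local patches gone, the remaining `SRC_URI` still fetches the tarball over plain `http://` (`http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz`); the updated `sha256sum` pins the content, so this is not a correctness bug, but switching to `https://` where the server offers it would keep the fetch itself from being observed or tampered with and is a one-line change while the checksums are being updated anyway. The commit message should also record where the new `md5sum`/`sha256sum` values were taken from (upstream's published checksums or release signature) so the pin can be independently verified.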
--
2.18.2
* Re: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
From: Bruce Ashfield @ 2020-04-13 17:54 UTC (permalink / raw)
To: yanfei.xu; +Cc: meta-virtualization
Thanks for the quick turnaround on the uprev! We are much
better off with the LTS version.
Everything worked here, so this is now merged.
Bruce
In message: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
on 09/04/2020 yanfei.xu@windriver.com wrote:
> From: Yanfei Xu <yanfei.xu@windriver.com>
>
> Update to the just released 4.0.1, and drop some patches contained
> in this release.
>
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> -+ struct lxc_conf *c, void *data)
> -+{
> -+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> -+}
> -+
> -+
> - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> - * just the value(s) will be printed. Since there still could be more than one,
> - * it is newline-separated.
> -@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
> - return 0;
> - }
> -
> -+static inline int clr_config_selinux_context_keyring(const char *key,
> -+ struct lxc_conf *c, void *data)
> -+{
> -+ free(c->lsm_se_keyring_context);
> -+ c->lsm_se_keyring_context = NULL;
> -+ return 0;
> -+}
> -+
> - static inline int clr_config_cgroup_controller(const char *key,
> - struct lxc_conf *c, void *data)
> - {
> -@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> - strprint(retv, inlen, "dir\n");
> - } else if (!strcmp(key, "lxc.selinux")) {
> - strprint(retv, inlen, "context\n");
> -+ strprint(retv, inlen, "context.keyring\n");
> - } else if (!strcmp(key, "lxc.mount")) {
> - strprint(retv, inlen, "auto\n");
> - strprint(retv, inlen, "entry\n");
> -diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> -index 5538c9e84..48c22b700 100644
> ---- a/src/lxc/lsm/lsm.c
> -+++ b/src/lxc/lsm/lsm.c
> -@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
> -
> - drv->cleanup(conf, lxcpath);
> - }
> -+
> -+int lsm_keyring_label_set(char *label) {
> -+
> -+ if (!drv) {
> -+ ERROR("LSM driver not inited");
> -+ return -1;
> -+ }
> -+
> -+ if (!drv->keyring_label_set)
> -+ return 0;
> -+
> -+ return drv->keyring_label_set(label);
> -+}
> -diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> -index dda740b3d..a645a2fa0 100644
> ---- a/src/lxc/lsm/lsm.h
> -+++ b/src/lxc/lsm/lsm.h
> -@@ -38,6 +38,7 @@ struct lsm_drv {
> - char *(*process_label_get)(pid_t pid);
> - int (*process_label_set)(const char *label, struct lxc_conf *conf,
> - bool on_exec);
> -+ int (*keyring_label_set)(char* label);
> - int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
> - void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
> - };
> -@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
> - extern int lsm_process_label_set_at(int label_fd, const char *label,
> - bool on_exec);
> - extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
> -+extern int lsm_keyring_label_set(char *label);
> -
> - #endif /* __LXC_LSM_H */
> -diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> -index 625bcae90..b3d95c310 100644
> ---- a/src/lxc/lsm/selinux.c
> -+++ b/src/lxc/lsm/selinux.c
> -@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
> - return 0;
> - }
> -
> -+/*
> -+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
> -+ *
> -+ * @label : label string
> -+ *
> -+ * Returns 0 on success, < 0 on failure
> -+ */
> -+static int selinux_keyring_label_set(char *label)
> -+{
> -+ return setkeycreatecon_raw(label);
> -+};
> -+
> - static struct lsm_drv selinux_drv = {
> - .name = "SELinux",
> - .enabled = is_selinux_enabled,
> - .process_label_get = selinux_process_label_get,
> - .process_label_set = selinux_process_label_set,
> -+ .keyring_label_set = selinux_keyring_label_set,
> - };
> -
> - struct lsm_drv *lsm_selinux_drv_init(void)
> -diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> -index bf4a9c2cb..90852eb87 100644
> ---- a/src/lxc/utils.c
> -+++ b/src/lxc/utils.c
> -@@ -48,6 +48,7 @@
> -
> - #include "config.h"
> - #include "log.h"
> -+#include "lsm/lsm.h"
> - #include "lxclock.h"
> - #include "memory_utils.h"
> - #include "namespace.h"
> -@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
> - return r;
> - }
> -
> --int lxc_setup_keyring(void)
> -+int lxc_setup_keyring(char *keyring_label)
> - {
> - key_serial_t keyring;
> - int ret = 0;
> -
> -+ if (keyring_label) {
> -+ if (lsm_keyring_label_set(keyring_label) < 0) {
> -+ ERROR("Couldn't set keyring label");
> -+ }
> -+ }
> -+
> - /* Try to allocate a new session keyring for the container to prevent
> - * information leaks.
> - */
> -diff --git a/src/lxc/utils.h b/src/lxc/utils.h
> -index dd6404f0b..7560711b7 100644
> ---- a/src/lxc/utils.h
> -+++ b/src/lxc/utils.h
> -@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
> - extern int lxc_set_death_signal(int signal, pid_t parent);
> - extern int fd_cloexec(int fd, bool cloexec);
> - extern int recursive_destroy(char *dirname);
> --extern int lxc_setup_keyring(void);
> -+extern int lxc_setup_keyring(char *keyring_label);
> -
> - #endif /* __LXC_UTILS_H */
> ---
> -2.24.1
> -
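Review bot: the dropped patch 0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch carries no Upstream-Status tag, so the commit message's claim that it is "contained in this released" cannot be checked from the recipe alone. Please name the upstream lxc commit in the commit message, or note that the `lxc.selinux.context.keyring` key this patch adds (the `config_jump_table` entry and the `lxc_list_subkeys` hunk above) is present in the 4.0.1 source. The `allow lxc_t self:process { setkeycreate };` rule in config/selinux/lxc.te should likewise be confirmed to ship upstream, since a policy built from the layer would otherwise lose the permission lxc needs for `setkeycreatecon_raw()`.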
> diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> deleted file mode 100644
> index 9d5b5b8..0000000
> --- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
> -From: Patrick Havelange <patrick.havelange@essensium.com>
> -Date: Tue, 22 Oct 2019 12:29:54 +0200
> -Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
> - memfd_create_lxc
> -
> -In case the internal memfd_create has to be used, make sure we don't
> -clash with the already existing memfd_create function from glibc.
> -
> -This can happen if this glibc function is a stub. In this case, at
> -./configure time, the test for this function will return false, however
> -the declaration of that function is still available. This leads to
> -compilation errors.
> -
> -Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
> -
> -Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
> -(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
> -Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
> ----
> - v2: added Upstream-Status
> -
> - src/lxc/syscall_wrappers.h | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
> -index ce67da5b5308..b7edba63f5d7 100644
> ---- a/src/lxc/syscall_wrappers.h
> -+++ b/src/lxc/syscall_wrappers.h
> -@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
> - #endif
> -
> - #ifndef HAVE_MEMFD_CREATE
> --static inline int memfd_create(const char *name, unsigned int flags) {
> -+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
> - #ifndef __NR_memfd_create
> - #if defined __i386__
> - #define __NR_memfd_create 356
> -@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
> - return -1;
> - #endif
> - }
> -+#define memfd_create memfd_create_lxc
> - #else
> - extern int memfd_create(const char *name, unsigned int flags);
> - #endif
> diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> deleted file mode 100644
> index 34647c8..0000000
> --- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> +++ /dev/null
> @@ -1,217 +0,0 @@
> -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
> -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> -Date: Thu, 30 Jan 2020 19:21:10 +0100
> -Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
> - creation
> -
> -lxc set's up a new session keyring for every container by default.
> -There might be valid use-cases where this is not wanted / needed
> -(e.g. systemd by default creates a new session keyring anyway).
> -
> -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> ----
> - src/lxc/conf.c | 19 ++++++++++--------
> - src/lxc/conf.h | 1 +
> - src/lxc/confile.c | 44 ++++++++++++++++++++++-------------------
> - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
> - src/lxc/confile_utils.h | 2 ++
> - 5 files changed, 62 insertions(+), 28 deletions(-)
> -
> -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> -index b06fbf047..be4761a54 100644
> ---- a/src/lxc/conf.c
> -+++ b/src/lxc/conf.c
> -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
> - lxc_list_init(&new->lsm_aa_raw);
> - new->lsm_se_context = NULL;
> - new->lsm_se_keyring_context = NULL;
> -+ new->keyring_disable_session = false;
> - new->tmp_umount_proc = false;
> - new->tmp_umount_proc = 0;
> - new->shmount.path_host = NULL;
> -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
> - }
> - }
> -
> -- if (lxc_conf->lsm_se_keyring_context) {
> -- keyring_context = lxc_conf->lsm_se_keyring_context;
> -- } else if (lxc_conf->lsm_se_context) {
> -- keyring_context = lxc_conf->lsm_se_context;
> -- }
> -+ if (!lxc_conf->keyring_disable_session) {
> -+ if (lxc_conf->lsm_se_keyring_context) {
> -+ keyring_context = lxc_conf->lsm_se_keyring_context;
> -+ } else if (lxc_conf->lsm_se_context) {
> -+ keyring_context = lxc_conf->lsm_se_context;
> -+ }
> -
> -- ret = lxc_setup_keyring(keyring_context);
> -- if (ret < 0)
> -- return -1;
> -+ ret = lxc_setup_keyring(keyring_context);
> -+ if (ret < 0)
> -+ return -1;
> -+ }
> -
> - if (handler->ns_clone_flags & CLONE_NEWNET) {
> - ret = lxc_setup_network_in_child_namespaces(lxc_conf,
> -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> -index bb47b720e..b81786838 100644
> ---- a/src/lxc/conf.h
> -+++ b/src/lxc/conf.h
> -@@ -296,6 +296,7 @@ struct lxc_conf {
> - struct lxc_list lsm_aa_raw;
> - char *lsm_se_context;
> - char *lsm_se_keyring_context;
> -+ bool keyring_disable_session;
> - bool tmp_umount_proc;
> - struct lxc_seccomp seccomp;
> - int maincmd_fd;
> -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> -index df184af73..fd8b3aaba 100644
> ---- a/src/lxc/confile.c
> -+++ b/src/lxc/confile.c
> -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
> - lxc_config_define(init_cwd);
> - lxc_config_define(init_gid);
> - lxc_config_define(init_uid);
> -+lxc_config_define(keyring_session);
> - lxc_config_define(log_file);
> - lxc_config_define(log_level);
> - lxc_config_define(log_syslog);
> -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
> - { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
> - { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
> - { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
> -+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
> - { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
> - { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
> - { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
> -@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
> - return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
> - }
> -
> -+static int set_config_keyring_session(const char *key, const char *value,
> -+ struct lxc_conf *lxc_conf, void *data)
> -+{
> -+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
> -+}
> -+
> - static int set_config_log_file(const char *key, const char *value,
> - struct lxc_conf *c, void *data)
> - {
> -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
> - static int set_config_rootfs_managed(const char *key, const char *value,
> - struct lxc_conf *lxc_conf, void *data)
> - {
> -- unsigned int val = 0;
> --
> -- if (lxc_config_value_empty(value)) {
> -- lxc_conf->rootfs.managed = true;
> -- return 0;
> -- }
> --
> -- if (lxc_safe_uint(value, &val) < 0)
> -- return -EINVAL;
> --
> -- switch (val) {
> -- case 0:
> -- lxc_conf->rootfs.managed = false;
> -- return 0;
> -- case 1:
> -- lxc_conf->rootfs.managed = true;
> -- return 0;
> -- }
> --
> -- return -EINVAL;
> -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
> - }
> -
> - static int set_config_rootfs_mount(const char *key, const char *value,
> -@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
> - return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> - }
> -
> -+static int get_config_keyring_session(const char *key, char *retv, int inlen,
> -+ struct lxc_conf *c, void *data)
> -+{
> -+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
> -+}
> -+
> -
> - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> - * just the value(s) will be printed. Since there still could be more than one,
> -@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
> - return 0;
> - }
> -
> -+static inline int clr_config_keyring_session(const char *key,
> -+ struct lxc_conf *c, void *data)
> -+{
> -+ c->keyring_disable_session = false;
> -+ return 0;
> -+}
> -+
> - static inline int clr_config_cgroup_controller(const char *key,
> - struct lxc_conf *c, void *data)
> - {
> -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> - strprint(retv, inlen, "order\n");
> - } else if (!strcmp(key, "lxc.monitor")) {
> - strprint(retv, inlen, "unshare\n");
> -+ } else if (!strcmp(key, "lxc.keyring")) {
> -+ strprint(retv, inlen, "session\n");
> - } else {
> - fulllen = -1;
> - }
> -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
> -index 6941f4026..02e48454b 100644
> ---- a/src/lxc/confile_utils.c
> -+++ b/src/lxc/confile_utils.c
> -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
> - return set_config_string_item_max(conf_item, value, PATH_MAX);
> - }
> -
> -+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
> -+{
> -+ unsigned int val = 0;
> -+
> -+ if (lxc_config_value_empty(value)) {
> -+ *conf_item = empty_conf_action;
> -+ return 0;
> -+ }
> -+
> -+ if (lxc_safe_uint(value, &val) < 0)
> -+ return -EINVAL;
> -+
> -+ switch (val) {
> -+ case 0:
> -+ *conf_item = false;
> -+ return 0;
> -+ case 1:
> -+ *conf_item = true;
> -+ return 0;
> -+ }
> -+
> -+ return -EINVAL;
> -+}
> -+
> - int config_ip_prefix(struct in_addr *addr)
> - {
> - if (IN_CLASSA(addr->s_addr))
> -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
> -index f68f9604f..83d49bace 100644
> ---- a/src/lxc/confile_utils.h
> -+++ b/src/lxc/confile_utils.h
> -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
> - extern int set_config_string_item_max(char **conf_item, const char *value,
> - size_t max);
> - extern int set_config_path_item(char **conf_item, const char *value);
> -+extern int set_config_bool_item(bool *conf_item, const char *value,
> -+ bool empty_conf_action);
> - extern int config_ip_prefix(struct in_addr *addr);
> - extern int network_ifname(char *valuep, const char *value, size_t size);
> - extern void rand_complete_hwaddr(char *hwaddr);
> ---
> -2.24.1
> -
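Review bot: dropping 0002-container.conf-Add-option-to-disable-session-keyring.patch changes which implementation of `lxc.keyring.session` the layer ships, and nothing in the commit message confirms that the upstream semantics match. In the local patch the key writes straight into `keyring_disable_session` with no inversion (`set_config_bool_item(&lxc_conf->keyring_disable_session, value, false)`), so `lxc.keyring.session = 1` skips `lxc_setup_keyring()` and the container inherits the parent's keyring instead of the fresh session keyring that code creates "to prevent information leaks". Please check the 4.0.1 confile.c and man page for the option's meaning and call out any difference, because a container config in the layer that sets this key would otherwise change its keyring isolation silently. Like 0001, this patch also has no Upstream-Status tag; the memfd_create patch above shows the expected form.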
> diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> deleted file mode 100644
> index aa1aecd..0000000
> --- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> +++ /dev/null
> @@ -1,94 +0,0 @@
> -From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
> -From: Christian Brauner <christian.brauner@ubuntu.com>
> -Date: Fri, 26 Jul 2019 08:20:02 +0200
> -Subject: [PATCH] network: restore ability to move nl80211 devices
> -
> -Closes #3105.
> -Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> ----
> - src/lxc/network.c | 31 +++++++++++++++++--------------
> - 1 file changed, 17 insertions(+), 14 deletions(-)
> -
> -diff --git a/src/lxc/network.c b/src/lxc/network.c
> -index 9755116..7684f95 100644
> ---- a/src/lxc/network.c
> -+++ b/src/lxc/network.c
> -@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
> - static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> - const char *newname)
> - {
> -- char *cmd;
> -+ __do_free char *cmd = NULL;
> - pid_t fpid;
> -- int err = -1;
> -
> - /* Move phyN into the container. TODO - do this using netlink.
> - * However, IIUC this involves a bit more complicated work to talk to
> - * the 80211 module, so for now just call out to iw.
> - */
> - cmd = on_path("iw", NULL);
> -- if (!cmd)
> -- goto out1;
> -- free(cmd);
> -+ if (!cmd) {
> -+ return -1;
> -+ }
> -
> - fpid = fork();
> - if (fpid < 0)
> -- goto out1;
> -+ return -1;
> -
> - if (fpid == 0) {
> - char pidstr[30];
> -@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> - }
> -
> - if (wait_for_pid(fpid))
> -- goto out1;
> -+ return -1;
> -
> -- err = 0;
> - if (newname)
> -- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> -+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> -
> --out1:
> -- free(physname);
> -- return err;
> -+ return 0;
> - }
> -
> - int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
> - {
> -+ __do_free char *physname = NULL;
> - int index;
> -- char *physname;
> -
> - if (!ifname)
> - return -EINVAL;
> -@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
> - return 0;
> -
> - lxc_list_for_each(iterator, network) {
> -+ __do_free char *physname = NULL;
> - int ret;
> - struct lxc_netdev *netdev = iterator->elem;
> -
> - if (!netdev->ifindex)
> - continue;
> -
> -- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> -+ if (netdev->type == LXC_NET_PHYS)
> -+ physname = is_wlan(netdev->link);
> -+
> -+ if (physname)
> -+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
> -+ else
> -+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> - if (ret) {
> - errno = -ret;
> - SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
> ---
> -2.7.4
> -
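Review bot: network-restore-ability-to-move-nl80211-devices.patch also lacks an Upstream-Status tag. It is a July 2019 fix from the upstream maintainer ("Closes #3105"), so citing its upstream commit id 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b in the commit message would be enough to show it is in 4.0.1 and that the `__do_free` cleanup of `physname` is not lost.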
> diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
> similarity index 92%
> rename from recipes-containers/lxc/lxc_3.2.1.bb
> rename to recipes-containers/lxc/lxc_4.0.1.bb
> index 9592dd9..a3de38e 100644
> --- a/recipes-containers/lxc/lxc_3.2.1.bb
> +++ b/recipes-containers/lxc/lxc_4.0.1.bb
> @@ -1,7 +1,7 @@
> DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
> SECTION = "console/utils"
> LICENSE = "LGPLv2.1"
> -LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> DEPENDS = "libxml2 libcap"
> RDEPENDS_${PN} = " \
> rsync \
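Review bot: the LIC_FILES_CHKSUM change (4fbd65380cdd255951079008b364516c to d32239bcb673463ab874e80d47fae504) means the COPYING file differs between 3.2.1 and 4.0.1, yet the commit message does not say what changed. Please state whether the license text itself changed or only its formatting, so the unchanged `LICENSE = "LGPLv2.1"` line can be confirmed to still be accurate; an unexplained checksum bump is exactly what this check exists to flag.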
> @@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
> file://templates-use-curl-instead-of-wget.patch \
> file://tests-our-init-is-not-busybox.patch \
> file://tests-add-no-validate-when-using-download-template.patch \
> - file://network-restore-ability-to-move-nl80211-devices.patch \
> - file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
> - file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
> file://dnsmasq.conf \
> file://lxc-net \
> - file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
> "
>
> -SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
> -SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
> +SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
> +SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
>
> S = "${WORKDIR}/${BPN}-${PV}"
>
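Review bot: the three keyring/nl80211 patches and the memfd_create patch are removed from SRC_URI, but the remaining patches (templates-use-curl-instead-of-wget.patch, tests-our-init-is-not-busybox.patch, tests-add-no-validate-when-using-download-template.patch and those above this hunk) are kept unchanged across a major uprev. They should be re-applied against the 4.0.1 tree and refreshed so they apply without fuzz or offsets; the fuzz reported later in this thread for logs-optionally-use-base-filenames-to-report-src-fil.patch ("Hunk #1 succeeded at 378 with fuzz 1") is the symptom.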
> --
> 2.18.2
>
* Re: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
2020-04-13 17:54 ` Bruce Ashfield
@ 2020-04-14 18:39 ` Mark Asselstine
2020-04-14 18:45 ` Bruce Ashfield
0 siblings, 1 reply; 5+ messages in thread
From: Mark Asselstine @ 2020-04-14 18:39 UTC (permalink / raw)
To: yanfei.xu; +Cc: Bruce Ashfield, meta-virtualization
On Mon, Apr 13, 2020 at 1:54 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
>
> Thanks for the quick turnaround on the uprev! We are much
> better off with the LTS version.
>
> Everything worked here, so this is now merged.
This appears to have caused some patch fuzz
Applying patch logs-optionally-use-base-filenames-to-report-src-fil.patch
patching file configure.ac
Hunk #1 succeeded at 378 with fuzz 1 (offset 22 lines).
patching file src/lxc/log.h
Hunk #1 succeeded at 47 (offset -30 lines).
Yanfei, can you confirm and refresh the patch?
Mark
>
> Bruce
>
> In message: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
> on 09/04/2020 yanfei.xu@windriver.com wrote:
>
> > From: Yanfei Xu <yanfei.xu@windriver.com>
> >
> > Update to the just released 4.0.1. And drop some patches contained
> > in this released.
> >
> > Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> > ---
> > ...dd-option-to-set-keyring-SELinux-con.patch | 275 ------------------
> > ...-rename-internal-memfd_create-to-mem.patch | 46 ---
> > ...dd-option-to-disable-session-keyring.patch | 217 --------------
> > ...tore-ability-to-move-nl80211-devices.patch | 94 ------
> > .../lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} | 10 +-
> > 5 files changed, 3 insertions(+), 639 deletions(-)
> > delete mode 100644 recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > delete mode 100644 recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > delete mode 100644 recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > delete mode 100644 recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > rename recipes-containers/lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} (92%)
> >
> > diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > deleted file mode 100644
> > index 0da1be0..0000000
> > --- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > +++ /dev/null
> > @@ -1,275 +0,0 @@
> > -From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
> > -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > -Date: Wed, 29 Jan 2020 17:09:50 +0100
> > -Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
> > -
> > -lxc set's up a new session keyring for every container by default.
> > -If executed on an SELinux enabled system, by default, the keyring
> > -inherits the label of the creating process. If executed with the
> > -currently available SELinux policy, this means that the keyring
> > -is labeled with the lxc_t type. Applications inside the container,
> > -however, might expect that the keyring is labeled with a certain
> > -context (and will fail to access the keyring if it's not explicitly
> > -allowed in the global policy). This patch introduces the config
> > -option lxc.selinux.context.keyring which enables to specify the
> > -label of the newly created keyring. That is, the keyring can be
> > -labeled with the label expected by the started application.
> > -
> > -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > ----
> > - config/selinux/lxc.te | 3 +++
> > - src/lxc/conf.c | 10 +++++++++-
> > - src/lxc/conf.h | 1 +
> > - src/lxc/confile.c | 24 ++++++++++++++++++++++++
> > - src/lxc/lsm/lsm.c | 13 +++++++++++++
> > - src/lxc/lsm/lsm.h | 2 ++
> > - src/lxc/lsm/selinux.c | 13 +++++++++++++
> > - src/lxc/utils.c | 9 ++++++++-
> > - src/lxc/utils.h | 2 +-
> > - 9 files changed, 74 insertions(+), 3 deletions(-)
> > -
> > -diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> > -index bb4bfe3a8..d3f78d80b 100644
> > ---- a/config/selinux/lxc.te
> > -+++ b/config/selinux/lxc.te
> > -@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
> > - allow lxc_t self:rawip_socket create_socket_perms;
> > - allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> > -
> > -+# Needed to set label that the keyring will be created with
> > -+allow lxc_t self:process { setkeycreate };
> > -+
> > - dontaudit lxc_t sysctl_kernel_t:file write;
> > - dontaudit lxc_t sysctl_modprobe_t:file write;
> > -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > -index 0f8b3c928..b06fbf047 100644
> > ---- a/src/lxc/conf.c
> > -+++ b/src/lxc/conf.c
> > -@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
> > - new->lsm_aa_profile = NULL;
> > - lxc_list_init(&new->lsm_aa_raw);
> > - new->lsm_se_context = NULL;
> > -+ new->lsm_se_keyring_context = NULL;
> > - new->tmp_umount_proc = false;
> > - new->tmp_umount_proc = 0;
> > - new->shmount.path_host = NULL;
> > -@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
> > - int ret;
> > - const char *lxcpath = handler->lxcpath, *name = handler->name;
> > - struct lxc_conf *lxc_conf = handler->conf;
> > -+ char *keyring_context = NULL;
> > -
> > - ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
> > - if (ret < 0) {
> > -@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
> > - }
> > - }
> > -
> > -- ret = lxc_setup_keyring();
> > -+ if (lxc_conf->lsm_se_keyring_context) {
> > -+ keyring_context = lxc_conf->lsm_se_keyring_context;
> > -+ } else if (lxc_conf->lsm_se_context) {
> > -+ keyring_context = lxc_conf->lsm_se_context;
> > -+ }
> > -+
> > -+ ret = lxc_setup_keyring(keyring_context);
> > - if (ret < 0)
> > - return -1;
> > -
> > -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> > -index 2664a1527..bb47b720e 100644
> > ---- a/src/lxc/conf.h
> > -+++ b/src/lxc/conf.h
> > -@@ -295,6 +295,7 @@ struct lxc_conf {
> > - unsigned int lsm_aa_allow_incomplete;
> > - struct lxc_list lsm_aa_raw;
> > - char *lsm_se_context;
> > -+ char *lsm_se_keyring_context;
> > - bool tmp_umount_proc;
> > - struct lxc_seccomp seccomp;
> > - int maincmd_fd;
> > -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> > -index 36d62cbca..df184af73 100644
> > ---- a/src/lxc/confile.c
> > -+++ b/src/lxc/confile.c
> > -@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
> > - lxc_config_define(seccomp_notify_cookie);
> > - lxc_config_define(seccomp_notify_proxy);
> > - lxc_config_define(selinux_context);
> > -+lxc_config_define(selinux_context_keyring);
> > - lxc_config_define(signal_halt);
> > - lxc_config_define(signal_reboot);
> > - lxc_config_define(signal_stop);
> > -@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
> > - { "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, },
> > - { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, },
> > - { "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, },
> > -+ { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring },
> > - { "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, },
> > - { "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, },
> > - { "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, },
> > -@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value,
> > - return set_config_string_item(&lxc_conf->lsm_se_context, value);
> > - }
> > -
> > -+static int set_config_selinux_context_keyring(const char *key, const char *value,
> > -+ struct lxc_conf *lxc_conf, void *data)
> > -+{
> > -+ return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
> > -+}
> > -+
> > - static int set_config_log_file(const char *key, const char *value,
> > - struct lxc_conf *c, void *data)
> > - {
> > -@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
> > - return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
> > - }
> > -
> > -+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
> > -+ struct lxc_conf *c, void *data)
> > -+{
> > -+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> > -+}
> > -+
> > -+
> > - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> > - * just the value(s) will be printed. Since there still could be more than one,
> > - * it is newline-separated.
> > -@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
> > - return 0;
> > - }
> > -
> > -+static inline int clr_config_selinux_context_keyring(const char *key,
> > -+ struct lxc_conf *c, void *data)
> > -+{
> > -+ free(c->lsm_se_keyring_context);
> > -+ c->lsm_se_keyring_context = NULL;
> > -+ return 0;
> > -+}
> > -+
> > - static inline int clr_config_cgroup_controller(const char *key,
> > - struct lxc_conf *c, void *data)
> > - {
> > -@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> > - strprint(retv, inlen, "dir\n");
> > - } else if (!strcmp(key, "lxc.selinux")) {
> > - strprint(retv, inlen, "context\n");
> > -+ strprint(retv, inlen, "context.keyring\n");
> > - } else if (!strcmp(key, "lxc.mount")) {
> > - strprint(retv, inlen, "auto\n");
> > - strprint(retv, inlen, "entry\n");
> > -diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> > -index 5538c9e84..48c22b700 100644
> > ---- a/src/lxc/lsm/lsm.c
> > -+++ b/src/lxc/lsm/lsm.c
> > -@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
> > -
> > - drv->cleanup(conf, lxcpath);
> > - }
> > -+
> > -+int lsm_keyring_label_set(char *label) {
> > -+
> > -+ if (!drv) {
> > -+ ERROR("LSM driver not inited");
> > -+ return -1;
> > -+ }
> > -+
> > -+ if (!drv->keyring_label_set)
> > -+ return 0;
> > -+
> > -+ return drv->keyring_label_set(label);
> > -+}
> > -diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> > -index dda740b3d..a645a2fa0 100644
> > ---- a/src/lxc/lsm/lsm.h
> > -+++ b/src/lxc/lsm/lsm.h
> > -@@ -38,6 +38,7 @@ struct lsm_drv {
> > - char *(*process_label_get)(pid_t pid);
> > - int (*process_label_set)(const char *label, struct lxc_conf *conf,
> > - bool on_exec);
> > -+ int (*keyring_label_set)(char* label);
> > - int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
> > - void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
> > - };
> > -@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
> > - extern int lsm_process_label_set_at(int label_fd, const char *label,
> > - bool on_exec);
> > - extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
> > -+extern int lsm_keyring_label_set(char *label);
> > -
> > - #endif /* __LXC_LSM_H */
> > -diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> > -index 625bcae90..b3d95c310 100644
> > ---- a/src/lxc/lsm/selinux.c
> > -+++ b/src/lxc/lsm/selinux.c
> > -@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
> > - return 0;
> > - }
> > -
> > -+/*
> > -+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
> > -+ *
> > -+ * @label : label string
> > -+ *
> > -+ * Returns 0 on success, < 0 on failure
> > -+ */
> > -+static int selinux_keyring_label_set(char *label)
> > -+{
> > -+ return setkeycreatecon_raw(label);
> > -+};
> > -+
> > - static struct lsm_drv selinux_drv = {
> > - .name = "SELinux",
> > - .enabled = is_selinux_enabled,
> > - .process_label_get = selinux_process_label_get,
> > - .process_label_set = selinux_process_label_set,
> > -+ .keyring_label_set = selinux_keyring_label_set,
> > - };
> > -
> > - struct lsm_drv *lsm_selinux_drv_init(void)
> > -diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> > -index bf4a9c2cb..90852eb87 100644
> > ---- a/src/lxc/utils.c
> > -+++ b/src/lxc/utils.c
> > -@@ -48,6 +48,7 @@
> > -
> > - #include "config.h"
> > - #include "log.h"
> > -+#include "lsm/lsm.h"
> > - #include "lxclock.h"
> > - #include "memory_utils.h"
> > - #include "namespace.h"
> > -@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
> > - return r;
> > - }
> > -
> > --int lxc_setup_keyring(void)
> > -+int lxc_setup_keyring(char *keyring_label)
> > - {
> > - key_serial_t keyring;
> > - int ret = 0;
> > -
> > -+ if (keyring_label) {
> > -+ if (lsm_keyring_label_set(keyring_label) < 0) {
> > -+ ERROR("Couldn't set keyring label");
> > -+ }
> > -+ }
> > -+
> > - /* Try to allocate a new session keyring for the container to prevent
> > - * information leaks.
> > - */
> > -diff --git a/src/lxc/utils.h b/src/lxc/utils.h
> > -index dd6404f0b..7560711b7 100644
> > ---- a/src/lxc/utils.h
> > -+++ b/src/lxc/utils.h
> > -@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
> > - extern int lxc_set_death_signal(int signal, pid_t parent);
> > - extern int fd_cloexec(int fd, bool cloexec);
> > - extern int recursive_destroy(char *dirname);
> > --extern int lxc_setup_keyring(void);
> > -+extern int lxc_setup_keyring(char *keyring_label);
> > -
> > - #endif /* __LXC_UTILS_H */
> > ---
> > -2.24.1
> > -
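Review bot: Before this patch is dropped, confirm that the 4.0.1 tarball keeps the same fallback as the dropped lxc_setup_keyring() (L1744-L1748): a failed lsm_keyring_label_set() only logs "Couldn't set keyring label" and the session keyring is still created, so it silently inherits the creating process's SELinux context instead of the configured lxc.selinux.context.keyring. The commit message only says the patch is "contained in this release" and names no upstream commit; please cite the upstream commit id so the two versions of this code path can be compared.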
> > diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > deleted file mode 100644
> > index 9d5b5b8..0000000
> > --- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > +++ /dev/null
> > @@ -1,46 +0,0 @@
> > -From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
> > -From: Patrick Havelange <patrick.havelange@essensium.com>
> > -Date: Tue, 22 Oct 2019 12:29:54 +0200
> > -Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
> > - memfd_create_lxc
> > -
> > -In case the internal memfd_create has to be used, make sure we don't
> > -clash with the already existing memfd_create function from glibc.
> > -
> > -This can happen if this glibc function is a stub. In this case, at
> > -./configure time, the test for this function will return false, however
> > -the declaration of that function is still available. This leads to
> > -compilation errors.
> > -
> > -Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
> > -
> > -Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
> > -(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
> > -Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
> > ----
> > - v2: added Upstream-Status
> > -
> > - src/lxc/syscall_wrappers.h | 3 ++-
> > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > -
> > -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
> > -index ce67da5b5308..b7edba63f5d7 100644
> > ---- a/src/lxc/syscall_wrappers.h
> > -+++ b/src/lxc/syscall_wrappers.h
> > -@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
> > - #endif
> > -
> > - #ifndef HAVE_MEMFD_CREATE
> > --static inline int memfd_create(const char *name, unsigned int flags) {
> > -+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
> > - #ifndef __NR_memfd_create
> > - #if defined __i386__
> > - #define __NR_memfd_create 356
> > -@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
> > - return -1;
> > - #endif
> > - }
> > -+#define memfd_create memfd_create_lxc
> > - #else
> > - extern int memfd_create(const char *name, unsigned int flags);
> > - #endif
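Review bot: This is the only one of the four dropped patches whose provenance is recorded (Upstream-Status: Backport with https://github.com/lxc/lxc/pull/3168 and "cherry picked from commit 40b06c78773d"), which makes it easy to check that it is in 4.0.1. The other three carry no Upstream-Status line at all; for them, add the upstream commit ids, or at least the 4.0 config keys they introduced (lxc.selinux.context.keyring, lxc.keyring.session), to the commit message so the drop is verifiable.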
> > diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > deleted file mode 100644
> > index 34647c8..0000000
> > --- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > +++ /dev/null
> > @@ -1,217 +0,0 @@
> > -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
> > -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > -Date: Thu, 30 Jan 2020 19:21:10 +0100
> > -Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
> > - creation
> > -
> > -lxc set's up a new session keyring for every container by default.
> > -There might be valid use-cases where this is not wanted / needed
> > -(e.g. systemd by default creates a new session keyring anyway).
> > -
> > -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > ----
> > - src/lxc/conf.c | 19 ++++++++++--------
> > - src/lxc/conf.h | 1 +
> > - src/lxc/confile.c | 44 ++++++++++++++++++++++-------------------
> > - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
> > - src/lxc/confile_utils.h | 2 ++
> > - 5 files changed, 62 insertions(+), 28 deletions(-)
> > -
> > -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > -index b06fbf047..be4761a54 100644
> > ---- a/src/lxc/conf.c
> > -+++ b/src/lxc/conf.c
> > -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
> > - lxc_list_init(&new->lsm_aa_raw);
> > - new->lsm_se_context = NULL;
> > - new->lsm_se_keyring_context = NULL;
> > -+ new->keyring_disable_session = false;
> > - new->tmp_umount_proc = false;
> > - new->tmp_umount_proc = 0;
> > - new->shmount.path_host = NULL;
> > -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
> > - }
> > - }
> > -
> > -- if (lxc_conf->lsm_se_keyring_context) {
> > -- keyring_context = lxc_conf->lsm_se_keyring_context;
> > -- } else if (lxc_conf->lsm_se_context) {
> > -- keyring_context = lxc_conf->lsm_se_context;
> > -- }
> > -+ if (!lxc_conf->keyring_disable_session) {
> > -+ if (lxc_conf->lsm_se_keyring_context) {
> > -+ keyring_context = lxc_conf->lsm_se_keyring_context;
> > -+ } else if (lxc_conf->lsm_se_context) {
> > -+ keyring_context = lxc_conf->lsm_se_context;
> > -+ }
> > -
> > -- ret = lxc_setup_keyring(keyring_context);
> > -- if (ret < 0)
> > -- return -1;
> > -+ ret = lxc_setup_keyring(keyring_context);
> > -+ if (ret < 0)
> > -+ return -1;
> > -+ }
> > -
> > - if (handler->ns_clone_flags & CLONE_NEWNET) {
> > - ret = lxc_setup_network_in_child_namespaces(lxc_conf,
> > -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> > -index bb47b720e..b81786838 100644
> > ---- a/src/lxc/conf.h
> > -+++ b/src/lxc/conf.h
> > -@@ -296,6 +296,7 @@ struct lxc_conf {
> > - struct lxc_list lsm_aa_raw;
> > - char *lsm_se_context;
> > - char *lsm_se_keyring_context;
> > -+ bool keyring_disable_session;
> > - bool tmp_umount_proc;
> > - struct lxc_seccomp seccomp;
> > - int maincmd_fd;
> > -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> > -index df184af73..fd8b3aaba 100644
> > ---- a/src/lxc/confile.c
> > -+++ b/src/lxc/confile.c
> > -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
> > - lxc_config_define(init_cwd);
> > - lxc_config_define(init_gid);
> > - lxc_config_define(init_uid);
> > -+lxc_config_define(keyring_session);
> > - lxc_config_define(log_file);
> > - lxc_config_define(log_level);
> > - lxc_config_define(log_syslog);
> > -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
> > - { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
> > - { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
> > - { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
> > -+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
> > - { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
> > - { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
> > - { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
> > -@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
> > - return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
> > - }
> > -
> > -+static int set_config_keyring_session(const char *key, const char *value,
> > -+ struct lxc_conf *lxc_conf, void *data)
> > -+{
> > -+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
> > -+}
> > -+
> > - static int set_config_log_file(const char *key, const char *value,
> > - struct lxc_conf *c, void *data)
> > - {
> > -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
> > - static int set_config_rootfs_managed(const char *key, const char *value,
> > - struct lxc_conf *lxc_conf, void *data)
> > - {
> > -- unsigned int val = 0;
> > --
> > -- if (lxc_config_value_empty(value)) {
> > -- lxc_conf->rootfs.managed = true;
> > -- return 0;
> > -- }
> > --
> > -- if (lxc_safe_uint(value, &val) < 0)
> > -- return -EINVAL;
> > --
> > -- switch (val) {
> > -- case 0:
> > -- lxc_conf->rootfs.managed = false;
> > -- return 0;
> > -- case 1:
> > -- lxc_conf->rootfs.managed = true;
> > -- return 0;
> > -- }
> > --
> > -- return -EINVAL;
> > -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
> > - }
> > -
> > - static int set_config_rootfs_mount(const char *key, const char *value,
> > -@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
> > - return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> > - }
> > -
> > -+static int get_config_keyring_session(const char *key, char *retv, int inlen,
> > -+ struct lxc_conf *c, void *data)
> > -+{
> > -+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
> > -+}
> > -+
> > -
> > - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> > - * just the value(s) will be printed. Since there still could be more than one,
> > -@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
> > - return 0;
> > - }
> > -
> > -+static inline int clr_config_keyring_session(const char *key,
> > -+ struct lxc_conf *c, void *data)
> > -+{
> > -+ c->keyring_disable_session = false;
> > -+ return 0;
> > -+}
> > -+
> > - static inline int clr_config_cgroup_controller(const char *key,
> > - struct lxc_conf *c, void *data)
> > - {
> > -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> > - strprint(retv, inlen, "order\n");
> > - } else if (!strcmp(key, "lxc.monitor")) {
> > - strprint(retv, inlen, "unshare\n");
> > -+ } else if (!strcmp(key, "lxc.keyring")) {
> > -+ strprint(retv, inlen, "session\n");
> > - } else {
> > - fulllen = -1;
> > - }
> > -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
> > -index 6941f4026..02e48454b 100644
> > ---- a/src/lxc/confile_utils.c
> > -+++ b/src/lxc/confile_utils.c
> > -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
> > - return set_config_string_item_max(conf_item, value, PATH_MAX);
> > - }
> > -
> > -+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
> > -+{
> > -+ unsigned int val = 0;
> > -+
> > -+ if (lxc_config_value_empty(value)) {
> > -+ *conf_item = empty_conf_action;
> > -+ return 0;
> > -+ }
> > -+
> > -+ if (lxc_safe_uint(value, &val) < 0)
> > -+ return -EINVAL;
> > -+
> > -+ switch (val) {
> > -+ case 0:
> > -+ *conf_item = false;
> > -+ return 0;
> > -+ case 1:
> > -+ *conf_item = true;
> > -+ return 0;
> > -+ }
> > -+
> > -+ return -EINVAL;
> > -+}
> > -+
> > - int config_ip_prefix(struct in_addr *addr)
> > - {
> > - if (IN_CLASSA(addr->s_addr))
> > -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
> > -index f68f9604f..83d49bace 100644
> > ---- a/src/lxc/confile_utils.h
> > -+++ b/src/lxc/confile_utils.h
> > -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
> > - extern int set_config_string_item_max(char **conf_item, const char *value,
> > - size_t max);
> > - extern int set_config_path_item(char **conf_item, const char *value);
> > -+extern int set_config_bool_item(bool *conf_item, const char *value,
> > -+ bool empty_conf_action);
> > - extern int config_ip_prefix(struct in_addr *addr);
> > - extern int network_ifname(char *valuep, const char *value, size_t size);
> > - extern void rand_complete_hwaddr(char *hwaddr);
> > ---
> > -2.24.1
> > -
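Review bot: Users of this layer who already set lxc.keyring.session should be warned in the commit message: in this backport the key is wired to keyring_disable_session (L1911, L1919-L1923), so "lxc.keyring.session = 1" disables the session keyring that lxc creates "to prevent information leaks" (L1750-L1751) and also skips applying lxc.selinux.context.keyring (L1866-L1871). If 4.0.1 documents the key with the opposite polarity, existing container configs will silently flip behaviour on the uprev. Please check the 4.0.1 lxc.container.conf(5) entry for lxc.keyring.session and state the result.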
> > diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > deleted file mode 100644
> > index aa1aecd..0000000
> > --- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > +++ /dev/null
> > @@ -1,94 +0,0 @@
> > -From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
> > -From: Christian Brauner <christian.brauner@ubuntu.com>
> > -Date: Fri, 26 Jul 2019 08:20:02 +0200
> > -Subject: [PATCH] network: restore ability to move nl80211 devices
> > -
> > -Closes #3105.
> > -Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > ----
> > - src/lxc/network.c | 31 +++++++++++++++++--------------
> > - 1 file changed, 17 insertions(+), 14 deletions(-)
> > -
> > -diff --git a/src/lxc/network.c b/src/lxc/network.c
> > -index 9755116..7684f95 100644
> > ---- a/src/lxc/network.c
> > -+++ b/src/lxc/network.c
> > -@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
> > - static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> > - const char *newname)
> > - {
> > -- char *cmd;
> > -+ __do_free char *cmd = NULL;
> > - pid_t fpid;
> > -- int err = -1;
> > -
> > - /* Move phyN into the container. TODO - do this using netlink.
> > - * However, IIUC this involves a bit more complicated work to talk to
> > - * the 80211 module, so for now just call out to iw.
> > - */
> > - cmd = on_path("iw", NULL);
> > -- if (!cmd)
> > -- goto out1;
> > -- free(cmd);
> > -+ if (!cmd) {
> > -+ return -1;
> > -+ }
> > -
> > - fpid = fork();
> > - if (fpid < 0)
> > -- goto out1;
> > -+ return -1;
> > -
> > - if (fpid == 0) {
> > - char pidstr[30];
> > -@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> > - }
> > -
> > - if (wait_for_pid(fpid))
> > -- goto out1;
> > -+ return -1;
> > -
> > -- err = 0;
> > - if (newname)
> > -- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> > -+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> > -
> > --out1:
> > -- free(physname);
> > -- return err;
> > -+ return 0;
> > - }
> > -
> > - int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
> > - {
> > -+ __do_free char *physname = NULL;
> > - int index;
> > -- char *physname;
> > -
> > - if (!ifname)
> > - return -EINVAL;
> > -@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
> > - return 0;
> > -
> > - lxc_list_for_each(iterator, network) {
> > -+ __do_free char *physname = NULL;
> > - int ret;
> > - struct lxc_netdev *netdev = iterator->elem;
> > -
> > - if (!netdev->ifindex)
> > - continue;
> > -
> > -- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> > -+ if (netdev->type == LXC_NET_PHYS)
> > -+ physname = is_wlan(netdev->link);
> > -+
> > -+ if (physname)
> > -+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
> > -+ else
> > -+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> > - if (ret) {
> > - errno = -ret;
> > - SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
> > ---
> > -2.7.4
> > -
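Review bot: The dropped fix moves wlan devices by forking "iw" located via on_path() (L2073-L2077, still marked "TODO - do this using netlink"), so lxc.net.*.type = phys on a wireless device (LXC_NET_PHYS, L2130-L2134) depends on iw being in the image; the RDEPENDS_${PN} context visible in the recipe hunk (L2157-L2158) shows only rsync. If 4.0.1 keeps this code path, either add iw to RDEPENDS_${PN} or note the runtime requirement. This patch also records only "Closes #3105" and no Upstream-Status line.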
> > diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
> > similarity index 92%
> > rename from recipes-containers/lxc/lxc_3.2.1.bb
> > rename to recipes-containers/lxc/lxc_4.0.1.bb
> > index 9592dd9..a3de38e 100644
> > --- a/recipes-containers/lxc/lxc_3.2.1.bb
> > +++ b/recipes-containers/lxc/lxc_4.0.1.bb
> > @@ -1,7 +1,7 @@
> > DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
> > SECTION = "console/utils"
> > LICENSE = "LGPLv2.1"
> > -LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
> > +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> > DEPENDS = "libxml2 libcap"
> > RDEPENDS_${PN} = " \
> > rsync \
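Review bot: The LIC_FILES_CHKSUM change (L2154-L2155) is not mentioned in the commit message, while LICENSE stays "LGPLv2.1" (L2153). A license checksum bump should say what changed in COPYING (for example reformatting or an address change versus a different license text) so reviewers do not have to diff the two tarballs; please add one sentence to the commit message.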
> > @@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
> > file://templates-use-curl-instead-of-wget.patch \
> > file://tests-our-init-is-not-busybox.patch \
> > file://tests-add-no-validate-when-using-download-template.patch \
> > - file://network-restore-ability-to-move-nl80211-devices.patch \
> > - file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
> > - file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
> > file://dnsmasq.conf \
> > file://lxc-net \
> > - file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
> > "
> >
> > -SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
> > -SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
> > +SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
> > +SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
> >
> > S = "${WORKDIR}/${BPN}-${PV}"
> >
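Review bot: The remaining SRC_URI patches (L2160-L2162 and the entries above this hunk) are left untouched although the base moved from 3.2.1 to 4.0.1; Mark's reply below reports fuzz for logs-optionally-use-base-filenames-to-report-src-fil.patch ("Hunk #1 succeeded at 378 with fuzz 1 (offset 22 lines)"), and a fuzzy apply can place a hunk at the wrong spot in configure.ac. Refresh the remaining patches against 4.0.1 in this same change rather than in a follow-up. Separately, since SRC_URI is plain http:// (L2159), say in the commit message how the new sha256sum (L2174) was checked against upstream.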
> > --
> > 2.18.2
> >
>
* Re: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
2020-04-14 18:39 ` Mark Asselstine
@ 2020-04-14 18:45 ` Bruce Ashfield
2020-04-14 18:47 ` Mark Asselstine
0 siblings, 1 reply; 5+ messages in thread
From: Bruce Ashfield @ 2020-04-14 18:45 UTC (permalink / raw)
To: Mark Asselstine; +Cc: Xu, Yanfei, meta-virtualization
On Tue, Apr 14, 2020 at 2:39 PM Mark Asselstine
<mark.asselstine@windriver.com> wrote:
>
> On Mon, Apr 13, 2020 at 1:54 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
> >
> > Thanks for the quick turnaround on the uprev! We are much
> > better off with the LTS version.
> >
> > Everything worked here, so this is now merged.
>
> This appears to have caused some patch fuzz
>
> Applying patch logs-optionally-use-base-filenames-to-report-src-fil.patch
> patching file configure.ac
> Hunk #1 succeeded at 378 with fuzz 1 (offset 22 lines).
> patching file src/lxc/log.h
> Hunk #1 succeeded at 47 (offset -30 lines).
>
> Yanfei, can you confirm and refresh the patch?
I noticed this myself when testing the license patches and am refreshing now.
Bruce
>
> Mark
>
> >
> > Bruce
> >
> > In message: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
> > on 09/04/2020 yanfei.xu@windriver.com wrote:
> >
> > > From: Yanfei Xu <yanfei.xu@windriver.com>
> > >
> > > Update to the just released 4.0.1. And drop some patches contained
> > > in this released.
> > >
> > > Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> > > ---
> > > ...dd-option-to-set-keyring-SELinux-con.patch | 275 ------------------
> > > ...-rename-internal-memfd_create-to-mem.patch | 46 ---
> > > ...dd-option-to-disable-session-keyring.patch | 217 --------------
> > > ...tore-ability-to-move-nl80211-devices.patch | 94 ------
> > > .../lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} | 10 +-
> > > 5 files changed, 3 insertions(+), 639 deletions(-)
> > > delete mode 100644 recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > > delete mode 100644 recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > > delete mode 100644 recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > > delete mode 100644 recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > > rename recipes-containers/lxc/{lxc_3.2.1.bb => lxc_4.0.1.bb} (92%)
> > >
> > > diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > > deleted file mode 100644
> > > index 0da1be0..0000000
> > > --- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
> > > +++ /dev/null
> > > @@ -1,275 +0,0 @@
> > > -From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
> > > -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > -Date: Wed, 29 Jan 2020 17:09:50 +0100
> > > -Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
> > > -
> > > -lxc set's up a new session keyring for every container by default.
> > > -If executed on an SELinux enabled system, by default, the keyring
> > > -inherits the label of the creating process. If executed with the
> > > -currently available SELinux policy, this means that the keyring
> > > -is labeled with the lxc_t type. Applications inside the container,
> > > -however, might expect that the keyring is labeled with a certain
> > > -context (and will fail to access the keyring if it's not explicitly
> > > -allowed in the global policy). This patch introduces the config
> > > -option lxc.selinux.context.keyring which enables to specify the
> > > -label of the newly created keyring. That is, the keyring can be
> > > -labeled with the label expected by the started application.
> > > -
> > > -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > ----
> > > - config/selinux/lxc.te | 3 +++
> > > - src/lxc/conf.c | 10 +++++++++-
> > > - src/lxc/conf.h | 1 +
> > > - src/lxc/confile.c | 24 ++++++++++++++++++++++++
> > > - src/lxc/lsm/lsm.c | 13 +++++++++++++
> > > - src/lxc/lsm/lsm.h | 2 ++
> > > - src/lxc/lsm/selinux.c | 13 +++++++++++++
> > > - src/lxc/utils.c | 9 ++++++++-
> > > - src/lxc/utils.h | 2 +-
> > > - 9 files changed, 74 insertions(+), 3 deletions(-)
> > > -
> > > -diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
> > > -index bb4bfe3a8..d3f78d80b 100644
> > > ---- a/config/selinux/lxc.te
> > > -+++ b/config/selinux/lxc.te
> > > -@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
> > > - allow lxc_t self:rawip_socket create_socket_perms;
> > > - allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
> > > -
> > > -+# Needed to set label that the keyring will be created with
> > > -+allow lxc_t self:process { setkeycreate };
> > > -+
> > > - dontaudit lxc_t sysctl_kernel_t:file write;
> > > - dontaudit lxc_t sysctl_modprobe_t:file write;
> > > -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > -index 0f8b3c928..b06fbf047 100644
> > > ---- a/src/lxc/conf.c
> > > -+++ b/src/lxc/conf.c
> > > -@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
> > > - new->lsm_aa_profile = NULL;
> > > - lxc_list_init(&new->lsm_aa_raw);
> > > - new->lsm_se_context = NULL;
> > > -+ new->lsm_se_keyring_context = NULL;
> > > - new->tmp_umount_proc = false;
> > > - new->tmp_umount_proc = 0;
> > > - new->shmount.path_host = NULL;
> > > -@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
> > > - int ret;
> > > - const char *lxcpath = handler->lxcpath, *name = handler->name;
> > > - struct lxc_conf *lxc_conf = handler->conf;
> > > -+ char *keyring_context = NULL;
> > > -
> > > - ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
> > > - if (ret < 0) {
> > > -@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
> > > - }
> > > - }
> > > -
> > > -- ret = lxc_setup_keyring();
> > > -+ if (lxc_conf->lsm_se_keyring_context) {
> > > -+ keyring_context = lxc_conf->lsm_se_keyring_context;
> > > -+ } else if (lxc_conf->lsm_se_context) {
> > > -+ keyring_context = lxc_conf->lsm_se_context;
> > > -+ }
> > > -+
> > > -+ ret = lxc_setup_keyring(keyring_context);
> > > - if (ret < 0)
> > > - return -1;
> > > -
> > > -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> > > -index 2664a1527..bb47b720e 100644
> > > ---- a/src/lxc/conf.h
> > > -+++ b/src/lxc/conf.h
> > > -@@ -295,6 +295,7 @@ struct lxc_conf {
> > > - unsigned int lsm_aa_allow_incomplete;
> > > - struct lxc_list lsm_aa_raw;
> > > - char *lsm_se_context;
> > > -+ char *lsm_se_keyring_context;
> > > - bool tmp_umount_proc;
> > > - struct lxc_seccomp seccomp;
> > > - int maincmd_fd;
> > > -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> > > -index 36d62cbca..df184af73 100644
> > > ---- a/src/lxc/confile.c
> > > -+++ b/src/lxc/confile.c
> > > -@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
> > > - lxc_config_define(seccomp_notify_cookie);
> > > - lxc_config_define(seccomp_notify_proxy);
> > > - lxc_config_define(selinux_context);
> > > -+lxc_config_define(selinux_context_keyring);
> > > - lxc_config_define(signal_halt);
> > > - lxc_config_define(signal_reboot);
> > > - lxc_config_define(signal_stop);
> > > -@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
> > > - { "lxc.seccomp.notify.proxy", set_config_seccomp_notify_proxy, get_config_seccomp_notify_proxy, clr_config_seccomp_notify_proxy, },
> > > - { "lxc.seccomp.profile", set_config_seccomp_profile, get_config_seccomp_profile, clr_config_seccomp_profile, },
> > > - { "lxc.selinux.context", set_config_selinux_context, get_config_selinux_context, clr_config_selinux_context, },
> > > -+ { "lxc.selinux.context.keyring", set_config_selinux_context_keyring, get_config_selinux_context_keyring, clr_config_selinux_context_keyring },
> > > - { "lxc.signal.halt", set_config_signal_halt, get_config_signal_halt, clr_config_signal_halt, },
> > > - { "lxc.signal.reboot", set_config_signal_reboot, get_config_signal_reboot, clr_config_signal_reboot, },
> > > - { "lxc.signal.stop", set_config_signal_stop, get_config_signal_stop, clr_config_signal_stop, },
> > > -@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value,
> > > - return set_config_string_item(&lxc_conf->lsm_se_context, value);
> > > - }
> > > -
> > > -+static int set_config_selinux_context_keyring(const char *key, const char *value,
> > > -+ struct lxc_conf *lxc_conf, void *data)
> > > -+{
> > > -+ return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
> > > -+}
> > > -+
> > > - static int set_config_log_file(const char *key, const char *value,
> > > - struct lxc_conf *c, void *data)
> > > - {
> > > -@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
> > > - return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
> > > - }
> > > -
> > > -+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
> > > -+ struct lxc_conf *c, void *data)
> > > -+{
> > > -+ return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> > > -+}
> > > -+
> > > -+
> > > - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> > > - * just the value(s) will be printed. Since there still could be more than one,
> > > - * it is newline-separated.
> > > -@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
> > > - return 0;
> > > - }
> > > -
> > > -+static inline int clr_config_selinux_context_keyring(const char *key,
> > > -+ struct lxc_conf *c, void *data)
> > > -+{
> > > -+ free(c->lsm_se_keyring_context);
> > > -+ c->lsm_se_keyring_context = NULL;
> > > -+ return 0;
> > > -+}
> > > -+
> > > - static inline int clr_config_cgroup_controller(const char *key,
> > > - struct lxc_conf *c, void *data)
> > > - {
> > > -@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> > > - strprint(retv, inlen, "dir\n");
> > > - } else if (!strcmp(key, "lxc.selinux")) {
> > > - strprint(retv, inlen, "context\n");
> > > -+ strprint(retv, inlen, "context.keyring\n");
> > > - } else if (!strcmp(key, "lxc.mount")) {
> > > - strprint(retv, inlen, "auto\n");
> > > - strprint(retv, inlen, "entry\n");
> > > -diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> > > -index 5538c9e84..48c22b700 100644
> > > ---- a/src/lxc/lsm/lsm.c
> > > -+++ b/src/lxc/lsm/lsm.c
> > > -@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
> > > -
> > > - drv->cleanup(conf, lxcpath);
> > > - }
> > > -+
> > > -+int lsm_keyring_label_set(char *label) {
> > > -+
> > > -+ if (!drv) {
> > > -+ ERROR("LSM driver not inited");
> > > -+ return -1;
> > > -+ }
> > > -+
> > > -+ if (!drv->keyring_label_set)
> > > -+ return 0;
> > > -+
> > > -+ return drv->keyring_label_set(label);
> > > -+}
> > > -diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> > > -index dda740b3d..a645a2fa0 100644
> > > ---- a/src/lxc/lsm/lsm.h
> > > -+++ b/src/lxc/lsm/lsm.h
> > > -@@ -38,6 +38,7 @@ struct lsm_drv {
> > > - char *(*process_label_get)(pid_t pid);
> > > - int (*process_label_set)(const char *label, struct lxc_conf *conf,
> > > - bool on_exec);
> > > -+ int (*keyring_label_set)(char* label);
> > > - int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
> > > - void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
> > > - };
> > > -@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
> > > - extern int lsm_process_label_set_at(int label_fd, const char *label,
> > > - bool on_exec);
> > > - extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
> > > -+extern int lsm_keyring_label_set(char *label);
> > > -
> > > - #endif /* __LXC_LSM_H */
> > > -diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> > > -index 625bcae90..b3d95c310 100644
> > > ---- a/src/lxc/lsm/selinux.c
> > > -+++ b/src/lxc/lsm/selinux.c
> > > -@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
> > > - return 0;
> > > - }
> > > -
> > > -+/*
> > > -+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
> > > -+ *
> > > -+ * @label : label string
> > > -+ *
> > > -+ * Returns 0 on success, < 0 on failure
> > > -+ */
> > > -+static int selinux_keyring_label_set(char *label)
> > > -+{
> > > -+ return setkeycreatecon_raw(label);
> > > -+};
> > > -+
> > > - static struct lsm_drv selinux_drv = {
> > > - .name = "SELinux",
> > > - .enabled = is_selinux_enabled,
> > > - .process_label_get = selinux_process_label_get,
> > > - .process_label_set = selinux_process_label_set,
> > > -+ .keyring_label_set = selinux_keyring_label_set,
> > > - };
> > > -
> > > - struct lsm_drv *lsm_selinux_drv_init(void)
> > > -diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> > > -index bf4a9c2cb..90852eb87 100644
> > > ---- a/src/lxc/utils.c
> > > -+++ b/src/lxc/utils.c
> > > -@@ -48,6 +48,7 @@
> > > -
> > > - #include "config.h"
> > > - #include "log.h"
> > > -+#include "lsm/lsm.h"
> > > - #include "lxclock.h"
> > > - #include "memory_utils.h"
> > > - #include "namespace.h"
> > > -@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
> > > - return r;
> > > - }
> > > -
> > > --int lxc_setup_keyring(void)
> > > -+int lxc_setup_keyring(char *keyring_label)
> > > - {
> > > - key_serial_t keyring;
> > > - int ret = 0;
> > > -
> > > -+ if (keyring_label) {
> > > -+ if (lsm_keyring_label_set(keyring_label) < 0) {
> > > -+ ERROR("Couldn't set keyring label");
> > > -+ }
> > > -+ }
> > > -+
> > > - /* Try to allocate a new session keyring for the container to prevent
> > > - * information leaks.
> > > - */
> > > -diff --git a/src/lxc/utils.h b/src/lxc/utils.h
> > > -index dd6404f0b..7560711b7 100644
> > > ---- a/src/lxc/utils.h
> > > -+++ b/src/lxc/utils.h
> > > -@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
> > > - extern int lxc_set_death_signal(int signal, pid_t parent);
> > > - extern int fd_cloexec(int fd, bool cloexec);
> > > - extern int recursive_destroy(char *dirname);
> > > --extern int lxc_setup_keyring(void);
> > > -+extern int lxc_setup_keyring(char *keyring_label);
> > > -
> > > - #endif /* __LXC_UTILS_H */
> > > ---
> > > -2.24.1
> > > -
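Review bot: the dropped keyring-label patch carries no Upstream-Status tag, so this deletion needs the commit message to name the upstream commit that supersedes it (or to state that lxc.selinux.context.keyring and lsm_keyring_label_set are present in the 4.0.1 sources); "drop some patches contained in this released" cannot be checked on its own. One behavioural detail to re-check against 4.0.1 while doing so: the removed lxc_setup_keyring() only logged ERROR("Couldn't set keyring label") and carried on when lsm_keyring_label_set() returned < 0, so a policy that refuses the key-creation context still produced a session keyring with the inherited label instead of a container start failure. If the upstream version treats that error as fatal, SELinux-enabled images that relied on the soft failure behave differently after the uprev, and that is worth a sentence in the commit message.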
> > > diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > > deleted file mode 100644
> > > index 9d5b5b8..0000000
> > > --- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
> > > +++ /dev/null
> > > @@ -1,46 +0,0 @@
> > > -From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
> > > -From: Patrick Havelange <patrick.havelange@essensium.com>
> > > -Date: Tue, 22 Oct 2019 12:29:54 +0200
> > > -Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
> > > - memfd_create_lxc
> > > -
> > > -In case the internal memfd_create has to be used, make sure we don't
> > > -clash with the already existing memfd_create function from glibc.
> > > -
> > > -This can happen if this glibc function is a stub. In this case, at
> > > -./configure time, the test for this function will return false, however
> > > -the declaration of that function is still available. This leads to
> > > -compilation errors.
> > > -
> > > -Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
> > > -
> > > -Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
> > > -(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
> > > -Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
> > > ----
> > > - v2: added Upstream-Status
> > > -
> > > - src/lxc/syscall_wrappers.h | 3 ++-
> > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > -
> > > -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
> > > -index ce67da5b5308..b7edba63f5d7 100644
> > > ---- a/src/lxc/syscall_wrappers.h
> > > -+++ b/src/lxc/syscall_wrappers.h
> > > -@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
> > > - #endif
> > > -
> > > - #ifndef HAVE_MEMFD_CREATE
> > > --static inline int memfd_create(const char *name, unsigned int flags) {
> > > -+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
> > > - #ifndef __NR_memfd_create
> > > - #if defined __i386__
> > > - #define __NR_memfd_create 356
> > > -@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
> > > - return -1;
> > > - #endif
> > > - }
> > > -+#define memfd_create memfd_create_lxc
> > > - #else
> > > - extern int memfd_create(const char *name, unsigned int flags);
> > > - #endif
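Review bot: this is the one dropped patch with a full provenance trail (Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168], cherry picked from 40b06c78773dfd5e12e568a576b1abb133f61b71), so the commit message should say that 4.0.1 contains that commit rather than the generic "contained in this released". The rename only mattered when the configure check for memfd_create fails while glibc still declares the function (the stub case described in the patch body), so please confirm the 4.0.1 build was exercised with the toolchain configuration that originally hit the compilation error; a regression here will not show up on hosts where HAVE_MEMFD_CREATE is set.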
> > > diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > > deleted file mode 100644
> > > index 34647c8..0000000
> > > --- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
> > > +++ /dev/null
> > > @@ -1,217 +0,0 @@
> > > -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
> > > -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > -Date: Thu, 30 Jan 2020 19:21:10 +0100
> > > -Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
> > > - creation
> > > -
> > > -lxc set's up a new session keyring for every container by default.
> > > -There might be valid use-cases where this is not wanted / needed
> > > -(e.g. systemd by default creates a new session keyring anyway).
> > > -
> > > -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > ----
> > > - src/lxc/conf.c | 19 ++++++++++--------
> > > - src/lxc/conf.h | 1 +
> > > - src/lxc/confile.c | 44 ++++++++++++++++++++++-------------------
> > > - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
> > > - src/lxc/confile_utils.h | 2 ++
> > > - 5 files changed, 62 insertions(+), 28 deletions(-)
> > > -
> > > -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > -index b06fbf047..be4761a54 100644
> > > ---- a/src/lxc/conf.c
> > > -+++ b/src/lxc/conf.c
> > > -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
> > > - lxc_list_init(&new->lsm_aa_raw);
> > > - new->lsm_se_context = NULL;
> > > - new->lsm_se_keyring_context = NULL;
> > > -+ new->keyring_disable_session = false;
> > > - new->tmp_umount_proc = false;
> > > - new->tmp_umount_proc = 0;
> > > - new->shmount.path_host = NULL;
> > > -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
> > > - }
> > > - }
> > > -
> > > -- if (lxc_conf->lsm_se_keyring_context) {
> > > -- keyring_context = lxc_conf->lsm_se_keyring_context;
> > > -- } else if (lxc_conf->lsm_se_context) {
> > > -- keyring_context = lxc_conf->lsm_se_context;
> > > -- }
> > > -+ if (!lxc_conf->keyring_disable_session) {
> > > -+ if (lxc_conf->lsm_se_keyring_context) {
> > > -+ keyring_context = lxc_conf->lsm_se_keyring_context;
> > > -+ } else if (lxc_conf->lsm_se_context) {
> > > -+ keyring_context = lxc_conf->lsm_se_context;
> > > -+ }
> > > -
> > > -- ret = lxc_setup_keyring(keyring_context);
> > > -- if (ret < 0)
> > > -- return -1;
> > > -+ ret = lxc_setup_keyring(keyring_context);
> > > -+ if (ret < 0)
> > > -+ return -1;
> > > -+ }
> > > -
> > > - if (handler->ns_clone_flags & CLONE_NEWNET) {
> > > - ret = lxc_setup_network_in_child_namespaces(lxc_conf,
> > > -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> > > -index bb47b720e..b81786838 100644
> > > ---- a/src/lxc/conf.h
> > > -+++ b/src/lxc/conf.h
> > > -@@ -296,6 +296,7 @@ struct lxc_conf {
> > > - struct lxc_list lsm_aa_raw;
> > > - char *lsm_se_context;
> > > - char *lsm_se_keyring_context;
> > > -+ bool keyring_disable_session;
> > > - bool tmp_umount_proc;
> > > - struct lxc_seccomp seccomp;
> > > - int maincmd_fd;
> > > -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> > > -index df184af73..fd8b3aaba 100644
> > > ---- a/src/lxc/confile.c
> > > -+++ b/src/lxc/confile.c
> > > -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
> > > - lxc_config_define(init_cwd);
> > > - lxc_config_define(init_gid);
> > > - lxc_config_define(init_uid);
> > > -+lxc_config_define(keyring_session);
> > > - lxc_config_define(log_file);
> > > - lxc_config_define(log_level);
> > > - lxc_config_define(log_syslog);
> > > -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
> > > - { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, },
> > > - { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, },
> > > - { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, },
> > > -+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session },
> > > - { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, },
> > > - { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, },
> > > - { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, },
> > > -@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
> > > - return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
> > > - }
> > > -
> > > -+static int set_config_keyring_session(const char *key, const char *value,
> > > -+ struct lxc_conf *lxc_conf, void *data)
> > > -+{
> > > -+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
> > > -+}
> > > -+
> > > - static int set_config_log_file(const char *key, const char *value,
> > > - struct lxc_conf *c, void *data)
> > > - {
> > > -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
> > > - static int set_config_rootfs_managed(const char *key, const char *value,
> > > - struct lxc_conf *lxc_conf, void *data)
> > > - {
> > > -- unsigned int val = 0;
> > > --
> > > -- if (lxc_config_value_empty(value)) {
> > > -- lxc_conf->rootfs.managed = true;
> > > -- return 0;
> > > -- }
> > > --
> > > -- if (lxc_safe_uint(value, &val) < 0)
> > > -- return -EINVAL;
> > > --
> > > -- switch (val) {
> > > -- case 0:
> > > -- lxc_conf->rootfs.managed = false;
> > > -- return 0;
> > > -- case 1:
> > > -- lxc_conf->rootfs.managed = true;
> > > -- return 0;
> > > -- }
> > > --
> > > -- return -EINVAL;
> > > -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
> > > - }
> > > -
> > > - static int set_config_rootfs_mount(const char *key, const char *value,
> > > -@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
> > > - return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
> > > - }
> > > -
> > > -+static int get_config_keyring_session(const char *key, char *retv, int inlen,
> > > -+ struct lxc_conf *c, void *data)
> > > -+{
> > > -+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
> > > -+}
> > > -+
> > > -
> > > - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
> > > - * just the value(s) will be printed. Since there still could be more than one,
> > > -@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
> > > - return 0;
> > > - }
> > > -
> > > -+static inline int clr_config_keyring_session(const char *key,
> > > -+ struct lxc_conf *c, void *data)
> > > -+{
> > > -+ c->keyring_disable_session = false;
> > > -+ return 0;
> > > -+}
> > > -+
> > > - static inline int clr_config_cgroup_controller(const char *key,
> > > - struct lxc_conf *c, void *data)
> > > - {
> > > -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
> > > - strprint(retv, inlen, "order\n");
> > > - } else if (!strcmp(key, "lxc.monitor")) {
> > > - strprint(retv, inlen, "unshare\n");
> > > -+ } else if (!strcmp(key, "lxc.keyring")) {
> > > -+ strprint(retv, inlen, "session\n");
> > > - } else {
> > > - fulllen = -1;
> > > - }
> > > -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
> > > -index 6941f4026..02e48454b 100644
> > > ---- a/src/lxc/confile_utils.c
> > > -+++ b/src/lxc/confile_utils.c
> > > -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
> > > - return set_config_string_item_max(conf_item, value, PATH_MAX);
> > > - }
> > > -
> > > -+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
> > > -+{
> > > -+ unsigned int val = 0;
> > > -+
> > > -+ if (lxc_config_value_empty(value)) {
> > > -+ *conf_item = empty_conf_action;
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ if (lxc_safe_uint(value, &val) < 0)
> > > -+ return -EINVAL;
> > > -+
> > > -+ switch (val) {
> > > -+ case 0:
> > > -+ *conf_item = false;
> > > -+ return 0;
> > > -+ case 1:
> > > -+ *conf_item = true;
> > > -+ return 0;
> > > -+ }
> > > -+
> > > -+ return -EINVAL;
> > > -+}
> > > -+
> > > - int config_ip_prefix(struct in_addr *addr)
> > > - {
> > > - if (IN_CLASSA(addr->s_addr))
> > > -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
> > > -index f68f9604f..83d49bace 100644
> > > ---- a/src/lxc/confile_utils.h
> > > -+++ b/src/lxc/confile_utils.h
> > > -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
> > > - extern int set_config_string_item_max(char **conf_item, const char *value,
> > > - size_t max);
> > > - extern int set_config_path_item(char **conf_item, const char *value);
> > > -+extern int set_config_bool_item(bool *conf_item, const char *value,
> > > -+ bool empty_conf_action);
> > > - extern int config_ip_prefix(struct in_addr *addr);
> > > - extern int network_ifname(char *valuep, const char *value, size_t size);
> > > - extern void rand_complete_hwaddr(char *hwaddr);
> > > ---
> > > -2.24.1
> > > -
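Review bot: as with the keyring-label patch there is no Upstream-Status line to point at, and the option's polarity must be checked against what 4.0.1 ships before existing container configs are carried over: the removed setter stores the parsed value directly, return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);, so lxc.keyring.session = 1 turned session keyring creation off, which is the opposite of what the key name suggests, while the unset default (false) kept the 3.2.1 behaviour of a fresh keyring per container. If the 4.0.1 semantics of lxc.keyring.session differ, containers configured under the 3.2.1 recipe silently flip between sharing the parent's session keyring and getting a new one; a sentence in the commit message stating which behaviour 4.0.1 has would settle it.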
> > > diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > > deleted file mode 100644
> > > index aa1aecd..0000000
> > > --- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
> > > +++ /dev/null
> > > @@ -1,94 +0,0 @@
> > > -From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
> > > -From: Christian Brauner <christian.brauner@ubuntu.com>
> > > -Date: Fri, 26 Jul 2019 08:20:02 +0200
> > > -Subject: [PATCH] network: restore ability to move nl80211 devices
> > > -
> > > -Closes #3105.
> > > -Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > ----
> > > - src/lxc/network.c | 31 +++++++++++++++++--------------
> > > - 1 file changed, 17 insertions(+), 14 deletions(-)
> > > -
> > > -diff --git a/src/lxc/network.c b/src/lxc/network.c
> > > -index 9755116..7684f95 100644
> > > ---- a/src/lxc/network.c
> > > -+++ b/src/lxc/network.c
> > > -@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
> > > - static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> > > - const char *newname)
> > > - {
> > > -- char *cmd;
> > > -+ __do_free char *cmd = NULL;
> > > - pid_t fpid;
> > > -- int err = -1;
> > > -
> > > - /* Move phyN into the container. TODO - do this using netlink.
> > > - * However, IIUC this involves a bit more complicated work to talk to
> > > - * the 80211 module, so for now just call out to iw.
> > > - */
> > > - cmd = on_path("iw", NULL);
> > > -- if (!cmd)
> > > -- goto out1;
> > > -- free(cmd);
> > > -+ if (!cmd) {
> > > -+ return -1;
> > > -+ }
> > > -
> > > - fpid = fork();
> > > - if (fpid < 0)
> > > -- goto out1;
> > > -+ return -1;
> > > -
> > > - if (fpid == 0) {
> > > - char pidstr[30];
> > > -@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
> > > - }
> > > -
> > > - if (wait_for_pid(fpid))
> > > -- goto out1;
> > > -+ return -1;
> > > -
> > > -- err = 0;
> > > - if (newname)
> > > -- err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> > > -+ return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
> > > -
> > > --out1:
> > > -- free(physname);
> > > -- return err;
> > > -+ return 0;
> > > - }
> > > -
> > > - int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
> > > - {
> > > -+ __do_free char *physname = NULL;
> > > - int index;
> > > -- char *physname;
> > > -
> > > - if (!ifname)
> > > - return -EINVAL;
> > > -@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
> > > - return 0;
> > > -
> > > - lxc_list_for_each(iterator, network) {
> > > -+ __do_free char *physname = NULL;
> > > - int ret;
> > > - struct lxc_netdev *netdev = iterator->elem;
> > > -
> > > - if (!netdev->ifindex)
> > > - continue;
> > > -
> > > -- ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> > > -+ if (netdev->type == LXC_NET_PHYS)
> > > -+ physname = is_wlan(netdev->link);
> > > -+
> > > -+ if (physname)
> > > -+ ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
> > > -+ else
> > > -+ ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
> > > - if (ret) {
> > > - errno = -ret;
> > > - SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
> > > ---
> > > -2.7.4
> > > -
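Review bot: the dropped nl80211 patch also lacks an Upstream-Status line, but its From line (3dd7829433f63b2ec1323a1f237efa7d67ea6e2b, "Closes #3105") identifies the upstream commit, so the commit message should state that 4.0.1 contains it. A functional check on a board with a phys-type wireless link is worthwhile: this patch is what made lxc_network_move_created_netdev_priv() route LXC_NET_PHYS wlan devices through lxc_netdev_move_wlan() (the iw-based path) instead of lxc_netdev_move_by_index(), so if 4.0.1 has no equivalent, moving an nl80211 device into a container regresses to the failure #3105 describes.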
> > > diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
> > > similarity index 92%
> > > rename from recipes-containers/lxc/lxc_3.2.1.bb
> > > rename to recipes-containers/lxc/lxc_4.0.1.bb
> > > index 9592dd9..a3de38e 100644
> > > --- a/recipes-containers/lxc/lxc_3.2.1.bb
> > > +++ b/recipes-containers/lxc/lxc_4.0.1.bb
> > > @@ -1,7 +1,7 @@
> > > DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
> > > SECTION = "console/utils"
> > > LICENSE = "LGPLv2.1"
> > > -LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
> > > +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> > > DEPENDS = "libxml2 libcap"
> > > RDEPENDS_${PN} = " \
> > > rsync \
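Review bot: the LIC_FILES_CHKSUM change is not mentioned in the commit message while LICENSE stays LGPLv2.1; please state what changed in COPYING (reformatting or a different license text) so a reviewer can confirm the LICENSE field is still right without re-deriving it from the tarball. While touching this block, the DESCRIPTION typo "functionnalities" could be fixed in the same update.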
> > > @@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
> > > file://templates-use-curl-instead-of-wget.patch \
> > > file://tests-our-init-is-not-busybox.patch \
> > > file://tests-add-no-validate-when-using-download-template.patch \
> > > - file://network-restore-ability-to-move-nl80211-devices.patch \
> > > - file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
> > > - file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
> > > file://dnsmasq.conf \
> > > file://lxc-net \
> > > - file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
> > > "
> > >
> > > -SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
> > > -SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
> > > +SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
> > > +SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
> > >
> > > S = "${WORKDIR}/${BPN}-${PV}"
> > >
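Review bot: the patches that remain in SRC_URI (the three visible context lines plus logs-optionally-use-base-filenames-to-report-src-fil.patch, which Mark's follow-up in this thread names) were not refreshed against the 4.0.1 tree, and the follow-up shows the result: "Hunk #1 succeeded at 378 with fuzz 1 (offset 22 lines)" on configure.ac. An uprev that drops superseded patches should regenerate the surviving ones in the same series so do_patch applies them without fuzz. Minor: with sha256sum updated, the md5sum line is redundant and can be dropped here.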
> > > --
> > > 2.18.2
> > >
> >
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
* Re: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
2020-04-14 18:45 ` Bruce Ashfield
@ 2020-04-14 18:47 ` Mark Asselstine
0 siblings, 0 replies; 5+ messages in thread
From: Mark Asselstine @ 2020-04-14 18:47 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: Xu, Yanfei, meta-virtualization
On Tuesday, April 14, 2020 2:45:36 P.M. EDT Bruce Ashfield wrote:
> On Tue, Apr 14, 2020 at 2:39 PM Mark Asselstine <mark.asselstine@windriver.com> wrote:
> > On Mon, Apr 13, 2020 at 1:54 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
> > > Thanks for the quick turnaround on the uprev! We are much
> > > better off with the LTS version.
> > >
> > > Everything worked here, so this is now merged.
> >
> > This appears to have caused some patch fuzz
> >
> > Applying patch logs-optionally-use-base-filenames-to-report-src-fil.patch
> > patching file configure.ac
> > Hunk #1 succeeded at 378 with fuzz 1 (offset 22 lines).
> > patching file src/lxc/log.h
> > Hunk #1 succeeded at 47 (offset -30 lines).
> >
> > Yanfei, can you confirm and refresh the patch?
>
> I noticed this myself when testing the license patches and am refreshing
> now.
Perfect. Thanks Bruce.
Mark
>
> Bruce
>
> > Mark
> >
> > > Bruce
> > >
> > > In message: [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1
> > >
> > > on 09/04/2020 yanfei.xu@windriver.com wrote:
> > > > prevent
> > > > - * information leaks.
> > > > - */
> > > > -diff --git a/src/lxc/utils.h b/src/lxc/utils.h
> > > > -index dd6404f0b..7560711b7 100644
> > > > ---- a/src/lxc/utils.h
> > > > -+++ b/src/lxc/utils.h
> > > > -@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
> > > > - extern int lxc_set_death_signal(int signal, pid_t parent);
> > > > - extern int fd_cloexec(int fd, bool cloexec);
> > > > - extern int recursive_destroy(char *dirname);
> > > > --extern int lxc_setup_keyring(void);
> > > > -+extern int lxc_setup_keyring(char *keyring_label);
> > > > -
> > > > - #endif /* __LXC_UTILS_H */
> > > > ---
> > > > -2.24.1
> > > > -
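Review bot: the removal of the keyring SELinux-context patch is not tied to any upstream commit in this hunk; the deleted file changes the LSM driver interface (lsm_keyring_label_set() in lsm.c/lsm.h, selinux_keyring_label_set() in selinux.c) and the signature of lxc_setup_keyring() in utils.c/utils.h, so please cite in the commit message the upstream commit or release note that carries lxc.selinux.context.keyring in 4.0.1, so the drop can be verified without diffing the tarball by hand.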
> > > > diff --git
> > > > a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-
> > > > memfd_create-to-mem.patch
> > > > b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-
> > > > memfd_create-to-mem.patch deleted file mode 100644
> > > > index 9d5b5b8..0000000
> > > > ---
> > > > a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-
> > > > memfd_create-to-mem.patch +++ /dev/null
> > > > @@ -1,46 +0,0 @@
> > > > -From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00
> > > > 2001
> > > > -From: Patrick Havelange <patrick.havelange@essensium.com>
> > > > -Date: Tue, 22 Oct 2019 12:29:54 +0200
> > > > -Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
> > > > - memfd_create_lxc
> > > > -
> > > > -In case the internal memfd_create has to be used, make sure we don't
> > > > -clash with the already existing memfd_create function from glibc.
> > > > -
> > > > -This can happen if this glibc function is a stub. In this case, at
> > > > -./configure time, the test for this function will return false,
> > > > however
> > > > -the declaration of that function is still available. This leads to
> > > > -compilation errors.
> > > > -
> > > > -Upstream-Status: Backport [lxc-3.2.1
> > > > https://github.com/lxc/lxc/pull/3168]
> > > > -
> > > > -Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
> > > > -(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
> > > > -Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
> > > > ----
> > > > - v2: added Upstream-Status
> > > > -
> > > > - src/lxc/syscall_wrappers.h | 3 ++-
> > > > - 1 file changed, 2 insertions(+), 1 deletion(-)
> > > > -
> > > > -diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
> > > > -index ce67da5b5308..b7edba63f5d7 100644
> > > > ---- a/src/lxc/syscall_wrappers.h
> > > > -+++ b/src/lxc/syscall_wrappers.h
> > > > -@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long
> > > > arg2, unsigned long arg3, - #endif
> > > > -
> > > > - #ifndef HAVE_MEMFD_CREATE
> > > > --static inline int memfd_create(const char *name, unsigned int flags)
> > > > {
> > > > -+static inline int memfd_create_lxc(const char *name, unsigned int
> > > > flags) { - #ifndef __NR_memfd_create
> > > > - #if defined __i386__
> > > > - #define __NR_memfd_create 356
> > > > -@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name,
> > > > unsigned int flags) { - return -1;
> > > > - #endif
> > > > - }
> > > > -+#define memfd_create memfd_create_lxc
> > > > - #else
> > > > - extern int memfd_create(const char *name, unsigned int flags);
> > > > - #endif
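Review bot: dropping this one is well supported by the file itself: its header carries "Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]" and names the cherry-picked commit 40b06c78773dfd5e12e568a576b1abb133f61b71, so a reviewer can confirm the memfd_create_lxc rename is in the 4.0.1 tree. A one-line mention in the commit message that the backport is now provided by the new upstream tarball would make the recipe history self-explanatory.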
> > > > diff --git
> > > > a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disa
> > > > ble-session-keyring.patch
> > > > b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disa
> > > > ble-session-keyring.patch deleted file mode 100644
> > > > index 34647c8..0000000
> > > > ---
> > > > a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disa
> > > > ble-session-keyring.patch +++ /dev/null
> > > > @@ -1,217 +0,0 @@
> > > > -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00
> > > > 2001
> > > > -From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > > -Date: Thu, 30 Jan 2020 19:21:10 +0100
> > > > -Subject: [PATCH 3/3] container.conf: Add option to disable session
> > > > keyring
> > > > - creation
> > > > -
> > > > -lxc set's up a new session keyring for every container by default.
> > > > -There might be valid use-cases where this is not wanted / needed
> > > > -(e.g. systemd by default creates a new session keyring anyway).
> > > > -
> > > > -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
> > > > ----
> > > > - src/lxc/conf.c | 19 ++++++++++--------
> > > > - src/lxc/conf.h | 1 +
> > > > - src/lxc/confile.c | 44
> > > > ++++++++++++++++++++++-------------------
> > > > - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
> > > > - src/lxc/confile_utils.h | 2 ++
> > > > - 5 files changed, 62 insertions(+), 28 deletions(-)
> > > > -
> > > > -diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > > -index b06fbf047..be4761a54 100644
> > > > ---- a/src/lxc/conf.c
> > > > -+++ b/src/lxc/conf.c
> > > > -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
> > > > - lxc_list_init(&new->lsm_aa_raw);
> > > > - new->lsm_se_context = NULL;
> > > > - new->lsm_se_keyring_context = NULL;
> > > > -+ new->keyring_disable_session = false;
> > > > - new->tmp_umount_proc = false;
> > > > - new->tmp_umount_proc = 0;
> > > > - new->shmount.path_host = NULL;
> > > > -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
> > > > - }
> > > > - }
> > > > -
> > > > -- if (lxc_conf->lsm_se_keyring_context) {
> > > > -- keyring_context = lxc_conf->lsm_se_keyring_context;
> > > > -- } else if (lxc_conf->lsm_se_context) {
> > > > -- keyring_context = lxc_conf->lsm_se_context;
> > > > -- }
> > > > -+ if (!lxc_conf->keyring_disable_session) {
> > > > -+ if (lxc_conf->lsm_se_keyring_context) {
> > > > -+ keyring_context =
> > > > lxc_conf->lsm_se_keyring_context;
> > > > -+ } else if (lxc_conf->lsm_se_context) {
> > > > -+ keyring_context = lxc_conf->lsm_se_context;
> > > > -+ }
> > > > -
> > > > -- ret = lxc_setup_keyring(keyring_context);
> > > > -- if (ret < 0)
> > > > -- return -1;
> > > > -+ ret = lxc_setup_keyring(keyring_context);
> > > > -+ if (ret < 0)
> > > > -+ return -1;
> > > > -+ }
> > > > -
> > > > - if (handler->ns_clone_flags & CLONE_NEWNET) {
> > > > - ret = lxc_setup_network_in_child_namespaces(lxc_conf,
> > > > -diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> > > > -index bb47b720e..b81786838 100644
> > > > ---- a/src/lxc/conf.h
> > > > -+++ b/src/lxc/conf.h
> > > > -@@ -296,6 +296,7 @@ struct lxc_conf {
> > > > - struct lxc_list lsm_aa_raw;
> > > > - char *lsm_se_context;
> > > > - char *lsm_se_keyring_context;
> > > > -+ bool keyring_disable_session;
> > > > - bool tmp_umount_proc;
> > > > - struct lxc_seccomp seccomp;
> > > > - int maincmd_fd;
> > > > -diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> > > > -index df184af73..fd8b3aaba 100644
> > > > ---- a/src/lxc/confile.c
> > > > -+++ b/src/lxc/confile.c
> > > > -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
> > > > - lxc_config_define(init_cwd);
> > > > - lxc_config_define(init_gid);
> > > > - lxc_config_define(init_uid);
> > > > -+lxc_config_define(keyring_session);
> > > > - lxc_config_define(log_file);
> > > > - lxc_config_define(log_level);
> > > > - lxc_config_define(log_syslog);
> > > > -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] =
> > > > {
> > > > - { "lxc.init.gid", set_config_init_gid,
> > > > get_config_init_gid,
> > > > clr_config_init_gid, }, - { "lxc.init.uid",
> > > > set_config_init_uid,
> > > > get_config_init_uid, clr_config_init_uid,
> > > > }, - { "lxc.init.cwd",
> > > > set_config_init_cwd, get_config_init_cwd,
> > > > clr_config_init_cwd, }, -+ {
> > > > "lxc.keyring.session", set_config_keyring_session,
> > > > get_config_keyring_session, clr_config_keyring_session
> > > > }, - { "lxc.log.file",
> > > > set_config_log_file, get_config_log_file,
> > > > clr_config_log_file, }, - {
> > > > "lxc.log.level", set_config_log_level,
> > > > get_config_log_level, clr_config_log_level,
> > > > }, - { "lxc.log.syslog",
> > > > set_config_log_syslog, get_config_log_syslog,
> > > > clr_config_log_syslog, }, -@@ -1497,6
> > > > +1499,12 @@ static int set_config_selinux_context_keyring(const char
> > > > *key, const char *value - return
> > > > set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); - }
> > > > -
> > > > -+static int set_config_keyring_session(const char *key, const char
> > > > *value,
> > > > -+ struct lxc_conf *lxc_conf, void
> > > > *data)
> > > > -+{
> > > > -+ return set_config_bool_item(&lxc_conf->keyring_disable_session,
> > > > value, false); -+}
> > > > -+
> > > > - static int set_config_log_file(const char *key, const char *value,
> > > > - struct lxc_conf *c, void *data)
> > > > - {
> > > > -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char
> > > > *key, const char *value, - static int set_config_rootfs_managed(const
> > > > char *key, const char *value, -
> > > > struct lxc_conf *lxc_conf, void *data) - {
> > > > -- unsigned int val = 0;
> > > > --
> > > > -- if (lxc_config_value_empty(value)) {
> > > > -- lxc_conf->rootfs.managed = true;
> > > > -- return 0;
> > > > -- }
> > > > --
> > > > -- if (lxc_safe_uint(value, &val) < 0)
> > > > -- return -EINVAL;
> > > > --
> > > > -- switch (val) {
> > > > -- case 0:
> > > > -- lxc_conf->rootfs.managed = false;
> > > > -- return 0;
> > > > -- case 1:
> > > > -- lxc_conf->rootfs.managed = true;
> > > > -- return 0;
> > > > -- }
> > > > --
> > > > -- return -EINVAL;
> > > > -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value,
> > > > true);
> > > > - }
> > > > -
> > > > - static int set_config_rootfs_mount(const char *key, const char
> > > > *value,
> > > > -@@ -3559,6 +3548,12 @@ static int
> > > > get_config_selinux_context_keyring(const char *key, char *retv, int i
> > > > - return lxc_get_conf_str(retv, inlen,
> > > > c->lsm_se_keyring_context); - }
> > > > -
> > > > -+static int get_config_keyring_session(const char *key, char *retv,
> > > > int inlen, -+ struct lxc_conf *c,
> > > > void *data) -+{
> > > > -+ return lxc_get_conf_bool(c, retv, inlen,
> > > > c->keyring_disable_session);
> > > > -+}
> > > > -+
> > > > -
> > > > - /* If you ask for a specific cgroup value, i.e.
> > > > lxc.cgroup.devices.list, then - * just the value(s) will be printed.
> > > > Since there still could be more than one, -@@ -4428,6 +4423,13 @@
> > > > static inline int clr_config_selinux_context_keyring(const char *key,
> > > > - return 0;
> > > > - }
> > > > -
> > > > -+static inline int clr_config_keyring_session(const char *key,
> > > > -+ struct lxc_conf *c, void
> > > > *data)
> > > > -+{
> > > > -+ c->keyring_disable_session = false;
> > > > -+ return 0;
> > > > -+}
> > > > -+
> > > > - static inline int clr_config_cgroup_controller(const char *key,
> > > > - struct lxc_conf *c, void
> > > > *data) - {
> > > > -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf,
> > > > const char *key, char *retv, - strprint(retv, inlen,
> > > > "order\n");
> > > > - } else if (!strcmp(key, "lxc.monitor")) {
> > > > - strprint(retv, inlen, "unshare\n");
> > > > -+ } else if (!strcmp(key, "lxc.keyring")) {
> > > > -+ strprint(retv, inlen, "session\n");
> > > > - } else {
> > > > - fulllen = -1;
> > > > - }
> > > > -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
> > > > -index 6941f4026..02e48454b 100644
> > > > ---- a/src/lxc/confile_utils.c
> > > > -+++ b/src/lxc/confile_utils.c
> > > > -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const
> > > > char *value) - return set_config_string_item_max(conf_item,
> > > > value, PATH_MAX); - }
> > > > -
> > > > -+int set_config_bool_item(bool *conf_item, const char *value, bool
> > > > empty_conf_action) -+{
> > > > -+ unsigned int val = 0;
> > > > -+
> > > > -+ if (lxc_config_value_empty(value)) {
> > > > -+ *conf_item = empty_conf_action;
> > > > -+ return 0;
> > > > -+ }
> > > > -+
> > > > -+ if (lxc_safe_uint(value, &val) < 0)
> > > > -+ return -EINVAL;
> > > > -+
> > > > -+ switch (val) {
> > > > -+ case 0:
> > > > -+ *conf_item = false;
> > > > -+ return 0;
> > > > -+ case 1:
> > > > -+ *conf_item = true;
> > > > -+ return 0;
> > > > -+ }
> > > > -+
> > > > -+ return -EINVAL;
> > > > -+}
> > > > -+
> > > > - int config_ip_prefix(struct in_addr *addr)
> > > > - {
> > > > - if (IN_CLASSA(addr->s_addr))
> > > > -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
> > > > -index f68f9604f..83d49bace 100644
> > > > ---- a/src/lxc/confile_utils.h
> > > > -+++ b/src/lxc/confile_utils.h
> > > > -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item,
> > > > const char *value); - extern int set_config_string_item_max(char
> > > > **conf_item, const char *value, -
> > > > size_t max);
> > > > - extern int set_config_path_item(char **conf_item, const char
> > > > *value);
> > > > -+extern int set_config_bool_item(bool *conf_item, const char *value,
> > > > -+ bool empty_conf_action);
> > > > - extern int config_ip_prefix(struct in_addr *addr);
> > > > - extern int network_ifname(char *valuep, const char *value, size_t
> > > > size);
> > > > - extern void rand_complete_hwaddr(char *hwaddr);
> > > > ---
> > > > -2.24.1
> > > > -
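Review bot: the deleted 0002-container.conf-Add-option-to-disable-session-keyring.patch has no Upstream-Status tag in its header (only From, Date, Subject and Signed-off-by), so unlike the memfd_create patch nothing in the recipe tree records that lxc.keyring.session landed upstream; please name the upstream commit in the commit message. Note also that this patch bundled the generic set_config_bool_item() helper in confile_utils.c and the set_config_rootfs_managed() refactor in confile.c, so confirm that 4.0.1 carries those as well and not only the keyring option.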
> > > > diff --git
> > > > a/recipes-containers/lxc/files/network-restore-ability-to-move-nl8021
> > > > 1-devices.patch
> > > > b/recipes-containers/lxc/files/network-restore-ability-to-move-nl8021
> > > > 1-devices.patch deleted file mode 100644
> > > > index aa1aecd..0000000
> > > > ---
> > > > a/recipes-containers/lxc/files/network-restore-ability-to-move-nl8021
> > > > 1-devices.patch +++ /dev/null
> > > > @@ -1,94 +0,0 @@
> > > > -From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00
> > > > 2001
> > > > -From: Christian Brauner <christian.brauner@ubuntu.com>
> > > > -Date: Fri, 26 Jul 2019 08:20:02 +0200
> > > > -Subject: [PATCH] network: restore ability to move nl80211 devices
> > > > -
> > > > -Closes #3105.
> > > > -Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
> > > > ----
> > > > - src/lxc/network.c | 31 +++++++++++++++++--------------
> > > > - 1 file changed, 17 insertions(+), 14 deletions(-)
> > > > -
> > > > -diff --git a/src/lxc/network.c b/src/lxc/network.c
> > > > -index 9755116..7684f95 100644
> > > > ---- a/src/lxc/network.c
> > > > -+++ b/src/lxc/network.c
> > > > -@@ -1248,22 +1248,21 @@ static int
> > > > lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old, -
> > > > static int lxc_netdev_move_wlan(char *physname, const char *ifname,
> > > > pid_t pid, - const char *newname)
> > > > - {
> > > > -- char *cmd;
> > > > -+ __do_free char *cmd = NULL;
> > > > - pid_t fpid;
> > > > -- int err = -1;
> > > > -
> > > > - /* Move phyN into the container. TODO - do this using netlink.
> > > > - * However, IIUC this involves a bit more complicated work to
> > > > talk to
> > > > - * the 80211 module, so for now just call out to iw.
> > > > - */
> > > > - cmd = on_path("iw", NULL);
> > > > -- if (!cmd)
> > > > -- goto out1;
> > > > -- free(cmd);
> > > > -+ if (!cmd) {
> > > > -+ return -1;
> > > > -+ }
> > > > -
> > > > - fpid = fork();
> > > > - if (fpid < 0)
> > > > -- goto out1;
> > > > -+ return -1;
> > > > -
> > > > - if (fpid == 0) {
> > > > - char pidstr[30];
> > > > -@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char
> > > > *physname, const char *ifname, pid_t pid, - }
> > > > -
> > > > - if (wait_for_pid(fpid))
> > > > -- goto out1;
> > > > -+ return -1;
> > > > -
> > > > -- err = 0;
> > > > - if (newname)
> > > > -- err = lxc_netdev_rename_by_name_in_netns(pid, ifname,
> > > > newname); -+ return
> > > > lxc_netdev_rename_by_name_in_netns(pid, ifname, newname); -
> > > > --out1:
> > > > -- free(physname);
> > > > -- return err;
> > > > -+ return 0;
> > > > - }
> > > > -
> > > > - int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const
> > > > char* newname) - {
> > > > -+ __do_free char *physname = NULL;
> > > > - int index;
> > > > -- char *physname;
> > > > -
> > > > - if (!ifname)
> > > > - return -EINVAL;
> > > > -@@ -3279,13 +3275,20 @@ int
> > > > lxc_network_move_created_netdev_priv(struct lxc_handler *handler) -
> > > > return 0;
> > > > -
> > > > - lxc_list_for_each(iterator, network) {
> > > > -+ __do_free char *physname = NULL;
> > > > - int ret;
> > > > - struct lxc_netdev *netdev = iterator->elem;
> > > > -
> > > > - if (!netdev->ifindex)
> > > > - continue;
> > > > -
> > > > -- ret = lxc_netdev_move_by_index(netdev->ifindex, pid,
> > > > NULL);
> > > > -+ if (netdev->type == LXC_NET_PHYS)
> > > > -+ physname = is_wlan(netdev->link);
> > > > -+
> > > > -+ if (physname)
> > > > -+ ret = lxc_netdev_move_wlan(physname,
> > > > netdev->link, pid, NULL); -+ else
> > > > -+ ret = lxc_netdev_move_by_index(netdev->ifindex,
> > > > pid, NULL); - if (ret) {
> > > > - errno = -ret;
> > > > - SYSERROR("Failed to move network device \"%s\"
> > > > with ifindex %d to network namespace %d", ---
> > > > -2.7.4
> > > > -
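Review bot: this deleted patch says "Closes #3105" and is signed off by the upstream maintainer, but like the keyring patches it carries no Upstream-Status line, so the recipe does not record that commit 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b (from the file's From line) is in 4.0.1; state that in the commit message. Because the patch restores moving physical nl80211 devices into the container (the lxc_netdev_move_wlan() path in lxc_network_move_created_netdev_priv()), a quick runtime check with a phys-type wireless device after the uprev is worth more than the tarball diff alone.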
> > > > diff --git a/recipes-containers/lxc/lxc_3.2.1.bb
> > > > b/recipes-containers/lxc/lxc_4.0.1.bb similarity index 92%
> > > > rename from recipes-containers/lxc/lxc_3.2.1.bb
> > > > rename to recipes-containers/lxc/lxc_4.0.1.bb
> > > > index 9592dd9..a3de38e 100644
> > > > --- a/recipes-containers/lxc/lxc_3.2.1.bb
> > > > +++ b/recipes-containers/lxc/lxc_4.0.1.bb
> > > > @@ -1,7 +1,7 @@
> > > >
> > > > DESCRIPTION = "lxc aims to use these new functionnalities to provide
> > > > an userspace container object" SECTION = "console/utils"
> > > > LICENSE = "LGPLv2.1"
> > > >
> > > > -LIC_FILES_CHKSUM =
> > > > "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
> > > > +LIC_FILES_CHKSUM =
> > > > "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
> > > >
> > > > DEPENDS = "libxml2 libcap"
> > > > RDEPENDS_${PN} = " \
> > > >
> > > > rsync \
> > > >
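Review bot: LIC_FILES_CHKSUM changes from 4fbd65380cdd255951079008b364516c to d32239bcb673463ab874e80d47fae504 while LICENSE stays "LGPLv2.1", and nothing in the change says why COPYING's checksum moved; please note in the commit message whether the license text itself changed or only its formatting, since reviewers need that to accept a checksum bump on an uprev.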
> > > > @@ -44,16 +44,12 @@ SRC_URI =
> > > > "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \> > >
> > > > file://templates-use-curl-instead-of-wget.patch \
> > > > file://tests-our-init-is-not-busybox.patch \
> > > > file://tests-add-no-validate-when-using-download-template.patch
> > > > \
> > > >
> > > > - file://network-restore-ability-to-move-nl80211-devices.patch \
> > > > -
> > > > file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patc
> > > > h \ -
> > > > file://0002-container.conf-Add-option-to-disable-session-keyring.patc
> > > > h \> > >
> > > > file://dnsmasq.conf \
> > > > file://lxc-net \
> > > >
> > > > -
> > > > file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patc
> > > > h \> > >
> > > > "
> > > >
> > > > -SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
> > > > -SRC_URI[sha256sum] =
> > > > "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
> > > > +SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
> > > > +SRC_URI[sha256sum] =
> > > > "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"> >
>
> > > > S = "${WORKDIR}/${BPN}-${PV}"
> > > >
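Review bot: the SRC_URI this hunk edits still fetches the tarball over plain http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz, so the new sha256sum 70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d is the only integrity check on the download; since the checksum lines are being replaced here anyway, consider switching the URL to https and stating in the commit message where the new md5sum/sha256sum values were taken from (upstream release announcement or signature) so they can be independently verified. The hunk counts are consistent: four file:// patch entries removed and two checksum lines replaced (-16/+12).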
> > > > --
> > > > 2.18.2
Thread overview: 5+ messages
2020-04-09 13:00 [meta-virtualization][PATCH] lxc: uprev from 3.2.1 to 4.0.1 Xu, Yanfei
2020-04-13 17:54 ` Bruce Ashfield
2020-04-14 18:39 ` Mark Asselstine
2020-04-14 18:45 ` Bruce Ashfield
2020-04-14 18:47 ` Mark Asselstine