From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
To: Bruce Ashfield <bruce.ashfield@gmail.com>
Cc: "meta-virtualization@yoctoproject.org"
	<meta-virtualization@yoctoproject.org>
Subject: Re: [PATCH] lxc: upstream fixes for lxc-execute
Date: Tue, 8 Mar 2016 11:03:28 +0000
Message-ID: <56DEB17F.3050003@nxp.com>
In-Reply-To: <CADkTA4NtVdvuimG7uL9EiyR8C8bTdTqhEY8KnHyaqYNyoWt28w@mail.gmail.com>

Thank you!

Could you kindly cherry-pick this commit on the jethro branch as well? Sorry I 
failed to mention this in the initial patch.

Thank you!
Bogdan P.

On 07.03.2016 18:33, Bruce Ashfield wrote:
> merged to master.
>
> Bruce
>
> On Mon, Feb 29, 2016 at 10:27 AM, Bogdan Purcareata <
> bogdan.purcareata@nxp.com> wrote:
>
>> These patches address some warnings that LXC throws when running
>> an application container. They are currently applied in the official
>> repository.
>>
>> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> ---
>>   ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
>>   ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69
>> ++++++++++++++++++++++
>>   ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
>>   recipes-containers/lxc/lxc_1.1.4.bb                |  3 +
>>   4 files changed, 148 insertions(+)
>>   create mode 100644
>> recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>>   create mode 100644
>> recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>>   create mode 100644
>> recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>>
>> diff --git
>> a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> new file mode 100644
>> index 0000000..751a7ac
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> @@ -0,0 +1,39 @@
>> +From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Fri, 8 Jan 2016 15:38:44 +0000
>> +Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
>> +
>> +When running application containers with lxc-execute, /dev is
>> +populated only with device entries. Since /dev is a tmpfs mount in
>> +the container environment, the /dev/shm folder not being present is not
>> +a sufficient reason for the /dev/shm mount to fail.
>> +
>> +Create the /dev/shm directory if not present.
>> +
>> +Upstream-status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/initutils.c | 4 ++++
>> + 1 file changed, 4 insertions(+)
>> +
>> +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
>> +index 45df60f..8d9016c 100644
>> +--- a/src/lxc/initutils.c
>> ++++ b/src/lxc/initutils.c
>> +@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
>> +       if (mount_fs("proc", "/proc", "proc"))
>> +               INFO("failed to remount proc");
>> +
>> ++      /* if /dev has been populated by us, /dev/shm does not exist */
>> ++      if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
>> ++              INFO("failed to create /dev/shm");
>> ++
>> +       /* if we can't mount /dev/shm, continue anyway */
>> +       if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
>> +               INFO("failed to mount /dev/shm");
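Review bot: the fallback directory is created world-writable without the sticky bit (`mkdir("/dev/shm", 0777)`); if the tmpfs mount on the following lines fails, which the existing comment says is tolerated, the container keeps a 0777 /dev/shm where any user can unlink another user's segments. Use 01777, the mode /dev/shm conventionally carries once tmpfs is mounted on it, so the degraded case is no weaker than the mounted one; the mode is also still subject to the caller's umask. A minor point: `access("/dev/shm", F_OK)` failing for a reason other than ENOENT also triggers the mkdir, which is harmless here because the failure only logs.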
>> +--
>> +1.9.1
>> +
>> diff --git
>> a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> new file mode 100644
>> index 0000000..c3afd85
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> @@ -0,0 +1,69 @@
>> +From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Wed, 20 Jan 2016 10:53:57 +0000
>> +Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is
>> defined
>> +
>> +The safe_mount function was introduced in order to address CVE-2015-1335,
>> +one of the vulnerabilities being a mount with a symlink for the
>> +destination path. In scenarios such as lxc-execute with no rootfs, the
>> +destination path is the host /proc, which is previously mounted by the
>> +host, and is unmounted and mounted again in a new set of namespaces,
>> +therefore eliminating the need to check for it being a symlink.
>> +
>> +Mount the rootfs normally if the rootfs is NULL, keep the safe mount
>> +only for scenarios where a different rootfs is defined.
>> +
>> +Upstream-status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/conf.c  |  1 +
>> + src/lxc/utils.c | 10 +++++++++-
>> + 2 files changed, 10 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c
>> +index 632dde3..1e30c0c 100644
>> +--- a/src/lxc/conf.c
>> ++++ b/src/lxc/conf.c
>> +@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
>> +       return 0;
>> + }
>> +
>> ++/* NOTE: not to be called from inside the container namespace! */
>> + int tmp_proc_mount(struct lxc_conf *lxc_conf)
>> + {
>> +       int mounted;
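Review bot: the added comment `/* NOTE: not to be called from inside the container namespace! */` states the constraint but not the reason, and nothing in the code enforces it. Say why in the comment (with an empty rootfs the proc mount path below bypasses safe_mount() and trusts the host path, which is only safe while no container code has had a chance to swap that path for a symlink), so a future caller understands what breaks rather than just seeing a warning.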
>> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>> +index 4e96a50..0bc7a20 100644
>> +--- a/src/lxc/utils.c
>> ++++ b/src/lxc/utils.c
>> +@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest,
>> const char *fstype,
>> +  *
>> +  * Returns < 0 on failure, 0 if the correct proc was already mounted
>> +  * and 1 if a new proc was mounted.
>> ++ *
>> ++ * NOTE: not to be called from inside the container namespace!
>> +  */
>> + int mount_proc_if_needed(const char *rootfs)
>> + {
>> +@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
>> +       return 0;
>> +
>> + domount:
>> +-      if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
>> ++      if (!strcmp(rootfs,"")) /* rootfs is NULL */
>> ++              ret = mount("proc", path, "proc", 0, NULL);
>> ++      else
>> ++              ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
>> ++
>> ++      if (ret < 0)
>> +               return -1;
>> ++
>> +       INFO("Mounted /proc in container for security transition");
>> +       return 1;
>> + }
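Review bot: the comment on the new test, `if (!strcmp(rootfs,"")) /* rootfs is NULL */`, contradicts the code: the condition matches an empty string, and an actual NULL rootfs would make strcmp() dereference it. Either fix the comment to say the caller passes "" when no rootfs is configured, or guard both with `if (!rootfs || !*rootfs)`. `ret` is not declared in the visible lines of this hunk; confirm it exists earlier in mount_proc_if_needed(). On the substance, dropping safe_mount() for the no-rootfs case rests entirely on the call-order argument in the commit message (the mount happens in a new set of namespaces before anything in the container runs), which is what the NOTE comments try to pin down; keep the comments and this branch in sync in any later refactor.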
>> +--
>> +1.9.1
>> +
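Review bot: the patch header tag is written `Upstream-status: Accepted` in this file and in the lxc_setup_fs patch file, while the open_without_symlink patch file uses `Upstream-Status: Accepted`. The OpenEmbedded patch guidelines spell the tag `Upstream-Status:`; use that form in all three files so tooling that greps for it sees them consistently.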
>> diff --git
>> a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> new file mode 100644
>> index 0000000..28f9889
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> @@ -0,0 +1,37 @@
>> +From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Fri, 8 Jan 2016 15:38:35 +0000
>> +Subject: [PATCH] open_without_symlink: Account when prefix is empty string
>> +
>> +In the current implementation, the open_without_symlink function
>> +will default to opening the root mount only if the passed rootfs
>> +prefix is null. It doesn't account for the case where this prefix
>> +is passed as an empty string.
>> +
>> +Properly handle this second case as well.
>> +
>> +Upstream-Status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/utils.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>> +index ed8c4c4..4e96a50 100644
>> +--- a/src/lxc/utils.c
>> ++++ b/src/lxc/utils.c
>> +@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target,
>> const char *prefix_skip)
>> +       fulllen = strlen(target);
>> +
>> +       /* make sure prefix-skip makes sense */
>> +-      if (prefix_skip) {
>> ++      if (prefix_skip && strlen(prefix_skip) > 0) {
>> +               curlen = strlen(prefix_skip);
>> +               if (!is_subdir(target, prefix_skip, curlen)) {
>> +                       ERROR("WHOA there - target '%s' didn't start with
>> prefix '%s'",
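Review bot: style point on `if (prefix_skip && strlen(prefix_skip) > 0)`: `if (prefix_skip && *prefix_skip)` says the same without a strlen() that the next line, `curlen = strlen(prefix_skip);`, repeats. More important, after this change an empty prefix takes whichever branch a NULL prefix takes; the hunk only shows the guard, so confirm that the code below initializes curlen for that case as well, since the is_subdir() check that uses it is now skipped for "".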
>> +--
>> +1.9.1
>> +
>> diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/
>> lxc_1.1.4.bb
>> index 4006deb..e017dcf 100644
>> --- a/recipes-containers/lxc/lxc_1.1.4.bb
>> +++ b/recipes-containers/lxc/lxc_1.1.4.bb
>> @@ -34,6 +34,9 @@ SRC_URI = "
>> http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
>>          file://make-some-OpenSSH-tools-optional.patch \
>>          file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
>>          file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
>> +       file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
>> +       file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
>> +       file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
>>          "
>>
>>   SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
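Review bot: the order of the three new file:// entries matters because patches are applied in SRC_URI order: open_without_symlink changes utils.c from index ed8c4c4 to 4e96a50, and mount_proc_if_needed expects 4e96a50 and produces 0bc7a20, so the listed order is the only one that applies cleanly. Keep it, and mention the dependency in a recipe comment or the commit message so a later reorder does not break the build.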
>> --
>> 1.9.1
>>
>> --
>> _______________________________________________
>> meta-virtualization mailing list
>> meta-virtualization@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/meta-virtualization
>>
>
>
>
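The safe_mount()/open_without_symlink() guard that the second and third patches above adjust is easier to see in working code. What follows is an added example written for this page, not LXC's own implementation: it walks a mount destination one component at a time with O_NOFOLLOW and refuses as soon as a component is a symlink (the CVE-2015-1335 class of attack the commit message refers to), treats an empty rootfs prefix the same as a NULL one (the case the open_without_symlink patch fixes), and shows the /proc/self/fd/N path a mount() call would then target. The function names open_nofollow_path(), nofollow_mount_target() and demo_symlink_swap() are my own, and the directory tree the demo builds under /tmp is constructed for the example.

```c
/* Added example, not LXC code: a symlink-free walk to a mount destination,
 * in the spirit of open_without_symlink()/safe_mount().  Names here
 * (open_nofollow_path, nofollow_mount_target, demo_symlink_swap) are
 * assumed for the example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `target` without following any symlink on the way.  `prefix_skip`
 * is a trusted rootfs prefix opened in one step; NULL or "" means "walk
 * from /", the case lxc-execute without a rootfs hits.  Every later
 * component is opened with openat(O_NOFOLLOW), so a symlink planted at any
 * level fails the walk with ELOOP instead of redirecting it.  Returns an
 * fd for the final component, or -1 with errno set. */
int open_nofollow_path(const char *target, const char *prefix_skip)
{
    int dirfd, nextfd, saved;
    char *copy, *comp, *save;

    if (prefix_skip && *prefix_skip) {
        size_t plen = strlen(prefix_skip);
        /* Same sanity check as the patch's is_subdir(): target must lie
         * under the prefix, on a component boundary. */
        if (strncmp(target, prefix_skip, plen) != 0 ||
            (target[plen] != '/' && target[plen] != '\0')) {
            errno = EINVAL;
            return -1;
        }
        dirfd = open(prefix_skip, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        target += plen;
    } else {
        dirfd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    }
    if (dirfd < 0)
        return -1;

    copy = strdup(target);
    if (!copy) {
        close(dirfd);
        return -1;
    }
    for (comp = strtok_r(copy, "/", &save); comp;
         comp = strtok_r(NULL, "/", &save)) {
        /* O_RDONLY, not O_PATH: with O_PATH, O_NOFOLLOW would hand back an
         * fd to the symlink itself instead of failing. */
        nextfd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        saved = errno;
        close(dirfd);
        if (nextfd < 0) {
            free(copy);
            errno = saved;
            return -1;
        }
        dirfd = nextfd;
    }
    free(copy);
    return dirfd;
}

/* Build the "/proc/self/fd/N" string a mount() would use as destination:
 * the fd pins the inode found by the walk above, so a symlink swapped in
 * afterwards cannot redirect the mount.  mount() needs CAP_SYS_ADMIN and
 * is left to the caller.  Returns 0, or -1 if buf is too small. */
int nofollow_mount_target(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Constructed scenario: a throwaway "rootfs" under /tmp holding a real
 * proc mount point and an attacker-planted symlink to the host root.
 * Returns 0 when the honest path opens (with a real prefix and with an
 * empty one) and the symlinked path is refused with ELOOP. */
int demo_symlink_swap(void)
{
    char root[] = "/tmp/nofollow-demo-XXXXXX";
    char real[PATH_MAX], link[PATH_MAX], tgt[64];
    int fd, rc = -1;

    if (!mkdtemp(root))
        return -1;
    snprintf(real, sizeof real, "%s/proc", root);
    snprintf(link, sizeof link, "%s/evil", root);
    if (mkdir(real, 0755) || symlink("/", link))
        goto out;

    /* Honest destination, walked below a rootfs prefix. */
    fd = open_nofollow_path(real, root);
    if (fd < 0)
        goto out;
    if (nofollow_mount_target(fd, tgt, sizeof tgt) < 0) {
        close(fd);
        goto out;
    }
    close(fd);

    /* Same path with an empty prefix: must behave like NULL, not fail. */
    fd = open_nofollow_path(real, "");
    if (fd < 0)
        goto out;
    close(fd);

    /* Planted symlink: the walk must refuse rather than land on "/". */
    fd = open_nofollow_path(link, root);
    if (fd >= 0) {
        close(fd);
        goto out;
    }
    if (errno == ELOOP)
        rc = 0;
out:
    unlink(link);
    rmdir(real);
    rmdir(root);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_swap();
    printf("symlink-swap check: %s\n", rc == 0 ? "refused as expected" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

mount() itself needs CAP_SYS_ADMIN, so the example stops at producing the destination string; run as an unprivileged user it still exercises the symlink refusal. The reason to mount on /proc/self/fd/N rather than on the original path is that the fd pins the inode located by the symlink-free walk, which closes the window between the check and the mount that a plain path-based mount() leaves open.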

Thread overview: 4+ messages
2016-02-29 15:27 [PATCH] lxc: upstream fixes for lxc-execute Bogdan Purcareata
2016-03-07 16:33 ` Bruce Ashfield
2016-03-08 11:03   ` Bogdan Purcareata [this message]
2016-03-09  5:12     ` Bruce Ashfield
