* [PATCH] lxc: upstream fixes for lxc-execute
@ 2016-02-29 15:27 Bogdan Purcareata
  2016-03-07 16:33 ` Bruce Ashfield
  0 siblings, 1 reply; 4+ messages in thread
From: Bogdan Purcareata @ 2016-02-29 15:27 UTC (permalink / raw)
  To: meta-virtualization

These patches address some warnings that LXC throws when running
an application container. They are currently applied in the official
repository.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
---
 ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
 ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69 ++++++++++++++++++++++
 ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
 recipes-containers/lxc/lxc_1.1.4.bb                |  3 +
 4 files changed, 148 insertions(+)
 create mode 100644 recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
 create mode 100644 recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
 create mode 100644 recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch

diff --git a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
new file mode 100644
index 0000000..751a7ac
--- /dev/null
+++ b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
@@ -0,0 +1,39 @@
+From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Fri, 8 Jan 2016 15:38:44 +0000
+Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
+
+When running application containers with lxc-execute, /dev is
+populated only with device entries. Since /dev is a tmpfs mount in
+the container environment, the /dev/shm folder not being present is not
+a sufficient reason for the /dev/shm mount to fail.
+
+Create the /dev/shm directory if not present.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/initutils.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
+index 45df60f..8d9016c 100644
+--- a/src/lxc/initutils.c
++++ b/src/lxc/initutils.c
+@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
+ 	if (mount_fs("proc", "/proc", "proc"))
+ 		INFO("failed to remount proc");
+ 
++	/* if /dev has been populated by us, /dev/shm does not exist */
++	if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
++		INFO("failed to create /dev/shm");
++
+ 	/* if we can't mount /dev/shm, continue anyway */
+ 	if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
+ 		INFO("failed to mount /dev/shm");
+-- 
+1.9.1
+
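Review bot: in the initutils.c hunk, `mkdir("/dev/shm", 0777)` creates the directory without the sticky bit and with the process umask applied, and the code deliberately carries on if the following `mount_fs("shmfs", "/dev/shm", "tmpfs")` fails ("continue anyway"). In that fallback the container is left with a plain world-writable, non-sticky /dev/shm on the tmpfs-backed /dev, so any process in the container can unlink or rename another user's shared-memory objects. Create it as `mkdir("/dev/shm", 01777)` (and chmod it afterwards if umask must not interfere) so the directory that remains when the mount fails has the same sticky semantics a mounted shm normally has. The `access("/dev/shm", F_OK) && mkdir(...)` form is fine: a failed mkdir only produces the INFO and the mount attempt still runs.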
diff --git a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
new file mode 100644
index 0000000..c3afd85
--- /dev/null
+++ b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
@@ -0,0 +1,69 @@
+From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Wed, 20 Jan 2016 10:53:57 +0000
+Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
+
+The safe_mount function was introduced in order to address CVE-2015-1335,
+one of the vulnerabilities being a mount with a symlink for the
+destination path. In scenarios such as lxc-execute with no rootfs, the
+destination path is the host /proc, which is previously mounted by the
+host, and is unmounted and mounted again in a new set of namespaces,
+therefore eliminating the need to check for it being a symlink.
+
+Mount the rootfs normally if the rootfs is NULL, keep the safe mount
+only for scenarios where a different rootfs is defined.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/conf.c  |  1 +
+ src/lxc/utils.c | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 632dde3..1e30c0c 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
+ 	return 0;
+ }
+ 
++/* NOTE: not to be called from inside the container namespace! */
+ int tmp_proc_mount(struct lxc_conf *lxc_conf)
+ {
+ 	int mounted;
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 4e96a50..0bc7a20 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
+  *
+  * Returns < 0 on failure, 0 if the correct proc was already mounted
+  * and 1 if a new proc was mounted.
++ *
++ * NOTE: not to be called from inside the container namespace!
+  */
+ int mount_proc_if_needed(const char *rootfs)
+ {
+@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
+ 	return 0;
+ 
+ domount:
+-	if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
++	if (!strcmp(rootfs,"")) /* rootfs is NULL */
++		ret = mount("proc", path, "proc", 0, NULL);
++	else
++		ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
++
++	if (ret < 0)
+ 		return -1;
++
+ 	INFO("Mounted /proc in container for security transition");
+ 	return 1;
+ }
+-- 
+1.9.1
+
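Review bot: in the utils.c domount hunk the comment `/* rootfs is NULL */` contradicts the test `if (!strcmp(rootfs,""))`: strcmp dereferences rootfs, so an actual NULL crashes before the comparison, while the commit message says the plain-mount path is for a NULL rootfs. Test both forms, e.g. `if (!rootfs || !*rootfs)`, and reword the comment to state the real justification from the commit message (no rootfs means `path` is the host /proc, remounted inside the new mount namespace), because this branch is deliberately bypassing the symlink check that safe_mount was added for after CVE-2015-1335 and the condition that makes the bypass safe belongs next to it. `ret` is assigned here but not declared in the hunk; that only works if the function already declares it, which this hunk does not show. The `NOTE: not to be called from inside the container namespace!` comments added to tmp_proc_mount and mount_proc_if_needed document the precondition but nothing enforces it; the callers are what keep the bypass safe.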
diff --git a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
new file mode 100644
index 0000000..28f9889
--- /dev/null
+++ b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
@@ -0,0 +1,37 @@
+From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Fri, 8 Jan 2016 15:38:35 +0000
+Subject: [PATCH] open_without_symlink: Account when prefix is empty string
+
+In the current implementation, the open_without_symlink function
+will default to opening the root mount only if the passed rootfs
+prefix is null. It doesn't account for the case where this prefix
+is passed as an empty string.
+
+Properly handle this second case as well.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index ed8c4c4..4e96a50 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target, const char *prefix_skip)
+ 	fulllen = strlen(target);
+ 
+ 	/* make sure prefix-skip makes sense */
+-	if (prefix_skip) {
++	if (prefix_skip && strlen(prefix_skip) > 0) {
+ 		curlen = strlen(prefix_skip);
+ 		if (!is_subdir(target, prefix_skip, curlen)) {
+ 			ERROR("WHOA there - target '%s' didn't start with prefix '%s'",
+-- 
+1.9.1
+
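Review bot: the utils.c hunk makes an empty `prefix_skip` behave like a NULL one, so with rootfs "" the function no longer hits the `is_subdir` ERROR and instead resolves the target from the root mount; the commit message should say explicitly that this is the stricter direction (no prefix skipped, so every component of the target gets the no-symlink treatment), since it is a change to a CVE-2015-1335 code path. `strlen(prefix_skip) > 0` can be written as `*prefix_skip`, but the check is correct as written.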
diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/lxc_1.1.4.bb
index 4006deb..e017dcf 100644
--- a/recipes-containers/lxc/lxc_1.1.4.bb
+++ b/recipes-containers/lxc/lxc_1.1.4.bb
@@ -34,6 +34,9 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
 	file://make-some-OpenSSH-tools-optional.patch \
 	file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
 	file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
+	file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
+	file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
+	file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
 	"
 
 SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
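Review bot: the order of the three new `file://` entries is load-bearing and is right: open_without_symlink is listed first because the mount_proc_if_needed patch's utils.c header (`index 4e96a50..0bc7a20`) is based on the blob that the open_without_symlink patch produces (`index ed8c4c4..4e96a50`); a short comment in the recipe, or numbered patch filenames, would keep a later reorder from breaking do_patch. Two of the three patch files use `Upstream-status:` while the third uses `Upstream-Status:`; settle on `Upstream-Status:` before merging so all three match the convention the layer expects.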
-- 
1.9.1




* Re: [PATCH] lxc: upstream fixes for lxc-execute
  2016-02-29 15:27 [PATCH] lxc: upstream fixes for lxc-execute Bogdan Purcareata
@ 2016-03-07 16:33 ` Bruce Ashfield
  2016-03-08 11:03   ` Bogdan Purcareata
  0 siblings, 1 reply; 4+ messages in thread
From: Bruce Ashfield @ 2016-03-07 16:33 UTC (permalink / raw)
  To: Bogdan Purcareata; +Cc: meta-virtualization@yoctoproject.org


merged to master.

Bruce

On Mon, Feb 29, 2016 at 10:27 AM, Bogdan Purcareata <
bogdan.purcareata@nxp.com> wrote:

> These patches address some warnings that LXC throws when running
> an application container. They are currently applied in the official
> repository.
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> ---
>  ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
>  ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69
> ++++++++++++++++++++++
>  ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
>  recipes-containers/lxc/lxc_1.1.4.bb                |  3 +
>  4 files changed, 148 insertions(+)
>  create mode 100644
> recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>  create mode 100644
> recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>  create mode 100644
> recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>
> diff --git
> a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> new file mode 100644
> index 0000000..751a7ac
> --- /dev/null
> +++
> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> @@ -0,0 +1,39 @@
> +From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Date: Fri, 8 Jan 2016 15:38:44 +0000
> +Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
> +
> +When running application containers with lxc-execute, /dev is
> +populated only with device entries. Since /dev is a tmpfs mount in
> +the container environment, the /dev/shm folder not being present is not
> +a sufficient reason for the /dev/shm mount to fail.
> +
> +Create the /dev/shm directory if not present.
> +
> +Upstream-status: Accepted
> +[
> https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46
> ]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> +---
> + src/lxc/initutils.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
> +index 45df60f..8d9016c 100644
> +--- a/src/lxc/initutils.c
> ++++ b/src/lxc/initutils.c
> +@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
> +       if (mount_fs("proc", "/proc", "proc"))
> +               INFO("failed to remount proc");
> +
> ++      /* if /dev has been populated by us, /dev/shm does not exist */
> ++      if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
> ++              INFO("failed to create /dev/shm");
> ++
> +       /* if we can't mount /dev/shm, continue anyway */
> +       if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
> +               INFO("failed to mount /dev/shm");
> +--
> +1.9.1
> +
> diff --git
> a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> new file mode 100644
> index 0000000..c3afd85
> --- /dev/null
> +++
> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> @@ -0,0 +1,69 @@
> +From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Date: Wed, 20 Jan 2016 10:53:57 +0000
> +Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is
> defined
> +
> +The safe_mount function was introduced in order to address CVE-2015-1335,
> +one of the vulnerabilities being a mount with a symlink for the
> +destination path. In scenarios such as lxc-execute with no rootfs, the
> +destination path is the host /proc, which is previously mounted by the
> +host, and is unmounted and mounted again in a new set of namespaces,
> +therefore eliminating the need to check for it being a symlink.
> +
> +Mount the rootfs normally if the rootfs is NULL, keep the safe mount
> +only for scenarios where a different rootfs is defined.
> +
> +Upstream-status: Accepted
> +[
> https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab
> ]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> +---
> + src/lxc/conf.c  |  1 +
> + src/lxc/utils.c | 10 +++++++++-
> + 2 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> +index 632dde3..1e30c0c 100644
> +--- a/src/lxc/conf.c
> ++++ b/src/lxc/conf.c
> +@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
> +       return 0;
> + }
> +
> ++/* NOTE: not to be called from inside the container namespace! */
> + int tmp_proc_mount(struct lxc_conf *lxc_conf)
> + {
> +       int mounted;
> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> +index 4e96a50..0bc7a20 100644
> +--- a/src/lxc/utils.c
> ++++ b/src/lxc/utils.c
> +@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest,
> const char *fstype,
> +  *
> +  * Returns < 0 on failure, 0 if the correct proc was already mounted
> +  * and 1 if a new proc was mounted.
> ++ *
> ++ * NOTE: not to be called from inside the container namespace!
> +  */
> + int mount_proc_if_needed(const char *rootfs)
> + {
> +@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
> +       return 0;
> +
> + domount:
> +-      if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
> ++      if (!strcmp(rootfs,"")) /* rootfs is NULL */
> ++              ret = mount("proc", path, "proc", 0, NULL);
> ++      else
> ++              ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
> ++
> ++      if (ret < 0)
> +               return -1;
> ++
> +       INFO("Mounted /proc in container for security transition");
> +       return 1;
> + }
> +--
> +1.9.1
> +
> diff --git
> a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> new file mode 100644
> index 0000000..28f9889
> --- /dev/null
> +++
> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> @@ -0,0 +1,37 @@
> +From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Date: Fri, 8 Jan 2016 15:38:35 +0000
> +Subject: [PATCH] open_without_symlink: Account when prefix is empty string
> +
> +In the current implementation, the open_without_symlink function
> +will default to opening the root mount only if the passed rootfs
> +prefix is null. It doesn't account for the case where this prefix
> +is passed as an empty string.
> +
> +Properly handle this second case as well.
> +
> +Upstream-Status: Accepted
> +[
> https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639
> ]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> +---
> + src/lxc/utils.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> +index ed8c4c4..4e96a50 100644
> +--- a/src/lxc/utils.c
> ++++ b/src/lxc/utils.c
> +@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target,
> const char *prefix_skip)
> +       fulllen = strlen(target);
> +
> +       /* make sure prefix-skip makes sense */
> +-      if (prefix_skip) {
> ++      if (prefix_skip && strlen(prefix_skip) > 0) {
> +               curlen = strlen(prefix_skip);
> +               if (!is_subdir(target, prefix_skip, curlen)) {
> +                       ERROR("WHOA there - target '%s' didn't start with
> prefix '%s'",
> +--
> +1.9.1
> +
> diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/
> lxc_1.1.4.bb
> index 4006deb..e017dcf 100644
> --- a/recipes-containers/lxc/lxc_1.1.4.bb
> +++ b/recipes-containers/lxc/lxc_1.1.4.bb
> @@ -34,6 +34,9 @@ SRC_URI = "
> http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
>         file://make-some-OpenSSH-tools-optional.patch \
>         file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
>         file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
> +       file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
> +       file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
> +       file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
>         "
>
>  SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
> --
> 1.9.1
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
>



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end"



* Re: [PATCH] lxc: upstream fixes for lxc-execute
  2016-03-07 16:33 ` Bruce Ashfield
@ 2016-03-08 11:03   ` Bogdan Purcareata
  2016-03-09  5:12     ` Bruce Ashfield
  0 siblings, 1 reply; 4+ messages in thread
From: Bogdan Purcareata @ 2016-03-08 11:03 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization@yoctoproject.org

Thank you!

Could you kindly cherry-pick this commit on the jethro branch as well? Sorry I 
failed to mention this in the initial patch.

Thank you!
Bogdan P.

On 07.03.2016 18:33, Bruce Ashfield wrote:
> merged to master.
>
> Bruce
>
> On Mon, Feb 29, 2016 at 10:27 AM, Bogdan Purcareata <
> bogdan.purcareata@nxp.com> wrote:
>
>> These patches address some warnings that LXC throws when running
>> an application container. They are currently applied in the official
>> repository.
>>
>> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> ---
>>   ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
>>   ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69
>> ++++++++++++++++++++++
>>   ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
>>   recipes-containers/lxc/lxc_1.1.4.bb                |  3 +
>>   4 files changed, 148 insertions(+)
>>   create mode 100644
>> recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>>   create mode 100644
>> recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>>   create mode 100644
>> recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>>
>> diff --git
>> a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> new file mode 100644
>> index 0000000..751a7ac
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
>> @@ -0,0 +1,39 @@
>> +From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Fri, 8 Jan 2016 15:38:44 +0000
>> +Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
>> +
>> +When running application containers with lxc-execute, /dev is
>> +populated only with device entries. Since /dev is a tmpfs mount in
>> +the container environment, the /dev/shm folder not being present is not
>> +a sufficient reason for the /dev/shm mount to fail.
>> +
>> +Create the /dev/shm directory if not present.
>> +
>> +Upstream-status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/initutils.c | 4 ++++
>> + 1 file changed, 4 insertions(+)
>> +
>> +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
>> +index 45df60f..8d9016c 100644
>> +--- a/src/lxc/initutils.c
>> ++++ b/src/lxc/initutils.c
>> +@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
>> +       if (mount_fs("proc", "/proc", "proc"))
>> +               INFO("failed to remount proc");
>> +
>> ++      /* if /dev has been populated by us, /dev/shm does not exist */
>> ++      if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
>> ++              INFO("failed to create /dev/shm");
>> ++
>> +       /* if we can't mount /dev/shm, continue anyway */
>> +       if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
>> +               INFO("failed to mount /dev/shm");
>> +--
>> +1.9.1
>> +
>> diff --git
>> a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> new file mode 100644
>> index 0000000..c3afd85
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
>> @@ -0,0 +1,69 @@
>> +From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Wed, 20 Jan 2016 10:53:57 +0000
>> +Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is
>> defined
>> +
>> +The safe_mount function was introduced in order to address CVE-2015-1335,
>> +one of the vulnerabilities being a mount with a symlink for the
>> +destination path. In scenarios such as lxc-execute with no rootfs, the
>> +destination path is the host /proc, which is previously mounted by the
>> +host, and is unmounted and mounted again in a new set of namespaces,
>> +therefore eliminating the need to check for it being a symlink.
>> +
>> +Mount the rootfs normally if the rootfs is NULL, keep the safe mount
>> +only for scenarios where a different rootfs is defined.
>> +
>> +Upstream-status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/conf.c  |  1 +
>> + src/lxc/utils.c | 10 +++++++++-
>> + 2 files changed, 10 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c
>> +index 632dde3..1e30c0c 100644
>> +--- a/src/lxc/conf.c
>> ++++ b/src/lxc/conf.c
>> +@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
>> +       return 0;
>> + }
>> +
>> ++/* NOTE: not to be called from inside the container namespace! */
>> + int tmp_proc_mount(struct lxc_conf *lxc_conf)
>> + {
>> +       int mounted;
>> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>> +index 4e96a50..0bc7a20 100644
>> +--- a/src/lxc/utils.c
>> ++++ b/src/lxc/utils.c
>> +@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest,
>> const char *fstype,
>> +  *
>> +  * Returns < 0 on failure, 0 if the correct proc was already mounted
>> +  * and 1 if a new proc was mounted.
>> ++ *
>> ++ * NOTE: not to be called from inside the container namespace!
>> +  */
>> + int mount_proc_if_needed(const char *rootfs)
>> + {
>> +@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
>> +       return 0;
>> +
>> + domount:
>> +-      if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
>> ++      if (!strcmp(rootfs,"")) /* rootfs is NULL */
>> ++              ret = mount("proc", path, "proc", 0, NULL);
>> ++      else
>> ++              ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
>> ++
>> ++      if (ret < 0)
>> +               return -1;
>> ++
>> +       INFO("Mounted /proc in container for security transition");
>> +       return 1;
>> + }
>> +--
>> +1.9.1
>> +
>> diff --git
>> a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> new file mode 100644
>> index 0000000..28f9889
>> --- /dev/null
>> +++
>> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
>> @@ -0,0 +1,37 @@
>> +From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
>> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Date: Fri, 8 Jan 2016 15:38:35 +0000
>> +Subject: [PATCH] open_without_symlink: Account when prefix is empty string
>> +
>> +In the current implementation, the open_without_symlink function
>> +will default to opening the root mount only if the passed rootfs
>> +prefix is null. It doesn't account for the case where this prefix
>> +is passed as an empty string.
>> +
>> +Properly handle this second case as well.
>> +
>> +Upstream-Status: Accepted
>> +[
>> https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639
>> ]
>> +
>> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
>> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
>> +---
>> + src/lxc/utils.c | 2 +-
>> + 1 file changed, 1 insertion(+), 1 deletion(-)
>> +
>> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
>> +index ed8c4c4..4e96a50 100644
>> +--- a/src/lxc/utils.c
>> ++++ b/src/lxc/utils.c
>> +@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target,
>> const char *prefix_skip)
>> +       fulllen = strlen(target);
>> +
>> +       /* make sure prefix-skip makes sense */
>> +-      if (prefix_skip) {
>> ++      if (prefix_skip && strlen(prefix_skip) > 0) {
>> +               curlen = strlen(prefix_skip);
>> +               if (!is_subdir(target, prefix_skip, curlen)) {
>> +                       ERROR("WHOA there - target '%s' didn't start with
>> prefix '%s'",
>> +--
>> +1.9.1
>> +
>> diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/
>> lxc_1.1.4.bb
>> index 4006deb..e017dcf 100644
>> --- a/recipes-containers/lxc/lxc_1.1.4.bb
>> +++ b/recipes-containers/lxc/lxc_1.1.4.bb
>> @@ -34,6 +34,9 @@ SRC_URI = "
>> http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
>>          file://make-some-OpenSSH-tools-optional.patch \
>>          file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
>>          file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
>> +       file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
>> +       file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
>> +       file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
>>          "
>>
>>   SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
>> --
>> 1.9.1
>>
>> --
>> _______________________________________________
>> meta-virtualization mailing list
>> meta-virtualization@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/meta-virtualization
>>
>
>
>


* Re: [PATCH] lxc: upstream fixes for lxc-execute
  2016-03-08 11:03   ` Bogdan Purcareata
@ 2016-03-09  5:12     ` Bruce Ashfield
  0 siblings, 0 replies; 4+ messages in thread
From: Bruce Ashfield @ 2016-03-09  5:12 UTC (permalink / raw)
  To: Bogdan Purcareata; +Cc: meta-virtualization@yoctoproject.org


On Tue, Mar 8, 2016 at 6:03 AM, Bogdan Purcareata <bogdan.purcareata@nxp.com
> wrote:

> Thank you!
>
> Could you kindly cherry-pick this commit on the jethro branch as well?
> Sorry I
> failed to mention this in the initial patch.
>

Cherry picked to jethro.

Bruce


>
> Thank you!
> Bogdan P.
>
> On 07.03.2016 18:33, Bruce Ashfield wrote:
> > merged to master.
> >
> > Bruce
> >
> > On Mon, Feb 29, 2016 at 10:27 AM, Bogdan Purcareata <
> > bogdan.purcareata@nxp.com> wrote:
> >
> >> These patches address some warnings that LXC throws when running
> >> an application container. They are currently applied in the official
> >> repository.
> >>
> >> Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> ---
> >>   ...s-Create-dev-shm-folder-if-it-doesn-t-exi.patch | 39 ++++++++++++
> >>   ...if_needed-only-safe-mount-when-rootfs-is-.patch | 69
> >> ++++++++++++++++++++++
> >>   ...t_symlink-Account-when-prefix-is-empty-st.patch | 37 ++++++++++++
> >>   recipes-containers/lxc/lxc_1.1.4.bb                |  3 +
> >>   4 files changed, 148 insertions(+)
> >>   create mode 100644
> >>
> recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> >>   create mode 100644
> >>
> recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> >>   create mode 100644
> >>
> recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> >>
> >> diff --git
> >>
> a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> >>
> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> >> new file mode 100644
> >> index 0000000..751a7ac
> >> --- /dev/null
> >> +++
> >>
> b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
> >> @@ -0,0 +1,39 @@
> >> +From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
> >> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Date: Fri, 8 Jan 2016 15:38:44 +0000
> >> +Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't
> exist
> >> +
> >> +When running application containers with lxc-execute, /dev is
> >> +populated only with device entries. Since /dev is a tmpfs mount in
> >> +the container environment, the /dev/shm folder not being present is not
> >> +a sufficient reason for the /dev/shm mount to fail.
> >> +
> >> +Create the /dev/shm directory if not present.
> >> +
> >> +Upstream-status: Accepted
> >> +[
> >>
> https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46
> >> ]
> >> +
> >> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> >> +---
> >> + src/lxc/initutils.c | 4 ++++
> >> + 1 file changed, 4 insertions(+)
> >> +
> >> +diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
> >> +index 45df60f..8d9016c 100644
> >> +--- a/src/lxc/initutils.c
> >> ++++ b/src/lxc/initutils.c
> >> +@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
> >> +       if (mount_fs("proc", "/proc", "proc"))
> >> +               INFO("failed to remount proc");
> >> +
> >> ++      /* if /dev has been populated by us, /dev/shm does not exist */
> >> ++      if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
> >> ++              INFO("failed to create /dev/shm");
> >> ++
> >> +       /* if we can't mount /dev/shm, continue anyway */
> >> +       if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
> >> +               INFO("failed to mount /dev/shm");
> >> +--
> >> +1.9.1
> >> +
> >> diff --git
> >>
> a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> >>
> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> >> new file mode 100644
> >> index 0000000..c3afd85
> >> --- /dev/null
> >> +++
> >>
> b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
> >> @@ -0,0 +1,69 @@
> >> +From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
> >> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Date: Wed, 20 Jan 2016 10:53:57 +0000
> >> +Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is
> >> defined
> >> +
> >> +The safe_mount function was introduced in order to address
> CVE-2015-1335,
> >> +one of the vulnerabilities being a mount with a symlink for the
> >> +destination path. In scenarios such as lxc-execute with no rootfs, the
> >> +destination path is the host /proc, which is previously mounted by the
> >> +host, and is unmounted and mounted again in a new set of namespaces,
> >> +therefore eliminating the need to check for it being a symlink.
> >> +
> >> +Mount the rootfs normally if the rootfs is NULL, keep the safe mount
> >> +only for scenarios where a different rootfs is defined.
> >> +
> >> +Upstream-status: Accepted
> >> +[
> >>
> https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab
> >> ]
> >> +
> >> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> >> +---
> >> + src/lxc/conf.c  |  1 +
> >> + src/lxc/utils.c | 10 +++++++++-
> >> + 2 files changed, 10 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> >> +index 632dde3..1e30c0c 100644
> >> +--- a/src/lxc/conf.c
> >> ++++ b/src/lxc/conf.c
> >> +@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
> >> +       return 0;
> >> + }
> >> +
> >> ++/* NOTE: not to be called from inside the container namespace! */
> >> + int tmp_proc_mount(struct lxc_conf *lxc_conf)
> >> + {
> >> +       int mounted;
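Review bot: the new comment on tmp_proc_mount() says what not to do but not why, and the reason is security-relevant: the companion change to mount_proc_if_needed() below makes the rootfs-less case call plain mount() instead of safe_mount(), so the symlink check introduced for CVE-2015-1335 is skipped on that path, which is only acceptable while the target is the host's own /proc in a namespace the host just set up. Suggest spelling that out, e.g. "must run in the host mount namespace: with no rootfs the proc mount is not symlink-safe", so a future caller does not move it into the container.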
> >> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> >> +index 4e96a50..0bc7a20 100644
> >> +--- a/src/lxc/utils.c
> >> ++++ b/src/lxc/utils.c
> >> +@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest,
> >> const char *fstype,
> >> +  *
> >> +  * Returns < 0 on failure, 0 if the correct proc was already mounted
> >> +  * and 1 if a new proc was mounted.
> >> ++ *
> >> ++ * NOTE: not to be called from inside the container namespace!
> >> +  */
> >> + int mount_proc_if_needed(const char *rootfs)
> >> + {
> >> +@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
> >> +       return 0;
> >> +
> >> + domount:
> >> +-      if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
> >> ++      if (!strcmp(rootfs,"")) /* rootfs is NULL */
> >> ++              ret = mount("proc", path, "proc", 0, NULL);
> >> ++      else
> >> ++              ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
> >> ++
> >> ++      if (ret < 0)
> >> +               return -1;
> >> ++
> >> +       INFO("Mounted /proc in container for security transition");
> >> +       return 1;
> >> + }
> >> +--
> >> +1.9.1
> >> +
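Review bot: the bypass condition in the `domount:` hunk does not match its own comment or the commit message: `/* rootfs is NULL */` annotates `!strcmp(rootfs,"")`, which only matches an empty string and would dereference a NULL pointer if rootfs really were NULL. `if (!rootfs || !*rootfs)` covers both spellings of "no rootfs" without crashing. Also, `ret` is assigned in the new lines but no declaration is visible in the hunk context; confirm it already exists in mount_proc_if_needed()'s scope, otherwise this does not build. Since this branch deliberately skips safe_mount(), the condition should stay exactly this narrow: anything other than "no rootfs at all" must keep taking the symlink-safe path.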
> >> diff --git
> >>
> a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> >>
> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> >> new file mode 100644
> >> index 0000000..28f9889
> >> --- /dev/null
> >> +++
> >>
> b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
> >> @@ -0,0 +1,37 @@
> >> +From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
> >> +From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Date: Fri, 8 Jan 2016 15:38:35 +0000
> >> +Subject: [PATCH] open_without_symlink: Account when prefix is empty
> string
> >> +
> >> +In the current implementation, the open_without_symlink function
> >> +will default to opening the root mount only if the passed rootfs
> >> +prefix is null. It doesn't account for the case where this prefix
> >> +is passed as an empty string.
> >> +
> >> +Properly handle this second case as well.
> >> +
> >> +Upstream-Status: Accepted
> >> +[
> >>
> https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639
> >> ]
> >> +
> >> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
> >> +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> >> +---
> >> + src/lxc/utils.c | 2 +-
> >> + 1 file changed, 1 insertion(+), 1 deletion(-)
> >> +
> >> +diff --git a/src/lxc/utils.c b/src/lxc/utils.c
> >> +index ed8c4c4..4e96a50 100644
> >> +--- a/src/lxc/utils.c
> >> ++++ b/src/lxc/utils.c
> >> +@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char
> *target,
> >> const char *prefix_skip)
> >> +       fulllen = strlen(target);
> >> +
> >> +       /* make sure prefix-skip makes sense */
> >> +-      if (prefix_skip) {
> >> ++      if (prefix_skip && strlen(prefix_skip) > 0) {
> >> +               curlen = strlen(prefix_skip);
> >> +               if (!is_subdir(target, prefix_skip, curlen)) {
> >> +                       ERROR("WHOA there - target '%s' didn't start
> with
> >> prefix '%s'",
> >> +--
> >> +1.9.1
> >> +
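Review bot: style point on the `@@ -1575,7 +1575,7 @@` hunk: `prefix_skip && strlen(prefix_skip) > 0` works, but `prefix_skip && *prefix_skip` is the idiomatic spelling and avoids walking the string just to test for emptiness. Worth a line in the commit message saying what the empty-prefix case now does (falls through to the same branch as a NULL prefix, i.e. the root mount), since the hunk only shows the condition and not the else branch it redirects to.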
> >> diff --git a/recipes-containers/lxc/lxc_1.1.4.bb
> b/recipes-containers/lxc/
> >> lxc_1.1.4.bb
> >> index 4006deb..e017dcf 100644
> >> --- a/recipes-containers/lxc/lxc_1.1.4.bb
> >> +++ b/recipes-containers/lxc/lxc_1.1.4.bb
> >> @@ -34,6 +34,9 @@ SRC_URI = "
> >> http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
> >>          file://make-some-OpenSSH-tools-optional.patch \
> >>          file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
> >>
> file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
> >> +
>  file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
> >> +
>  file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
> >> +
>  file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
> >>          "
> >>
> >>   SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"
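Review bot: the order of the three new `file://` entries is load-bearing, not cosmetic: the open_without_symlink patch's post-image blob (index ed8c4c4..4e96a50) is the pre-image of the mount_proc_if_needed patch (index 4e96a50..0bc7a20), so the former must be applied first, which the listing does; a one-line comment above the entries noting the dependency would keep a later reordering from breaking do_patch. Since all three carry Upstream-Status: Accepted with the upstream commit ids, they should be dropped on the next LXC version bump rather than carried forward.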
> >> --
> >> 1.9.1
> >>
> >> --
> >> _______________________________________________
> >> meta-virtualization mailing list
> >> meta-virtualization@yoctoproject.org
> >> https://lists.yoctoproject.org/listinfo/meta-virtualization
> >>
> >
> >
> >
>



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end"



Thread overview: 4+ messages
2016-02-29 15:27 [PATCH] lxc: upstream fixes for lxc-execute Bogdan Purcareata
2016-03-07 16:33 ` Bruce Ashfield
2016-03-08 11:03   ` Bogdan Purcareata
2016-03-09  5:12     ` Bruce Ashfield
