authorDiego Elio Pettenò <flameeyes@gentoo.org>2012-04-28 00:17:01 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2012-04-28 00:17:01 +0000
commitb673c36d865ca34c7e30d453a72bb8f5e61bd1a0 (patch)
treed30f87015e145fd98fcd620ae24b5ae79c388912
parentInitial commit (diff)
downloadgentoo-2-b673c36d865ca34c7e30d453a72bb8f5e61bd1a0.tar.gz
gentoo-2-b673c36d865ca34c7e30d453a72bb8f5e61bd1a0.tar.bz2
gentoo-2-b673c36d865ca34c7e30d453a72bb8f5e61bd1a0.zip
Add a patch to fix handling of mount points for block devices; also add some warnings related to grsecurity and LXC.
(Portage version: 2.2.0_alpha101/cvs/Linux x86_64)
-rw-r--r--app-emulation/lxc/ChangeLog10
-rw-r--r--app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch148
-rw-r--r--app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild (renamed from app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild)26
3 files changed, 180 insertions, 4 deletions
diff --git a/app-emulation/lxc/ChangeLog b/app-emulation/lxc/ChangeLog
index 9c49d1e82484..c1eda5d20dcc 100644
--- a/app-emulation/lxc/ChangeLog
+++ b/app-emulation/lxc/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-emulation/lxc
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/ChangeLog,v 1.32 2012/03/27 19:01:25 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/ChangeLog,v 1.33 2012/04/28 00:17:01 flameeyes Exp $
+
+*lxc-0.8.0_rc1-r2 (28 Apr 2012)
+
+ 28 Apr 2012; Diego E. Pettenò <flameeyes@gentoo.org>
+ +files/lxc-0.8.0_rc1-blockmount.patch, +lxc-0.8.0_rc1-r2.ebuild,
+ -lxc-0.8.0_rc1-r1.ebuild:
+ Add a patch to fix handling of mount points for block devices; also add some
+ warnings related to grsecurity and LXC.
27 Mar 2012; Diego E. Pettenò <flameeyes@gentoo.org> -lxc-0.8.0_rc1.ebuild,
lxc-0.7.5-r3.ebuild, lxc-0.8.0_rc1-r1.ebuild:
diff --git a/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch b/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch
new file mode 100644
index 000000000000..f7e6d250ef3d
--- /dev/null
+++ b/app-emulation/lxc/files/lxc-0.8.0_rc1-blockmount.patch
@@ -0,0 +1,148 @@
+From f895fe1ad3aca8fed492df12adcd8710bca8ca32 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@flameeyes.eu>
+Date: Fri, 27 Apr 2012 17:01:33 -0700
+Subject: [PATCH] Workaround requirement to use the realname of the block
+ device.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Instead of checking always the source path, check the source path if
+mounting a directory, and the mount path if mounting a block device or
+file.
+
+Signed-off-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
+---
+ src/lxc/conf.c | 34 +++++++++++++++++++---------------
+ src/lxc/conf.h | 1 +
+ 2 files changed, 20 insertions(+), 15 deletions(-)
+
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index e8088bb..593871a 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -350,9 +350,9 @@ static int mount_unknow_fs(const char *rootfs, const char *target, int mntopt)
+ return -1;
+ }
+
+-static int mount_rootfs_dir(const char *rootfs, const char *target)
++static int mount_rootfs_dir(struct lxc_rootfs *rootfs)
+ {
+- return mount(rootfs, target, "none", MS_BIND | MS_REC, NULL);
++ return mount(rootfs->path, rootfs->mount, "none", MS_BIND | MS_REC, NULL);
+ }
+
+ static int setup_lodev(const char *rootfs, int fd, struct loop_info64 *loinfo)
+@@ -387,7 +387,7 @@ out:
+ return ret;
+ }
+
+-static int mount_rootfs_file(const char *rootfs, const char *target)
++static int mount_rootfs_file(struct lxc_rootfs *rootfs)
+ {
+ struct dirent dirent, *direntp;
+ struct loop_info64 loinfo;
+@@ -433,9 +433,9 @@ static int mount_rootfs_file(const char *rootfs, const char *target)
+
+ DEBUG("found '%s' free lodev", path);
+
+- ret = setup_lodev(rootfs, fd, &loinfo);
++ ret = setup_lodev(rootfs->path, fd, &loinfo);
+ if (!ret)
+- ret = mount_unknow_fs(path, target, 0);
++ ret = mount_unknow_fs(path, rootfs->mount, 0);
+ close(fd);
+
+ break;
+@@ -444,21 +444,23 @@ static int mount_rootfs_file(const char *rootfs, const char *target)
+ if (closedir(dir))
+ WARN("failed to close directory");
+
++ rootfs->isblock = 1;
+ return ret;
+ }
+
+-static int mount_rootfs_block(const char *rootfs, const char *target)
++static int mount_rootfs_block(struct lxc_rootfs *rootfs)
+ {
+- return mount_unknow_fs(rootfs, target, 0);
++ rootfs->isblock = 1;
++ return mount_unknow_fs(rootfs->path, rootfs->mount, 0);
+ }
+
+-static int mount_rootfs(const char *rootfs, const char *target)
++static int mount_rootfs(struct lxc_rootfs *rootfs)
+ {
+ char absrootfs[MAXPATHLEN];
+ struct stat s;
+ int i;
+
+- typedef int (*rootfs_cb)(const char *, const char *);
++ typedef int (*rootfs_cb)(struct lxc_rootfs *rootfs);
+
+ struct rootfs_type {
+ int type;
+@@ -469,8 +471,8 @@ static int mount_rootfs(const char *rootfs, const char *target)
+ { S_IFREG, mount_rootfs_file },
+ };
+
+- if (!realpath(rootfs, absrootfs)) {
+- SYSERROR("failed to get real path for '%s'", rootfs);
++ if (!realpath(rootfs->path, absrootfs)) {
++ SYSERROR("failed to get real path for '%s'", rootfs->path);
+ return -1;
+ }
+
+@@ -489,7 +491,7 @@ static int mount_rootfs(const char *rootfs, const char *target)
+ if (!__S_ISTYPE(s.st_mode, rtfs_type[i].type))
+ continue;
+
+- return rtfs_type[i].cb(absrootfs, target);
++ return rtfs_type[i].cb(rootfs);
+ }
+
+ ERROR("unsupported rootfs type for '%s'", absrootfs);
+@@ -756,7 +758,7 @@ static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir)
+ return 0;
+ }
+
+-static int setup_rootfs(const struct lxc_rootfs *rootfs)
++static int setup_rootfs(struct lxc_rootfs *rootfs)
+ {
+ if (!rootfs->path)
+ return 0;
+@@ -767,7 +769,7 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
+ return -1;
+ }
+
+- if (mount_rootfs(rootfs->path, rootfs->mount)) {
++ if (mount_rootfs(rootfs)) {
+ ERROR("failed to mount rootfs");
+ return -1;
+ }
+@@ -1110,7 +1112,9 @@ static int mount_entry_on_absolute_rootfs(struct mntent *mntent,
+ return -1;
+ }
+
+- aux = strstr(mntent->mnt_dir, rootfs->path);
++ aux = rootfs->isblock ? rootfs->mount : rootfs->path;
++
++ aux = strstr(mntent->mnt_dir, aux);
+ if (!aux) {
+ WARN("ignoring mount point '%s'", mntent->mnt_dir);
+ goto out;
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 09f55cb..b70e637 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -181,6 +181,7 @@ struct lxc_rootfs {
+ char *path;
+ char *mount;
+ char *pivot;
++ int isblock;
+ };
+
+ /*
+--
+1.7.8.6
+
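Review bot: `mount_rootfs_block` sets `rootfs->isblock = 1` before the mount is attempted, and `mount_rootfs_file` sets it after the loop even when no free loop device was found or `mount_unknow_fs` failed, so the new flag records intent rather than outcome. The callers shown abort when the callback returns non-zero, so this is probably harmless today, but `if (!ret) rootfs->isblock = 1;` (with a local `ret` in `mount_rootfs_block` as well) keeps the flag truthful. The new `isblock` member is never initialised anywhere in this patch; unless `struct lxc_rootfs` is zero-allocated by code outside this view, the directory-rootfs case would read an indeterminate value in `mount_entry_on_absolute_rootfs`. Also, `mount_rootfs` still calls `realpath()` but now hands the callbacks the unresolved `rootfs->path`, so the `stat()`-based type detection and the actual `mount()` operate on different spellings of the path; the subject line suggests this is deliberate, so a one-line comment at `return rtfs_type[i].cb(rootfs);` saying why `absrootfs` is no longer passed would help. The embedded patch's own hunks cut through these functions, so their surrounding bodies are not visible here.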
diff --git a/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild b/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild
index 390a5f33572d..36705aeddce3 100644
--- a/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild
+++ b/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/lxc-0.8.0_rc1-r1.ebuild,v 1.2 2012/03/27 19:01:25 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/lxc/lxc-0.8.0_rc1-r2.ebuild,v 1.1 2012/04/28 00:17:01 flameeyes Exp $
EAPI="4"
@@ -23,7 +23,8 @@ RDEPEND="sys-libs/libcap"
DEPEND="${RDEPEND}
app-text/docbook-sgml-utils
- >=sys-kernel/linux-headers-2.6.29"
+ >=sys-kernel/linux-headers-2.6.29
+ virtual/linux-sources"
# For init script, so protect with vanilla, they are not strictly
# needed.
@@ -48,7 +49,14 @@ CONFIG_CHECK="~CGROUPS
~VETH ~MACVLAN
~POSIX_MQUEUE
- ~!NETPRIO_CGROUP"
+ ~!NETPRIO_CGROUP
+
+ ~!GRKERNSEC_CHROOT_MOUNT
+ ~!GRKERNSEC_CHROOT_DOUBLE
+ ~!GRKERNSEC_CHROOT_PIVOT
+ ~!GRKERNSEC_CHROOT_CHMOD
+ ~!GRKERNSEC_CHROOT_CAPS
+"
ERROR_DEVPTS_MULTIPLE_INSTANCES="CONFIG_DEVPTS_MULTIPLE_INSTANCES: needed for pts inside container"
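Review bot: The five `~!GRKERNSEC_CHROOT_*` entries ask the admin to turn off host-wide chroot hardening, but nothing in the check says which container operation each option blocks, while the commit message and the postinst text say only some of them break LXC and others make it more secure. A short comment above the list, e.g. `# grsecurity chroot restrictions that interfere with LXC's rootfs setup (mount/pivot_root/chmod/caps); see pkg_postinst`, would let an admin weigh each option instead of disabling all five; I have not verified the exact effect of each option, so word it to match the grsecurity help text. The leading tilde makes these warnings rather than hard failures, which seems appropriate for hardening options.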
@@ -64,11 +72,18 @@ ERROR_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: needed for lxc-execute command"
ERROR_NETPRIO_CGROUP="CONFIG_NETPRIO_CGROUP: as of kernel 3.3 and lxc 0.8.0_rc1 this causes LXCs to fail booting."
+ERROR_GRKERNSEC_CHROOT_MOUNT=":CONFIG_GRKERNSEC_CHROOT_MOUNT some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_DOUBLE=":CONFIG_GRKERNSEC_CHROOT_DOUBLE some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_PIVOT=":CONFIG_GRKERNSEC_CHROOT_PIVOT some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CHMOD=":CONFIG_GRKERNSEC_CHROOT_CHMOD some GRSEC features make LXC unusable see postinst notes"
+ERROR_GRKERNSEC_CHROOT_CAPS=":CONFIG_GRKERNSEC_CHROOT_CAPS some GRSEC features make LXC unusable see postinst notes"
+
DOCS=(AUTHORS CONTRIBUTING MAINTAINERS TODO README doc/FAQ.txt)
src_prepare() {
if ! use vanilla; then
epatch "${FILESDIR}/${P}-libtoolize.patch"
+ epatch "${FILESDIR}/${P}-blockmount.patch"
eautoreconf
fi
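Review bot: Each new `ERROR_GRKERNSEC_CHROOT_*` string begins with a stray colon (`":CONFIG_GRKERNSEC_CHROOT_MOUNT some GRSEC …"`), so the warning will print `:CONFIG_… some GRSEC features` instead of following the `CONFIG_…: reason` form used by the existing `ERROR_NETPRIO_CGROUP` message just above; move the colon after the option name, e.g. `ERROR_GRKERNSEC_CHROOT_MOUNT="CONFIG_GRKERNSEC_CHROOT_MOUNT: breaks LXC rootfs setup on grsecurity kernels, see postinst notes"`, for all five. The five messages are also word-for-word identical, so the user cannot tell from the warning which option actually breaks LXC versus which merely hardens the host; a per-option phrase would be more useful. The `src_prepare` change applying the new blockmount patch only when USE=vanilla is off is consistent with the existing libtoolize patch handling.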
@@ -124,4 +139,9 @@ pkg_postinst() {
ewarn ""
ewarn "To use the Fedora, Debian and (various) Ubuntu auto-configuration scripts, you"
ewarn "will need sys-apps/yum or dev-util/debootstrap."
+ ewarn ""
+ ewarn "Some GrSecurity settings in relation to chroot security will cause LXC not to"
+ ewarn "work, while others will actually make it much more secure. Please refer to"
+ ewarn "Diego Elio Pettenò's weblog at http://blog.flameeyes.eu/tag/lxc for further"
+ ewarn "details."
}