4 files changed, 148 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
new file mode 100644
index 00000000..751a7ac6
--- /dev/null
+++ b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
@@ -0,0 +1,39 @@
+From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Fri, 8 Jan 2016 15:38:44 +0000
+Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
+When running application containers with lxc-execute, /dev is
+populated only with device entries. Since /dev is a tmpfs mount in
+the container environment, the /dev/shm folder not being present is not
+a sufficient reason for the /dev/shm mount to fail.
+Create the /dev/shm directory if not present.
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46]
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/initutils.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
+index 45df60f..8d9016c 100644
+--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
+@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
+        if (mount_fs("proc", "/proc", "proc"))
+                INFO("failed to remount proc");
+ 
+       /* if /dev has been populated by us, /dev/shm does not exist */
+       if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
+               INFO("failed to create /dev/shm");
+
+        /* if we can't mount /dev/shm, continue anyway */
+        if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
+                INFO("failed to mount /dev/shm");
+-- 
+1.9.1
diff --git a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
new file mode 100644
index 00000000..c3afd858
--- /dev/null
+++ b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
@@ -0,0 +1,69 @@
+From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Wed, 20 Jan 2016 10:53:57 +0000
+Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
+The safe_mount function was introduced in order to address CVE-2015-1335,
+one of the vulnerabilities being a mount with a symlink for the
+destination path. In scenarios such as lxc-execute with no rootfs, the
+destination path is the host /proc, which is previously mounted by the
+host, and is unmounted and mounted again in a new set of namespaces,
+therefore eliminating the need to check for it being a symlink.
+Mount the rootfs normally if the rootfs is NULL, keep the safe mount
+only for scenarios where a different rootfs is defined.
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab]
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/conf.c  |  1 +
+ src/lxc/utils.c | 10 +++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 632dde3..1e30c0c 100644
+--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
+@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
+        return 0;
+ }
+ 
+/* NOTE: not to be called from inside the container namespace! */
+ int tmp_proc_mount(struct lxc_conf *lxc_conf)
+ {
+        int mounted;
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 4e96a50..0bc7a20 100644
+--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
+@@ -1704,6 +1704,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
+  *
+  * Returns < 0 on failure, 0 if the correct proc was already mounted
+  * and 1 if a new proc was mounted.
+ *
+ * NOTE: not to be called from inside the container namespace!
+  */
+ int mount_proc_if_needed(const char *rootfs)
+ {
+@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
+        return 0;
+ 
+ domount:
+-       if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
+       if (!strcmp(rootfs,"")) /* rootfs is NULL */
+               ret = mount("proc", path, "proc", 0, NULL);
+       else
+               ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
+
+       if (ret < 0)
+                return -1;
+
+        INFO("Mounted /proc in container for security transition");
+        return 1;
+ }
+-- 
+1.9.1
diff --git a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
new file mode 100644
index 00000000..28f9889b
--- /dev/null
+++ b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
@@ -0,0 +1,37 @@
+From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Date: Fri, 8 Jan 2016 15:38:35 +0000
+Subject: [PATCH] open_without_symlink: Account when prefix is empty string
+In the current implementation, the open_without_symlink function
+will default to opening the root mount only if the passed rootfs
+prefix is null. It doesn't account for the case where this prefix
+is passed as an empty string.
+Properly handle this second case as well.
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639]
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ src/lxc/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index ed8c4c4..4e96a50 100644
+--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
+@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char *target, const char *prefix_skip)
+        fulllen = strlen(target);
+ 
+        /* make sure prefix-skip makes sense */
+-       if (prefix_skip) {
+       if (prefix_skip && strlen(prefix_skip) > 0) {
+                curlen = strlen(prefix_skip);
+                if (!is_subdir(target, prefix_skip, curlen)) {
+                        ERROR("WHOA there - target '%s' didn't start with prefix '%s'",
+-- 
+1.9.1
diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/lxc_1.1.4.bb
index 4006debd..e017dcf4 100644
--- a/recipes-containers/lxc/lxc_1.1.4.bb
+++ b/recipes-containers/lxc/lxc_1.1.4.bb
@@ -34,6 +34,9 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
        file://make-some-OpenSSH-tools-optional.patch \
        file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
        file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
+        file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
+        file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
+        file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
        "
 SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"

diff --git a/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch new file mode 100644 index 00000000..751a7ac6 --- /dev/null +++ b/recipes-containers/lxc/files/lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch
@@ -0,0 +1,39 @@
		1	From 81e3c9cf8b2f230d761738da28e9dc69fb90ec46 Mon Sep 17 00:00:00 2001
		2	From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		3	Date: Fri, 8 Jan 2016 15:38:44 +0000
		4	Subject: [PATCH] lxc_setup_fs: Create /dev/shm folder if it doesn't exist
		5
		6	When running application containers with lxc-execute, /dev is
		7	populated only with device entries. Since /dev is a tmpfs mount in
		8	the container environment, the /dev/shm folder not being present is not
		9	a sufficient reason for the /dev/shm mount to fail.
		10
		11	Create the /dev/shm directory if not present.
		12
		13	Upstream-status: Accepted
		14	[https://github.com/lxc/lxc/commit/81e3c9cf8b2f230d761738da28e9dc69fb90ec46]
		15
		16	Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		17	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
		18	---
		19	src/lxc/initutils.c \| 4 ++++
		20	1 file changed, 4 insertions(+)
		21
		22	diff --git a/src/lxc/initutils.c b/src/lxc/initutils.c
		23	index 45df60f..8d9016c 100644
		24	--- a/src/lxc/initutils.c
		25	+++ b/src/lxc/initutils.c
		26	@@ -47,6 +47,10 @@ extern void lxc_setup_fs(void)
		27	if (mount_fs("proc", "/proc", "proc"))
		28	INFO("failed to remount proc");
		29
		30	+ /* if /dev has been populated by us, /dev/shm does not exist */
		31	+ if (access("/dev/shm", F_OK) && mkdir("/dev/shm", 0777))
		32	+ INFO("failed to create /dev/shm");
		33	+
		34	/* if we can't mount /dev/shm, continue anyway */
		35	if (mount_fs("shmfs", "/dev/shm", "tmpfs"))
		36	INFO("failed to mount /dev/shm");
		37	--
		38	1.9.1
		39


diff --git a/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch new file mode 100644 index 00000000..c3afd858 --- /dev/null +++ b/recipes-containers/lxc/files/mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch
@@ -0,0 +1,69 @@
		1	From f267d6668e3a95cb2247accb169cf1bc7f8ffcab Mon Sep 17 00:00:00 2001
		2	From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		3	Date: Wed, 20 Jan 2016 10:53:57 +0000
		4	Subject: [PATCH] mount_proc_if_needed: only safe mount when rootfs is defined
		5
		6	The safe_mount function was introduced in order to address CVE-2015-1335,
		7	one of the vulnerabilities being a mount with a symlink for the
		8	destination path. In scenarios such as lxc-execute with no rootfs, the
		9	destination path is the host /proc, which is previously mounted by the
		10	host, and is unmounted and mounted again in a new set of namespaces,
		11	therefore eliminating the need to check for it being a symlink.
		12
		13	Mount the rootfs normally if the rootfs is NULL, keep the safe mount
		14	only for scenarios where a different rootfs is defined.
		15
		16	Upstream-status: Accepted
		17	[https://github.com/lxc/lxc/commit/f267d6668e3a95cb2247accb169cf1bc7f8ffcab]
		18
		19	Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		20	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
		21	---
		22	src/lxc/conf.c \| 1 +
		23	src/lxc/utils.c \| 10 +++++++++-
		24	2 files changed, 10 insertions(+), 1 deletion(-)
		25
		26	diff --git a/src/lxc/conf.c b/src/lxc/conf.c
		27	index 632dde3..1e30c0c 100644
		28	--- a/src/lxc/conf.c
		29	+++ b/src/lxc/conf.c
		30	@@ -3509,6 +3509,7 @@ int ttys_shift_ids(struct lxc_conf *c)
		31	return 0;
		32	}
		33
		34	+/* NOTE: not to be called from inside the container namespace! */
		35	int tmp_proc_mount(struct lxc_conf *lxc_conf)
		36	{
		37	int mounted;
		38	diff --git a/src/lxc/utils.c b/src/lxc/utils.c
		39	index 4e96a50..0bc7a20 100644
		40	--- a/src/lxc/utils.c
		41	+++ b/src/lxc/utils.c
		42	@@ -1704,6 +1704,8 @@ int safe_mount(const char src, const char dest, const char *fstype,
		43	*
		44	* Returns < 0 on failure, 0 if the correct proc was already mounted
		45	* and 1 if a new proc was mounted.
		46	+ *
		47	+ * NOTE: not to be called from inside the container namespace!
		48	*/
		49	int mount_proc_if_needed(const char *rootfs)
		50	{
		51	@@ -1737,8 +1739,14 @@ int mount_proc_if_needed(const char *rootfs)
		52	return 0;
		53
		54	domount:
		55	- if (safe_mount("proc", path, "proc", 0, NULL, rootfs) < 0)
		56	+ if (!strcmp(rootfs,"")) /* rootfs is NULL */
		57	+ ret = mount("proc", path, "proc", 0, NULL);
		58	+ else
		59	+ ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
		60	+
		61	+ if (ret < 0)
		62	return -1;
		63	+
		64	INFO("Mounted /proc in container for security transition");
		65	return 1;
		66	}
		67	--
		68	1.9.1
		69


diff --git a/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch new file mode 100644 index 00000000..28f9889b --- /dev/null +++ b/recipes-containers/lxc/files/open_without_symlink-Account-when-prefix-is-empty-st.patch
@@ -0,0 +1,37 @@
		1	From 01074e5b34719537cef474c6b81d4f55e6427639 Mon Sep 17 00:00:00 2001
		2	From: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		3	Date: Fri, 8 Jan 2016 15:38:35 +0000
		4	Subject: [PATCH] open_without_symlink: Account when prefix is empty string
		5
		6	In the current implementation, the open_without_symlink function
		7	will default to opening the root mount only if the passed rootfs
		8	prefix is null. It doesn't account for the case where this prefix
		9	is passed as an empty string.
		10
		11	Properly handle this second case as well.
		12
		13	Upstream-Status: Accepted
		14	[https://github.com/lxc/lxc/commit/01074e5b34719537cef474c6b81d4f55e6427639]
		15
		16	Signed-off-by: Bogdan Purcareata <bogdan.purcareata@nxp.com>
		17	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
		18	---
		19	src/lxc/utils.c \| 2 +-
		20	1 file changed, 1 insertion(+), 1 deletion(-)
		21
		22	diff --git a/src/lxc/utils.c b/src/lxc/utils.c
		23	index ed8c4c4..4e96a50 100644
		24	--- a/src/lxc/utils.c
		25	+++ b/src/lxc/utils.c
		26	@@ -1575,7 +1575,7 @@ static int open_without_symlink(const char target, const char prefix_skip)
		27	fulllen = strlen(target);
		28
		29	/* make sure prefix-skip makes sense */
		30	- if (prefix_skip) {
		31	+ if (prefix_skip && strlen(prefix_skip) > 0) {
		32	curlen = strlen(prefix_skip);
		33	if (!is_subdir(target, prefix_skip, curlen)) {
		34	ERROR("WHOA there - target '%s' didn't start with prefix '%s'",
		35	--
		36	1.9.1
		37


diff --git a/recipes-containers/lxc/lxc_1.1.4.bb b/recipes-containers/lxc/lxc_1.1.4.bb index 4006debd..e017dcf4 100644 --- a/recipes-containers/lxc/lxc_1.1.4.bb +++ b/recipes-containers/lxc/lxc_1.1.4.bb
@@ -34,6 +34,9 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
34	file://make-some-OpenSSH-tools-optional.patch \	34	file://make-some-OpenSSH-tools-optional.patch \
35	file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \	35	file://lxc-doc-upgrade-to-use-docbook-3.1-DTD.patch \
36	file://logs-optionally-use-base-filenames-to-report-src-fil.patch \	36	file://logs-optionally-use-base-filenames-to-report-src-fil.patch \
		37	file://open_without_symlink-Account-when-prefix-is-empty-st.patch \
		38	file://lxc_setup_fs-Create-dev-shm-folder-if-it-doesn-t-exi.patch \
		39	file://mount_proc_if_needed-only-safe-mount-when-rootfs-is-.patch \
37	"	40	"
38		41
39	SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"	42	SRC_URI[md5sum] = "d33c4bd9c57755c0e2b0e2acbc3f171d"