diff --git a/0141-lxc-decode-some-escape-charactors-of-lxc-config-file.patch b/0141-lxc-decode-some-escape-charactors-of-lxc-config-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6f9340805d79f374723d2cdbb6a63025cd20913
--- /dev/null
+++ b/0141-lxc-decode-some-escape-charactors-of-lxc-config-file.patch
@@ -0,0 +1,97 @@
+From a6fd611c354ba62320661ad4eef4dd822423fcb6 Mon Sep 17 00:00:00 2001
+From: gaohuatao
+Date: Wed, 1 Apr 2020 06:53:27 -0400
+Subject: [PATCH 141/142] lxc: decode some escape charactors of lxc config file
+ string
+
+Signed-off-by: gaohuatao
+---
+ src/lxc/confile.c | 55 +++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 53 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index 3eaae4a9..747ccec7 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -2443,6 +2443,52 @@ struct parse_line_conf {
+ bool from_include;
+ };
+ 
++// escape_string_decode compress some escape characters
++static char *escape_string_decode(const char *src)
++{
++ size_t src_end = 0;
++ size_t dst_end = 0;
++ size_t len = 0;
++ char *dst = NULL;
++
++ if (src == NULL) {
++ return NULL;
++ }
++
++ len = strlen(src);
++ if (len == 0) {
++ return NULL;
++ }
++
++ dst = calloc(1, len + 1);
++ if (dst == NULL) {
++ ERROR("Out of memory");
++ return NULL;
++ }
++
++ while(src_end < len) {
++ if (src[src_end] == '\\') {
++ switch (src[++src_end])
++ {
++ case 'r': dst[dst_end] = '\r'; break;
++ case 'n': dst[dst_end] = '\n'; break;
++ case 'f': dst[dst_end] = '\f'; break;
++ case 'b': dst[dst_end] = '\b'; break;
++ case 't': dst[dst_end] = '\t'; break;
++ case '\\': dst[dst_end] = '\\'; break;
++ // default do not decode
++ default: dst[dst_end++] = '\\'; dst[dst_end] = src[src_end]; break;
++ }
++ } else {
++ dst[dst_end] = src[src_end];
++ }
++ dst_end++;
++ src_end++;
++ }
++
++ return dst;
++}
++
+ static int parse_line(char *buffer, void *data)
+ {
+ char *dot, *key, *line, *linep, *value;
+@@ -2451,6 +2497,7 @@ static int parse_line(char *buffer, void *data)
+ int ret = 0;
+ char *dup = buffer;
+ struct parse_line_conf *plc = data;
++ char *value_decode = NULL;
+ 
+ /* If there are newlines in the config file we should keep them. */
+ empty_line = lxc_is_line_empty(dup);
+@@ -2517,11 +2564,15 @@ static int parse_line(char *buffer, void *data)
+ goto on_error;
+ }
+ 
+- ret = config->set(key, value, plc->conf, NULL);
++ value_decode = escape_string_decode(value);
++ if (value_decode == NULL) {
++ ERROR("Value %s decode failed", value);
++ }
++ ret = config->set(key, value_decode ? value_decode: value, plc->conf, NULL);
+ 
+ on_error:
+ free(linep);
+-
++ free(value_decode);
+ return ret;
+ }
+ 
+--
+2.19.1
+
diff --git a/0142-lxc-fix-non-root-user-cannot-write-dev-stdout.patch b/0142-lxc-fix-non-root-user-cannot-write-dev-stdout.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ce6371bb0591f09dbc9f02f2a6f64995912354c7
--- /dev/null
+++ b/0142-lxc-fix-non-root-user-cannot-write-dev-stdout.patch
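Review bot: escape_string_decode returns NULL for an empty value (the `len == 0` branch), and parse_line treats NULL as a failure, so every empty assignment in a config file now logs `ERROR("Value %s decode failed", value)` although nothing went wrong; dropping that early return is enough, since `calloc(1, len + 1)` already yields `""` and the loop body never runs for `len == 0`. A trailing backslash makes `src[++src_end]` read the terminating NUL, which is in bounds and is copied by the default branch, so the access is safe but deserves a one-line comment saying so. The decoding is applied to the value of every key rather than only string-typed ones, so a `\n` in a path or mount entry now reaches the setter as a literal newline — if that is not intended, limit it to the keys that need it. The header comment should also state ownership, e.g. `/* Returns a newly allocated decoded copy of src; caller frees. NULL when src is NULL or empty, or on OOM. */`.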
@@ -0,0 +1,129 @@
+From 879e8e26506cda1650aed469781dd68d56f289b2 Mon Sep 17 00:00:00 2001
+From: gaohuatao
+Date: Tue, 31 Mar 2020 04:41:58 -0400
+Subject: [PATCH 142/142] lxc: fix non-root user cannot write /dev/stdout
+
+Signed-off-by: gaohuatao
+---
+ src/lxc/attach.c | 2 ++
+ src/lxc/conf.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++
+ src/lxc/conf.h | 1 +
+ src/lxc/start.c | 2 ++
+ src/lxc/utils.c | 1 -
+ 5 files changed, 56 insertions(+), 1 deletion(-)
+
+diff --git a/src/lxc/attach.c b/src/lxc/attach.c
+index 2061b960..b1bbaeba 100644
+--- a/src/lxc/attach.c
++++ b/src/lxc/attach.c
+@@ -1031,6 +1031,8 @@ static int attach_child_main(struct attach_clone_payload *payload)
+ init_ctx->container->lxc_conf->init_groups))
+ goto on_error;
+ 
++ fix_stdio_permissions(new_uid);
++
+ if (!lxc_switch_uid_gid(new_uid, new_gid))
+ goto on_error;
+ 
+diff --git a/src/lxc/conf.c b/src/lxc/conf.c
+index 65b33ea5..b67e138d 100644
+--- a/src/lxc/conf.c
++++ b/src/lxc/conf.c
+@@ -5262,6 +5262,57 @@ int lxc_clear_namespace(struct lxc_conf *c)
+ return 0;
+ }
+ 
++void fix_stdio_permissions(uid_t uid)
++{
++ int std_fds[3] = {STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO};
++ int devnull_fd = -1;
++ int ret = 0;
++ int i = 0;
++ struct stat st;
++ struct stat null_st;
++
++ devnull_fd = open_devnull();
++ if (devnull_fd < 0) {
++ WARN("Using /dev/null from the host for container "
++ "init's standard file descriptors. Migration will "
++ "not work");
++ goto out;
++ }
++
++ ret = fstat(devnull_fd, &null_st);
++ if (ret != 0) {
++ ERROR("Failed to get /dev/null stat");
++ goto out;
++ }
++
++ for (; i < 3; i++) {
++ ret = fstat(std_fds[i], &st);
++ if (ret != 0) {
++ ERROR("Failed to get fd %d stat", std_fds[i]);
++ continue;
++ }
++
++ if (st.st_rdev == null_st.st_rdev) {
++ continue;
++ }
++
++ ret = fchown(std_fds[i], uid, st.st_gid);
++ if (ret != 0) {
++ ERROR("Failed to change fd %d owner", std_fds[i]);
++ }
++
++ ret = fchmod(std_fds[i], 0700);
++ if (ret != 0) {
++ ERROR("Failed to change fd %d mode", std_fds[i]);
++ }
++ }
++
++out:
++ if (devnull_fd >= 0) {
++ close(devnull_fd);
++ }
++}
++
+ int lxc_clear_groups(struct lxc_conf *c)
+ {
+ struct lxc_list *it, *next;
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index e4bfc48f..d67ca31b 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -500,6 +500,7 @@ extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key);
+ extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid);
+ extern int lxc_clear_procs(struct lxc_conf *c, const char *key);
+ extern int lxc_clear_namespace(struct lxc_conf *c);
++extern void fix_stdio_permissions(uid_t uid);
+ 
+ /* isulad add begin */
+ int lxc_clear_init_args(struct lxc_conf *lxc_conf);
+diff --git a/src/lxc/start.c b/src/lxc/start.c
+index 0af2e926..1977ccd2 100644
+--- a/src/lxc/start.c
++++ b/src/lxc/start.c
+@@ -1679,6 +1679,8 @@ static int do_start(void *data)
+ if (lxc_setup_env_home(new_uid) < 0)
+ goto out_warn_father;
+ 
++ fix_stdio_permissions(new_uid);
++
+ /* If we are in a new user namespace we already dropped all groups when
+ * we switched to root in the new user namespace further above. Only
+ * drop groups if we can, so ensure that we have necessary privilege.
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 31bcac71..f2b3a4f9 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -1909,7 +1909,6 @@ set_env:
+ return 0;
+ }
+ 
+-
+ /* isulad: read file to buffer */
+ int lxc_file2str(const char *filename, char ret[], int cap)
+ {
+--
+2.19.1
+
diff --git a/lxc.spec b/lxc.spec
index b7beed37f43ae5facbd302ba267bedb82fcf240a..ff24b5d846cc4594a0bad250349edaf1e7b7f358 100644
--- a/lxc.spec
+++ b/lxc.spec
@@ -1,4 +1,4 @@
-%global _release 2020031002
+%global _release 2020040201
 %global debug_package %{nil}
 
 Name: lxc
@@ -149,6 +149,8 @@ Patch9139: 0137-lxc-fix-bug-in-read-proc.patch
 Patch9140: 0138-resize-implement-resize-function-in-exec-start.patch
 Patch9141: 0139-lxc-fix-get-cgroup-path-by-config-instead-of-cmd.patch
 Patch9142: 0140-lxc-remove-umask-when-populate-devices.patch
+Patch9143: 0141-lxc-decode-some-escape-charactors-of-lxc-config-file.patch
+Patch9144: 0142-lxc-fix-non-root-user-cannot-write-dev-stdout.patch
 
 BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath
 BuildRequires: pkgconfig(libseccomp)
diff --git a/series.conf b/series.conf
index f3901a6f1774d4e5e9fc5d17df8cfd3834b4be45..e2b3891100b5b862851287f951523baaac0bc572 100644
--- a/series.conf
+++ b/series.conf
@@ -138,3 +138,6 @@ lxc-CVE-2019-5736-runC-rexec-callers-as-memfd.patch
 0137-lxc-fix-bug-in-read-proc.patch
 0138-resize-implement-resize-function-in-exec-start.patch
 0139-lxc-fix-get-cgroup-path-by-config-instead-of-cmd.patch
+0140-lxc-remove-umask-when-populate-devices.patch
+0141-lxc-decode-some-escape-charactors-of-lxc-config-file.patch
+0142-lxc-fix-non-root-user-cannot-write-dev-stdout.patch
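Review bot: fix_stdio_permissions chowns and chmods whatever the three standard descriptors refer to, with no check on the file type, so a regular file or pipe that the caller redirected stdout or stderr into is re-owned to the container uid and set to 0700 as a side effect; gate the loop body on the descriptor being a character device, `if (!S_ISCHR(st.st_mode)) continue;` before the `st_rdev` comparison, since `st_rdev` is only meaningful for device nodes anyway. Whether `uid` is a namespace uid or a host uid at the two call sites in attach.c and start.c depends on where they sit relative to the user namespace switch, which the hunks do not show, and a comment at each call site stating the expectation would help. The WARN text reads as if copied from the stdio setup path and its "Migration will not work" clause does not apply here; a plain `WARN("Failed to open /dev/null, not adjusting stdio permissions")` fits better. The function also lacks a header comment; one line stating that it re-owns inherited stdio devices so a non-root init can write to them would suffice.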