diff --git a/0036-support-ima-ns.patch b/0036-support-ima-ns.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f25baf94ae57763267e0aaddf1086526b62b4b6 --- /dev/null +++ b/0036-support-ima-ns.patch @@ -0,0 +1,611 @@ +From 1938540b271e373e6d0a69c2b981469ddc689ee0 Mon Sep 17 00:00:00 2001 +From: y00299017 +Date: Wed, 2 Feb 2022 20:18:52 +0800 +Subject: [PATCH] support ima namespace + +--- + src/lxc/attach.h | 2 +- + src/lxc/attach_options.h | 2 +- + src/lxc/commands.c | 6 +- + src/lxc/commands.h | 2 +- + src/lxc/conf.c | 117 ++++++++++++++++++++++++++++++++++++ + src/lxc/conf.h | 9 ++- + src/lxc/confile.c | 70 ++++++++++++++++++++- + src/lxc/macro.h | 1 + + src/lxc/namespace.c | 9 +-- + src/lxc/namespace.h | 14 ++++- + src/lxc/start.c | 71 +++++++++++++++++++++- + src/lxc/start.h | 4 +- + src/lxc/tools/lxc_attach.c | 2 +- + src/lxc/tools/lxc_unshare.c | 2 +- + 14 files changed, 288 insertions(+), 23 deletions(-) + +diff --git a/src/lxc/attach.h b/src/lxc/attach.h +index 8316344..12a349d 100644 +--- a/src/lxc/attach.h ++++ b/src/lxc/attach.h +@@ -16,7 +16,7 @@ struct lxc_proc_context_info { + struct lxc_container *container; + signed long personality; + unsigned long long capability_mask; +- int ns_inherited; ++ unsigned long ns_inherited; + int ns_fd[LXC_NS_MAX]; + }; + +diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h +index 5767560..b4d903b 100644 +--- a/src/lxc/attach_options.h ++++ b/src/lxc/attach_options.h +@@ -63,7 +63,7 @@ typedef struct lxc_attach_options_t { + int attach_flags; + + /*! The namespaces to attach to (CLONE_NEW... flags) */ +- int namespaces; ++ unsigned long namespaces; + + /*! Initial personality (\c -1 to autodetect). + * \warning This may be ignored if lxc is compiled without personality +diff --git a/src/lxc/commands.c b/src/lxc/commands.c +index b954453..f514b14 100644 +--- a/src/lxc/commands.c ++++ b/src/lxc/commands.c +@@ -463,7 +463,7 @@ static int lxc_cmd_get_init_pidfd_callback(int fd, struct lxc_cmd_req *req, + * + * Returns the clone flags on success, < 0 on failure + */ +-int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath) ++unsigned long lxc_cmd_get_clone_flags(const char *name, const char *lxcpath) + { + int ret, stopped; + struct lxc_cmd_rr cmd = { +@@ -476,7 +476,7 @@ int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath) + if (ret < 0) + return ret; + +- return PTR_TO_INT(cmd.rsp.data); ++ return PTR_TO_UINT64(cmd.rsp.data); + } + + static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, +@@ -485,7 +485,7 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, + { + int ret; + struct lxc_cmd_rsp rsp = { +- .data = INT_TO_PTR(handler->ns_clone_flags), ++ .data = UINT64_TO_PTR(handler->ns_clone_flags), + }; + + ret = lxc_cmd_rsp_send(fd, &rsp); +diff --git a/src/lxc/commands.h b/src/lxc/commands.h +index aa8289d..93a2897 100644 +--- a/src/lxc/commands.h ++++ b/src/lxc/commands.h +@@ -84,7 +84,7 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd, + */ + extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, + const char *subsystem); +-extern int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath); ++extern unsigned long lxc_cmd_get_clone_flags(const char *name, const char *lxcpath); + extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath); + extern char *lxc_cmd_get_name(const char *hashed_sock); + extern char *lxc_cmd_get_lxcpath(const char *hashed_sock); +diff --git a/src/lxc/conf.c b/src/lxc/conf.c +index 7464e4a..03d6210 100644 +--- a/src/lxc/conf.c ++++ b/src/lxc/conf.c +@@ -6622,3 +6622,120 @@ void lxc_close_error_pipe(int *errpipe) + } + } + #endif ++ ++int lxc_write_file(const char * filename, const char* value, size_t len) ++{ ++ int fd = -1; ++ int ret = -1; ++ ++ fd = open(filename, O_WRONLY | O_CLOEXEC); ++ if (fd < 0) { ++ return log_error_errno(-1, errno, "Failed to open \"%s\"", filename); ++ } ++ ++ ret = lxc_write_nointr(fd, value, len); ++ if (ret != len) { ++ close(fd); ++ return log_error_errno(-1, errno, "Failed to write to \"%s\"", filename); ++ } ++ ++ close(fd); ++ return 0; ++ ++} ++ ++int lxc_write_ima_data_to_file(struct lxc_conf *c) ++{ ++ char* x509_file_path = "/sys/kernel/security/ima/x509_for_children"; ++ char* kcmd_path = "/sys/kernel/security/ima/kcmd_for_children"; ++ ++ if (lxc_write_file(x509_file_path, c->ima_x509_path, strlen(c->ima_x509_path)) != 0) { ++ return log_error_errno(-1, errno, "Failed to open \"%s\"", x509_file_path); ++ } ++ ++ if (lxc_write_file(kcmd_path, c->ima_kcmd, strlen(c->ima_kcmd)) != 0) { ++ return log_error_errno(-1, errno, "Failed to open \"%s\"", kcmd_path); ++ } ++ ++ return 0; ++} ++ ++static int lxc_write_digest_lists(const char *digest_list_path, const char *dirname) ++{ ++ DIR *dir = NULL; ++ struct dirent *direntp; ++ char pathname[PATH_MAX]; ++ int rc; ++ ++ if (!dir_exists(dirname)) { ++ return ENOENT; ++ } ++ ++ dir = opendir(dirname); ++ if (!dir) ++ return log_error(-1, "Failed to open \"%s\"", dirname); ++ ++ while ((direntp = readdir(dir))) { ++ if (!strcmp(direntp->d_name, ".") || ++ !strcmp(direntp->d_name, "..")) ++ continue; ++ ++ rc = snprintf(pathname, PATH_MAX, "%s/%s", dirname, direntp->d_name); ++ if (rc < 0 || rc >= PATH_MAX) { ++ ERROR("IMA digest list pathname is too long"); ++ continue; ++ } ++ ++ if (is_dir(pathname)) ++ continue; ++ ++ INFO("Writing digest list \"%s\" to \"%s\"", pathname, digest_list_path); ++ lxc_write_file(digest_list_path, pathname, rc); ++ } ++ closedir(dir); ++ return 0; ++} ++ ++static bool lxc_get_ima_mount_entry(struct lxc_conf *c, struct mntent *mntent, char *buf, int buflen) ++{ ++ FILE *file; ++ ++ file = make_anonymous_mount_file(&c->mount_list, c->lsm_aa_allow_nesting); ++ if (!file) ++ return false; ++ ++ while (getmntent_r(file, mntent, buf, buflen)) { ++ if (!strcmp(mntent->mnt_fsname, "/sys/kernel/security/ima")) { ++ fclose(file); ++ return true; ++ } ++ } ++ fclose(file); ++ return false; ++} ++ ++int lxc_write_ima_digest_lists(struct lxc_conf *c, char *dl_fname) ++{ ++ int rc; ++ char buf[4096]; ++ struct mntent mntent; ++ char digest_list_path[PATH_MAX]; ++ ++ if (lxc_get_ima_mount_entry(c, &mntent, buf, sizeof(buf))) { ++ rc = snprintf(digest_list_path, PATH_MAX, "/%s/%s", mntent.mnt_dir, dl_fname); ++ if (rc < 0 || rc > PATH_MAX) { ++ return log_error_errno(-1, errno, "IMA mount point path too long"); ++ } ++ return lxc_write_digest_lists(digest_list_path, "/etc/ima/digest_lists"); ++ } ++ return log_error_errno(-1, errno, "Failed to find /sys/kernel/security/ima mount entry"); ++} ++ ++/* ++ * Loading digest lists is done here. Unloading/cleanup is done by the kernel ++ * when IMA namespace is destroyed. ++ */ ++int lxc_load_ima_digest_lists(struct lxc_conf *c) ++{ ++ return lxc_write_ima_digest_lists(c, "digest_list_data"); ++} +diff --git a/src/lxc/conf.h b/src/lxc/conf.h +index c9265b6..c85f939 100644 +--- a/src/lxc/conf.h ++++ b/src/lxc/conf.h +@@ -417,8 +417,8 @@ struct lxc_conf { + struct lxc_cgroup cgroup_meta; + + struct { +- int ns_clone; +- int ns_keep; ++ unsigned long ns_clone; ++ unsigned long ns_keep; + char *ns_share[LXC_NS_MAX]; + }; + +@@ -474,6 +474,8 @@ struct lxc_conf { + char *lsm_se_mount_context; + #endif + ++ char *ima_x509_path; ++ char *ima_kcmd; + }; + + extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, +@@ -568,4 +570,7 @@ int lxc_drop_caps(struct lxc_conf *conf); + int run_oci_hooks(const char *name, const char *hookname, struct lxc_conf *conf, const char *lxcpath); + void lxc_close_error_pipe(int *errpipe); + #endif ++int lxc_write_file(const char * filename, const char* value, size_t len); ++int lxc_write_ima_data_to_file(struct lxc_conf *c); ++int lxc_load_ima_digest_lists(struct lxc_conf *c); + #endif /* __LXC_CONF_H */ +diff --git a/src/lxc/confile.c b/src/lxc/confile.c +index e298ce9..64dcb98 100644 +--- a/src/lxc/confile.c ++++ b/src/lxc/confile.c +@@ -160,7 +160,7 @@ lxc_config_define(console_syslog_tag); + lxc_config_define(console_syslog_facility); + lxc_config_define(selinux_mount_context); + #endif +- ++lxc_config_define(ima); + /* + * Important Note: + * If a new config option is added to this table, be aware that +@@ -285,6 +285,8 @@ static struct lxc_config_t config_jump_table[] = { + { "lxc.console.syslog_facility", set_config_console_syslog_facility, get_config_console_syslog_facility, clr_config_console_syslog_facility, }, + { "lxc.selinux.mount_context", set_config_selinux_mount_context, get_config_selinux_mount_context, clr_config_selinux_mount_context, }, + #endif ++ { "lxc.ima.x509path", set_config_ima, get_config_ima, clr_config_ima, }, ++ { "lxc.ima.kcmd", set_config_ima, get_config_ima, clr_config_ima, }, + }; + + static const size_t config_jump_table_size = sizeof(config_jump_table) / sizeof(struct lxc_config_t); +@@ -2678,7 +2680,7 @@ static int set_config_namespace_clone(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { + char *ns, *token; +- int cloneflag = 0; ++ unsigned long cloneflag = 0; + + if (lxc_config_value_empty(value)) + return clr_config_namespace_clone(key, lxc_conf, data); +@@ -2713,7 +2715,7 @@ static int set_config_namespace_keep(const char *key, const char *value, + struct lxc_conf *lxc_conf, void *data) + { + char *ns, *token; +- int cloneflag = 0; ++ unsigned long cloneflag = 0; + + if (lxc_config_value_empty(value)) + return clr_config_namespace_keep(key, lxc_conf, data); +@@ -6755,3 +6757,65 @@ static inline int clr_config_selinux_mount_context(const char *key, + return 0; + } + #endif ++ ++int lxc_clear_imas(struct lxc_conf *c, const char *key) ++{ ++ const char *k = NULL; ++ ++ if (strncmp(key, "lxc.ima.", STRLITERALLEN("lxc.ima.")) == 0) { ++ k = key + STRLITERALLEN("lxc.ima."); ++ } else { ++ return -1; ++ } ++ ++ if (strcmp(k, "x509path") == 0) { ++ free(c->ima_x509_path); ++ c->ima_x509_path = NULL; ++ } else if (strcmp(k, "kcmd") == 0) { ++ free(c->ima_kcmd); ++ c->ima_kcmd = NULL; ++ } ++ ++ return 0; ++} ++ ++/* set config for ima namespace path */ ++static int set_config_ima(const char *key, const char *value, ++ struct lxc_conf *lxc_conf, void *data) ++{ ++ const char *k = NULL; ++ ++ if (lxc_config_value_empty(value)) { ++ return lxc_clear_imas(lxc_conf,key); ++ } ++ ++ k = key + STRLITERALLEN("lxc.ima."); ++ ++ if (strcmp(k, "x509path") == 0) { ++ set_config_path_item(&lxc_conf->ima_x509_path, value); ++ } else if (strcmp(k, "kcmd") == 0) { ++ set_config_path_item(&lxc_conf->ima_kcmd, value); ++ } ++ ++ return 0; ++} ++ ++static inline int clr_config_ima(const char *key, struct lxc_conf *c, ++ void *data) ++{ ++ return lxc_clear_imas(c,key); ++} ++ ++static int get_config_ima(const char *key, char *retv, int inlen, ++ struct lxc_conf *c, void *data) ++{ ++ const char* k = key + STRLITERALLEN("lxc.ima."); ++ ++ if (strcmp(k, "x509path") == 0) { ++ return lxc_get_conf_str(retv, inlen, c->ima_x509_path); ++ } else if (strcmp(k, "kcmd") == 0) { ++ return lxc_get_conf_str(retv, inlen, c->ima_kcmd); ++ } ++ ++ return -1; ++} +diff --git a/src/lxc/macro.h b/src/lxc/macro.h +index 3df19d6..d89279c 100644 +--- a/src/lxc/macro.h ++++ b/src/lxc/macro.h +@@ -413,6 +413,7 @@ enum { + /* pointer conversion macros */ + #define PTR_TO_INT(p) ((int)((intptr_t)(p))) + #define INT_TO_PTR(u) ((void *)((intptr_t)(u))) ++#define UINT64_TO_PTR(u) ((void *)((uint_least64_t)(u))) + + #define PTR_TO_PID(p) ((pid_t)((intptr_t)(p))) + #define PID_TO_PTR(u) ((void *)((intptr_t)(u))) +diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c +index 38d2ae5..fdf8dde 100644 +--- a/src/lxc/namespace.c ++++ b/src/lxc/namespace.c +@@ -71,10 +71,11 @@ const struct ns_info ns_info[LXC_NS_MAX] = { + [LXC_NS_UTS] = { "uts", CLONE_NEWUTS, "CLONE_NEWUTS", "LXC_UTS_NS" }, + [LXC_NS_IPC] = { "ipc", CLONE_NEWIPC, "CLONE_NEWIPC", "LXC_IPC_NS" }, + [LXC_NS_NET] = { "net", CLONE_NEWNET, "CLONE_NEWNET", "LXC_NET_NS" }, +- [LXC_NS_CGROUP] = { "cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP", "LXC_CGROUP_NS" } ++ [LXC_NS_CGROUP] = { "cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP", "LXC_CGROUP_NS" }, ++ [LXC_NS_IMA] = { "ima", CLONE_NEWIMA, "CLONE_NEWIMA", "LXC_IMA_NS" } + }; + +-int lxc_namespace_2_cloneflag(const char *namespace) ++unsigned long lxc_namespace_2_cloneflag(const char *namespace) + { + int i; + +@@ -132,10 +133,10 @@ extern int lxc_namespace_2_std_identifiers(char *namespaces) + return 0; + } + +-int lxc_fill_namespace_flags(char *flaglist, int *flags) ++unsigned long lxc_fill_namespace_flags(char *flaglist, unsigned long *flags) + { + char *token; +- int aflag; ++ unsigned long aflag; + + if (!flaglist) { + ERROR("At least one namespace is needed."); +diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h +index a8fda78..7c1b966 100644 +--- a/src/lxc/namespace.h ++++ b/src/lxc/namespace.h +@@ -64,6 +64,13 @@ + # define CLONE_NEWNET 0x40000000 + #endif + ++/* ++ * Clone flag for creating IMA Namespace. ++ */ ++#ifndef CLONE_NEWIMA ++# define CLONE_NEWIMA 0x400000000 ++#endif ++ + enum { + LXC_NS_USER, + LXC_NS_MNT, +@@ -72,12 +79,13 @@ enum { + LXC_NS_IPC, + LXC_NS_NET, + LXC_NS_CGROUP, ++ LXC_NS_IMA, + LXC_NS_MAX + }; + + extern const struct ns_info { + const char *proc_name; +- int clone_flag; ++ unsigned long clone_flag; + const char *flag_name; + const char *env_name; + } ns_info[LXC_NS_MAX]; +@@ -115,9 +123,9 @@ int clone(int (*fn)(void *), void *child_stack, + */ + extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags, int *pidfd); + +-extern int lxc_namespace_2_cloneflag(const char *namespace); ++extern unsigned long lxc_namespace_2_cloneflag(const char *namespace); + extern int lxc_namespace_2_ns_idx(const char *namespace); + extern int lxc_namespace_2_std_identifiers(char *namespaces); +-extern int lxc_fill_namespace_flags(char *flaglist, int *flags); ++extern unsigned long lxc_fill_namespace_flags(char *flaglist, unsigned long *flags); + + #endif +diff --git a/src/lxc/start.c b/src/lxc/start.c +index c1563e0..a5d835a 100644 +--- a/src/lxc/start.c ++++ b/src/lxc/start.c +@@ -71,6 +71,15 @@ static bool do_destroy_container(struct lxc_handler *handler); + static int lxc_rmdir_onedev_wrapper(void *data); + static void lxc_destroy_container_on_signal(struct lxc_handler *handler, + const char *name); ++static inline int __unshare(unsigned long flags) ++{ ++ return syscall(__NR_unshare, flags); ++} ++ ++static inline int __setns(int fd, unsigned long flags) ++{ ++ return syscall(__NR_setns, fd, flags); ++} + + static void print_top_failing_dir(const char *path) + { +@@ -135,7 +144,7 @@ static int lxc_try_preserve_ns(const int pid, const char *ns) + * Return true on success, false on failure. + */ + static bool lxc_try_preserve_namespaces(struct lxc_handler *handler, +- int ns_clone_flags, pid_t pid) ++ unsigned long ns_clone_flags, pid_t pid) + { + int i; + +@@ -1407,6 +1416,36 @@ static int do_start(void *data) + } + } + ++ if ((handler->ns_clone_flags & CLONE_NEWIMA) && ++ handler->conf->ima_kcmd && handler->conf->ima_x509_path) { ++ __do_close int imans_fd = -EBADF; ++ /* IMA: Unshare and config IMA namespace */ ++ ret = __unshare(CLONE_NEWIMA); ++ if (ret < 0) { ++ ERROR("Failed to unshare CLONE_NEWIMA"); ++ goto out_warn_father; ++ } ++ INFO("Unshared IMA NS"); ++ ++ if (lxc_write_ima_data_to_file(handler->conf) < 0) { ++ ERROR("Failed lxc_write_ima_data_to_file"); ++ goto out_warn_father; ++ } ++ INFO("Written IMA NS Config"); ++ imans_fd = open("/proc/self/ns/ima_for_children", O_RDONLY| O_CLOEXEC); ++ if (imans_fd < 0) { ++ ERROR("Failed to open \"/proc/self/ns/ima_for_children\""); ++ goto out_warn_father; ++ } ++ ret = __setns(imans_fd, CLONE_NEWIMA); ++ if (ret) { ++ ERROR("Failed to setns(%d(\"/proc/self/ns/ima_for_children\"))", imans_fd); ++ goto out_warn_father; ++ } ++ close(imans_fd); ++ INFO("Moved (setns) pid %d to IMA NS", handler->pid); ++ } ++ + ret = access(handler->lxcpath, X_OK); + if (ret != 0) { + print_top_failing_dir(handler->lxcpath); +@@ -1608,6 +1647,17 @@ static int do_start(void *data) + goto out_warn_father; + } + ++ /* Load IMA digest list */ ++ if ((handler->ns_clone_flags & CLONE_NEWIMA) && ++ ((strstr((const char *)handler->conf->ima_kcmd, "ima_appraise_digest_list") != NULL) || ++ (strstr((const char *)handler->conf->ima_kcmd, "ima_measure_digest_list") != NULL))) { ++ ret = lxc_load_ima_digest_lists(handler->conf); ++ if (ret == 0) { ++ INFO("Loaded IMA digest lists"); ++ } else { ++ INFO("Failed to load IMA digest lists"); ++ } ++ } + ret = run_lxc_hooks(handler->name, "start", handler->conf, NULL); + if (ret < 0) { + ERROR("Failed to run lxc.hook.start for container \"%s\"", +@@ -1868,6 +1918,9 @@ int resolve_clone_flags(struct lxc_handler *handler) + if (i == LXC_NS_CGROUP && !cgns_supported()) + continue; + ++ if (i == LXC_NS_IMA && (handler->conf->ima_kcmd == NULL || handler->conf->ima_x509_path == NULL)) ++ continue; ++ + handler->ns_clone_flags |= ns_info[i].clone_flag; + } + +@@ -2104,6 +2157,9 @@ static int lxc_spawn(struct lxc_handler *handler) + /* The cgroup namespace gets unshare()ed not clone()ed. */ + handler->ns_on_clone_flags &= ~CLONE_NEWCGROUP; + ++ /* The ima namespace gets unshare()ed not clone()ed. */ ++ handler->ns_on_clone_flags &= ~CLONE_NEWIMA; ++ + if (share_ns) { + pid_t attacher_pid; + +@@ -2332,6 +2388,19 @@ static int lxc_spawn(struct lxc_handler *handler) + cgroup_ops->payload_finalize(cgroup_ops); + TRACE("Finished setting up cgroups"); + ++ if (handler->ns_clone_flags & CLONE_NEWIMA) { ++ ret = lxc_try_preserve_ns(handler->pid, "ima"); ++ if (ret < 0) { ++ if (ret != -EOPNOTSUPP) { ++ SYSERROR("Failed to preserve ima namespace"); ++ goto out_delete_net; ++ } ++ } else { ++ handler->nsfd[LXC_NS_IMA] = ret; ++ DEBUG("Preserved ima namespace via fd %d", ret); ++ } ++ } ++ + /* Run any host-side start hooks */ + ret = run_lxc_hooks(name, "start-host", conf, NULL); + if (ret < 0) { +diff --git a/src/lxc/start.h b/src/lxc/start.h +index 98de103..61d20b5 100644 +--- a/src/lxc/start.h ++++ b/src/lxc/start.h +@@ -37,8 +37,8 @@ struct lxc_handler { + * but are present in the container's config. + */ + struct /* lxc_ns */ { +- int ns_clone_flags; +- int ns_on_clone_flags; ++ unsigned long ns_clone_flags; ++ unsigned long ns_on_clone_flags; + }; + + /* File descriptor to pin the rootfs for privileged containers. */ +diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c +index 9931b39..f23b238 100644 +--- a/src/lxc/tools/lxc_attach.c ++++ b/src/lxc/tools/lxc_attach.c +@@ -52,7 +52,7 @@ static int lxc_attach_create_log_file(const char *log_file); + + static int elevated_privileges; + static signed long new_personality = -1; +-static int namespace_flags = -1; ++static unsigned long namespace_flags = -1; + static int remount_sys_proc; + static lxc_attach_env_policy_t env_policy = LXC_ATTACH_KEEP_ENV; + static char **extra_env; +diff --git a/src/lxc/tools/lxc_unshare.c b/src/lxc/tools/lxc_unshare.c +index b4b073a..292ee86 100644 +--- a/src/lxc/tools/lxc_unshare.c ++++ b/src/lxc/tools/lxc_unshare.c +@@ -132,7 +132,7 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) + + static int get_namespace_flags(char *namespaces) + { +- int flags = 0; ++ unsigned long flags = 0; + + if (lxc_namespace_2_std_identifiers(namespaces) < 0) + return -1; +-- +2.27.0 + diff --git a/lxc.spec b/lxc.spec index 37a3012108c280bc73d8915b80bd6f2b792d2304..b782f55fe4cc8b61c283463ec4efc19639ab86ea 100644 --- a/lxc.spec +++ b/lxc.spec @@ -43,6 +43,7 @@ Patch0032: 0032-disable-lxc_keep-with-oci-image.patch Patch0033: 0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch Patch0034: 0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch Patch0035: 0035-adapt-upstream-compiler-settings.patch +Patch0036: 0036-support-ima-ns.patch BuildRequires: systemd-units git libtool graphviz docbook2X doxygen chrpath BuildRequires: pkgconfig(libseccomp) diff --git a/series.conf b/series.conf index 86c71d57acace74555377b08063dba3c7b26719c..f04fad5a532a5c2fe7314a855f7fff1f665db1f7 100644 --- a/series.conf +++ b/series.conf @@ -33,3 +33,4 @@ 0033-conf-ensure-that-the-idmap-pointer-itself-is-freed.patch 0034-cgfsng-fix-cgroup-attach-cgroup-creation.patch 0035-adapt-upstream-compiler-settings.patch +0036-support-ima-ns.patch