diff options
Diffstat (limited to 'recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch')
| -rw-r--r-- | recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch | 217 |
1 files changed, 0 insertions, 217 deletions
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch deleted file mode 100644 index 34647c80..00000000 --- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch +++ /dev/null @@ -1,217 +0,0 @@ -From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001 -From: Maximilian Blenk <Maximilian.Blenk@bmw.de> -Date: Thu, 30 Jan 2020 19:21:10 +0100 -Subject: [PATCH 3/3] container.conf: Add option to disable session keyring - creation - -lxc set's up a new session keyring for every container by default. -There might be valid use-cases where this is not wanted / needed -(e.g. systemd by default creates a new session keyring anyway). - -Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de> ---- - src/lxc/conf.c | 19 ++++++++++-------- - src/lxc/conf.h | 1 + - src/lxc/confile.c | 44 ++++++++++++++++++++++------------------- - src/lxc/confile_utils.c | 24 ++++++++++++++++++++++ - src/lxc/confile_utils.h | 2 ++ - 5 files changed, 62 insertions(+), 28 deletions(-) - -diff --git a/src/lxc/conf.c b/src/lxc/conf.c -index b06fbf047..be4761a54 100644 ---- a/src/lxc/conf.c -+++ b/src/lxc/conf.c -@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void) - lxc_list_init(&new->lsm_aa_raw); - new->lsm_se_context = NULL; - new->lsm_se_keyring_context = NULL; -+ new->keyring_disable_session = false; - new->tmp_umount_proc = false; - new->tmp_umount_proc = 0; - new->shmount.path_host = NULL; -@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler) - } - } - -- if (lxc_conf->lsm_se_keyring_context) { -- keyring_context = lxc_conf->lsm_se_keyring_context; -- } else if (lxc_conf->lsm_se_context) { -- keyring_context = lxc_conf->lsm_se_context; -- } -+ if (!lxc_conf->keyring_disable_session) { -+ if (lxc_conf->lsm_se_keyring_context) { -+ keyring_context = lxc_conf->lsm_se_keyring_context; -+ } else if (lxc_conf->lsm_se_context) { -+ keyring_context = lxc_conf->lsm_se_context; -+ } - -- ret = lxc_setup_keyring(keyring_context); -- if (ret < 0) -- return -1; -+ ret = lxc_setup_keyring(keyring_context); -+ if (ret < 0) -+ return -1; -+ } - - if (handler->ns_clone_flags & CLONE_NEWNET) { - ret = lxc_setup_network_in_child_namespaces(lxc_conf, -diff --git a/src/lxc/conf.h b/src/lxc/conf.h -index bb47b720e..b81786838 100644 ---- a/src/lxc/conf.h -+++ b/src/lxc/conf.h -@@ -296,6 +296,7 @@ struct lxc_conf { - struct lxc_list lsm_aa_raw; - char *lsm_se_context; - char *lsm_se_keyring_context; -+ bool keyring_disable_session; - bool tmp_umount_proc; - struct lxc_seccomp seccomp; - int maincmd_fd; -diff --git a/src/lxc/confile.c b/src/lxc/confile.c -index df184af73..fd8b3aaba 100644 ---- a/src/lxc/confile.c -+++ b/src/lxc/confile.c -@@ -110,6 +110,7 @@ lxc_config_define(init_cmd); - lxc_config_define(init_cwd); - lxc_config_define(init_gid); - lxc_config_define(init_uid); -+lxc_config_define(keyring_session); - lxc_config_define(log_file); - lxc_config_define(log_level); - lxc_config_define(log_syslog); -@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = { - { "lxc.init.gid", set_config_init_gid, get_config_init_gid, clr_config_init_gid, }, - { "lxc.init.uid", set_config_init_uid, get_config_init_uid, clr_config_init_uid, }, - { "lxc.init.cwd", set_config_init_cwd, get_config_init_cwd, clr_config_init_cwd, }, -+ { "lxc.keyring.session", set_config_keyring_session, get_config_keyring_session, clr_config_keyring_session }, - { "lxc.log.file", set_config_log_file, get_config_log_file, clr_config_log_file, }, - { "lxc.log.level", set_config_log_level, get_config_log_level, clr_config_log_level, }, - { "lxc.log.syslog", set_config_log_syslog, get_config_log_syslog, clr_config_log_syslog, }, -@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value - return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value); - } - -+static int set_config_keyring_session(const char *key, const char *value, -+ struct lxc_conf *lxc_conf, void *data) -+{ -+ return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false); -+} -+ - static int set_config_log_file(const char *key, const char *value, - struct lxc_conf *c, void *data) - { -@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value, - static int set_config_rootfs_managed(const char *key, const char *value, - struct lxc_conf *lxc_conf, void *data) - { -- unsigned int val = 0; -- -- if (lxc_config_value_empty(value)) { -- lxc_conf->rootfs.managed = true; -- return 0; -- } -- -- if (lxc_safe_uint(value, &val) < 0) -- return -EINVAL; -- -- switch (val) { -- case 0: -- lxc_conf->rootfs.managed = false; -- return 0; -- case 1: -- lxc_conf->rootfs.managed = true; -- return 0; -- } -- -- return -EINVAL; -+ return set_config_bool_item(&lxc_conf->rootfs.managed, value, true); - } - - static int set_config_rootfs_mount(const char *key, const char *value, -@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i - return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context); - } - -+static int get_config_keyring_session(const char *key, char *retv, int inlen, -+ struct lxc_conf *c, void *data) -+{ -+ return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session); -+} -+ - - /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then - * just the value(s) will be printed. Since there still could be more than one, -@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key, - return 0; - } - -+static inline int clr_config_keyring_session(const char *key, -+ struct lxc_conf *c, void *data) -+{ -+ c->keyring_disable_session = false; -+ return 0; -+} -+ - static inline int clr_config_cgroup_controller(const char *key, - struct lxc_conf *c, void *data) - { -@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv, - strprint(retv, inlen, "order\n"); - } else if (!strcmp(key, "lxc.monitor")) { - strprint(retv, inlen, "unshare\n"); -+ } else if (!strcmp(key, "lxc.keyring")) { -+ strprint(retv, inlen, "session\n"); - } else { - fulllen = -1; - } -diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c -index 6941f4026..02e48454b 100644 ---- a/src/lxc/confile_utils.c -+++ b/src/lxc/confile_utils.c -@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value) - return set_config_string_item_max(conf_item, value, PATH_MAX); - } - -+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action) -+{ -+ unsigned int val = 0; -+ -+ if (lxc_config_value_empty(value)) { -+ *conf_item = empty_conf_action; -+ return 0; -+ } -+ -+ if (lxc_safe_uint(value, &val) < 0) -+ return -EINVAL; -+ -+ switch (val) { -+ case 0: -+ *conf_item = false; -+ return 0; -+ case 1: -+ *conf_item = true; -+ return 0; -+ } -+ -+ return -EINVAL; -+} -+ - int config_ip_prefix(struct in_addr *addr) - { - if (IN_CLASSA(addr->s_addr)) -diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h -index f68f9604f..83d49bace 100644 ---- a/src/lxc/confile_utils.h -+++ b/src/lxc/confile_utils.h -@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value); - extern int set_config_string_item_max(char **conf_item, const char *value, - size_t max); - extern int set_config_path_item(char **conf_item, const char *value); -+extern int set_config_bool_item(bool *conf_item, const char *value, -+ bool empty_conf_action); - extern int config_ip_prefix(struct in_addr *addr); - extern int network_ifname(char *valuep, const char *value, size_t size); - extern void rand_complete_hwaddr(char *hwaddr); --- -2.24.1 - |