update to 7.0 #55
Merged
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
remove cgroup1 support
assume CLONE_PIDFD, clone3, new mount api are supported

We agreed to set 6.12 as a Linux kernel requirement for the LXC 7.x line; it was released in Nov 2024 [1]. Let's drop fallback code for cases when CLONE_PIDFD or clone3 are not supported. CLONE_PIDFD was added in 5.2, clone3 was added in 5.3. I decided to keep fallback logic for non-supported CLONE_INTO_CGROUP for now, even though it was added in 5.7.

Link: torvalds/linux@adc2186 [1]
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>

fsopen and open_tree were added in 5.2, mount_setattr in 5.12.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
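The commit above removes the pre-5.3 fallbacks, leaving clone3 with CLONE_PIDFD as the only spawn path. The following is an added example, not code from LXC or from this PR: it spawns a child with a raw clone3 call, receives the pidfd, and reaps the child through the pidfd with waitid(P_PIDFD). The struct layout, syscall number and the `run_child_via_pidfd` helper are local definitions chosen for the example; a kernel of at least 5.4 is assumed for P_PIDFD, and a clone3 blocked by a seccomp filter is reported as -ENOSYS rather than worked around, which is exactly the situation the dropped fallback used to cover.

```c
/* Added example (not LXC code): spawn a child with clone3(CLONE_PIDFD) and reap
 * it via the pidfd. This is the only path that remains once the pre-5.3
 * fallbacks are dropped. Assumes Linux >= 5.4 (waitid P_PIDFD). */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

extern long syscall(long number, ...);   /* explicit, in case _GNU_SOURCE was not seen first */

#ifndef SYS_clone3
#define SYS_clone3 435       /* same number on every architecture using the unified table */
#endif
#ifndef CLONE_PIDFD
#define CLONE_PIDFD 0x00001000
#endif
#ifndef P_PIDFD
#define P_PIDFD 3
#endif

/* Local copy of struct clone_args (v0 layout, 64 bytes), so the example does
 * not depend on the installed linux/sched.h. */
struct my_clone_args {
    uint64_t flags, pidfd, child_tid, parent_tid, exit_signal,
             stack, stack_size, tls;
};

/* fork()-like clone3 that also hands back a pidfd. Returns child pid or -errno. */
static pid_t clone3_pidfd(int *pidfd) {
    struct my_clone_args args = {
        .flags = CLONE_PIDFD,
        .pidfd = (uint64_t)(uintptr_t)pidfd,
        .exit_signal = SIGCHLD,      /* so the child is reapable with waitid() */
    };
    /* No CLONE_VM and stack == 0: the child gets a copy of the parent's stack. */
    long ret = syscall(SYS_clone3, &args, sizeof(args));
    if (ret < 0)
        return -errno;
    return (pid_t)ret;
}

/* Spawn a child that exits with `code`, wait for it through the pidfd and
 * return its exit status. Returns -errno on failure, e.g. -ENOSYS when a
 * seccomp filter denies clone3: there is no fallback, by design. */
int run_child_via_pidfd(int code) {
    int pidfd = -1;
    pid_t pid = clone3_pidfd(&pidfd);
    if (pid < 0)
        return (int)pid;
    if (pid == 0)
        _exit(code);                 /* child: do nothing but exit */

    siginfo_t info;
    memset(&info, 0, sizeof(info));
    int rc = waitid(P_PIDFD, (id_t)pidfd, &info, WEXITED);
    int saved = errno;
    close(pidfd);                    /* the pidfd is ours; release it on every path */
    if (rc < 0)
        return -saved;
    if (info.si_code != CLD_EXITED)  /* killed by a signal: not a normal exit */
        return -ECHILD;
    return info.si_status;
}

int main(void) {
    int rc = run_child_via_pidfd(7);
    if (rc < 0)
        fprintf(stderr, "clone3/pidfd path unavailable: %s\n", strerror(-rc));
    else
        printf("child exited with %d\n", rc);
    return rc == 7 ? 0 : 1;
}
```

Running this under a container runtime whose seccomp profile returns ENOSYS for clone3 makes the point of the commit visible: a 7.x LXC on such a host fails early and loudly instead of silently taking the old clone()+pidfd_open() route.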
apparmor: allow nosymfollow remounts

We need this for new versions of systemd, because it heavily uses MS_NOSYMFOLLOW these days.

Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
lsm/apparmor: allow binfmt_misc RW mounts

Signed-off-by: Fernando Picazo <fernando.picazo@outlook.com>
[ alex: fully reworked to match logic in Incus ]
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
tests/lxc-test-lxc-attach: Increase sleep time

On riscv64 architectures, a single second sleep doesn't appear to be sufficient to work around the busybox pipe closure bug, and the test hangs forever. Increase to three seconds.

Signed-off-by: Mathias Gibbens <gibmat@debian.org>
lvm.c: make sure tp gets freed

tp is __do_free. However, when we detect that it is not a thinpool, we set it to NULL, so that it can't get freed on exit.

Coverity id: 1461741
Signed-off-by: Serge Hallyn <serge@hallyn.com>

Don't leak an open fd

The dfd_idmapped was being dup'd, but not freed. If we ever change it so that storage_put closes the dfd_idmapped fd, then we'll want to undo this. For now, this is a kludgy way to avoid leaking the open fd, but it should work.

The new_rootfs->dfd_idmapped gets dup'd from c->lxc_conf->rootfs.dfd_idmapped. new_rootfs eventually gets assigned to new->rootfs (where new is a struct storage, usually called 'bdev'). From here there are error paths which free the bdev and return NULL, and a success path that returns bdev. But neither the error path nor the caller do anything really with the bdev, and storage_put() doesn't close that fd. So close the dfd_idmapped in both paths.

Coverity id: 1641426
Signed-off-by: Serge Hallyn <serge@hallyn.com>
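The ownership problem in the "Don't leak an open fd" commit is easy to reproduce in isolation. What follows is an added example, not LXC's code: a reduced model with a `struct storage` whose `dfd_idmapped` is dup'd from a caller-owned descriptor, a `storage_put()` that frees the struct without closing the fd (mirroring what the commit says about the real one), a leaky initialiser next to the fixed one that closes the dup on both the error and the success path, and a `count_open_fds()` probe that makes the leak measurable. The `fail` parameter is a constructed switch to force the error path; the real function has no such argument.

```c
/* Added example (not LXC code): minimal model of the dfd_idmapped leak and the
 * fix of closing the dup'd descriptor on both exit paths. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct storage {
    int dfd_idmapped;   /* dup'd from the caller's rootfs.dfd_idmapped */
};

/* Models storage_put(): releases the struct and, as in the commit message,
 * deliberately does not close dfd_idmapped. */
void storage_put(struct storage *bdev) {
    free(bdev);
}

/* Count open descriptors in [0, 1024) with fcntl(F_GETFD); cheap leak probe. */
int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Before the fix: the dup is handed to the storage, but neither the error path
 * (free + NULL) nor the success path ever closes it, and neither does the
 * caller. `fail` is a constructed switch that forces the error path. */
struct storage *storage_init_leaky(int src_dfd, int fail) {
    struct storage *bdev = calloc(1, sizeof(*bdev));
    if (!bdev)
        return NULL;
    bdev->dfd_idmapped = dup(src_dfd);
    if (bdev->dfd_idmapped < 0) {
        free(bdev);
        return NULL;
    }
    if (fail) {
        storage_put(bdev);   /* leak: dfd_idmapped is still open */
        return NULL;
    }
    return bdev;             /* leak: nobody downstream closes it either */
}

/* After the fix: nothing downstream uses the fd, so close it on both paths and
 * poison the field so a later accidental use fails with EBADF. */
struct storage *storage_init_fixed(int src_dfd, int fail) {
    struct storage *bdev = calloc(1, sizeof(*bdev));
    if (!bdev)
        return NULL;
    bdev->dfd_idmapped = dup(src_dfd);
    if (bdev->dfd_idmapped < 0) {
        free(bdev);
        return NULL;
    }
    if (fail) {
        close(bdev->dfd_idmapped);
        storage_put(bdev);
        return NULL;
    }
    close(bdev->dfd_idmapped);
    bdev->dfd_idmapped = -1;
    return bdev;
}

/* Number of descriptors left open by one forced-error call of `init`;
 * 0 for a correct initialiser, 1 for the leaky one. Returns -1 if the probe
 * source cannot be opened. */
int leaked_fds(struct storage *(*init)(int, int)) {
    int src = open("/dev/null", O_RDONLY);
    if (src < 0)
        return -1;
    int before = count_open_fds();
    struct storage *bdev = init(src, 1);
    if (bdev)                 /* not expected on the forced error path */
        storage_put(bdev);
    int leaked = count_open_fds() - before;
    close(src);
    return leaked;
}

int main(void) {
    printf("leaky: %d fd(s) leaked per error\n", leaked_fds(storage_init_leaky));
    printf("fixed: %d fd(s) leaked per error\n", leaked_fds(storage_init_fixed));
    return 0;
}
```

The probe is deliberately crude (it stops at fd 1024), but it is the same check a reviewer can run against the real code path: call the initialiser in a loop on a failing storage definition and watch `/proc/<pid>/fd` grow.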
Fix security issue with lxc-user-nic and OpenVswitch networks

Some variable names were a bit confusing in find_line and cull_entries. Rename and document, and fix the flows using these. It's possible that a more maintainable approach, long term, would be to break these up differently: have one function create a neat in-memory data structure representing the files, and have the paths currently using find_line and cull_entries peek into the data structures. But I think this is pretty clear.

This fixes CVE-2026-39402

Signed-off-by: Serge E. Hallyn <serge@hallyn.com>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
29b7a68 into Container-On-Android:main
2 of 3 checks passed
Fixed #54
Close #54