Package: lxc / 1:1.0.6-6+deb8u2~bpo70+1

Metadata

Package: lxc
Version: 1:1.0.6-6+deb8u2~bpo70+1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001-lxcinitdir.patch

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 correcting wrong default directory for lxc-init,
 see https://github.com/lxc/lxc/issues/306.

0002-sysvinit-directory.patch

config/init/sysvinit/Makefile.am | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 correcting wrong default directory for sysvinit scripts,
 see https://github.com/lxc/lxc/issues/307.

0003-sysvinit-lsb-headers.patch

config/init/sysvinit/lxc.in | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 correcting wrong lsb headers in sysvinit script,
 see https://github.com/lxc/lxc/issues/308.

0004-sysvinit-lsb-functions.patch

config/init/sysvinit/lxc.in | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 correcting wrong lsb functions in sysvinit script (closes: #740066),
 see https://github.com/lxc/lxc/issues/309,
 https://github.com/lxc/lxc/issues/310,
 and https://github.com/lxc/lxc/issues/311.

0005-sysvinit-lsb-lock.patch

config/init/sysvinit/lxc.in | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 creating missing lock directory in sysvinit script (closes: #740216),
 see https://github.com/lxc/lxc/issues/312.

0006-lxc-attach-sigint.patch

src/lxc/lxc_attach.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 lxc-attach should ignore sigint (closes: #740264).
 lxc-attach terminates on SIGINT, which is extremely annoying.
 Pressing Ctrl-C should kill the running process, not the whole session,
 see https://github.com/lxc/lxc/issues/313.

0007-lxc-patch-shebang.patch

config/yum/lxc-patch.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 adding missing python shebang,
 see https://github.com/lxc/lxc/issues/314.

0008-lxc-debian-fuse.patch

config/templates/debian.common.conf.in | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 don't mount fuse into the container, will fail if fuse isn't installed,
 see https://github.com/lxc/lxc/issues/304.

0009-apparmor.patch

config/apparmor/abstractions/container-base | 6 3 + 3 - 0 !
config/apparmor/abstractions/container-base.in | 6 3 + 3 - 0 !
config/apparmor/abstractions/start-container | 6 3 + 3 - 0 !
3 files changed, 9 insertions(+), 9 deletions(-)

 Disable dbus, signal, and ptrace in the apparmor profiles until Debian has a
 recent enough apparmor version (#746764), thanks to Intrigeri
 <intrigeri@debian.org> (Closes: #750107).

0010-lxc-debian-openssh-server.patch

templates/lxc-debian.in | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 change PermitRootLogin yes to PermitRootLogin without-password in
 default sshd_config, see https://github.com/lxc/lxc/issues/303.

0011-lxc-debian-root-password.patch

templates/lxc-debian.in | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 setting random root password (closes: #758643),
 see https://github.com/lxc/lxc/issues/302.

0012-lxc-debian-systemd.patch

config/templates/debian.common.conf.in | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 setting options for systemd (closes: #761196, #761197),
 see https://github.com/lxc/lxc/issues/335.

0013-lxc-create-manpage.patch

doc/lxc-create.sgml.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 marking -t option in lxc-create manpage as required (closes: #768778),
 see https://github.com/lxc/lxc/issues/355.

0014-lxc-debian-sysfs.patch

config/templates/debian.common.conf.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 mount /sys read-only in lxc-debian to prevent (one way of) escaping containers (closes: #770901).

0015-lxc-debian-systemd.patch

templates/lxc-debian.in | 34 34 + 0 - 0 !
1 file changed, 34 insertions(+)

 lxc-debian: support systemd as PID 1
 Containers with systemd need a somewhat special setup, which I borrowed
 and adapted from lxc-fedora. These changes are required so that Debian 8
 (jessie) containers work properly, and are a no-op for previous Debian
 versions.

0016-lxc-debian-init.patch

templates/lxc-debian.in | 35 21 + 14 - 0 !
1 file changed, 21 insertions(+), 14 deletions(-)

 lxc-debian: adjust init system configurations
 Do as much as possible to allow containers switching from non-systemd to
 systemd to work as intended (but nothing that will cause side effects).
 Use update-rc.d disable instead of remove so the init scripts are not
 re-enabled when the package is updated

0017-lxc-debian-mirror.patch

templates/lxc-debian.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use http.debian.net instead of cdn.debian.net (closes: #774204, #774472).

0018-CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch

src/lxc/lxclock.c | 38 10 + 28 - 0 !
src/tests/locktests.c | 2 1 + 1 - 0 !
2 files changed, 11 insertions(+), 29 deletions(-)

 CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc

This prevents an unprivileged user from using LXC to create arbitrary files
on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>

0019-CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch

src/lxc/attach.c | 97 93 + 4 - 0 !
1 file changed, 93 insertions(+), 4 deletions(-)

 CVE-2015-1334: don't use the container's /proc during attach

A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.

Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

0020-CVE-2015-1335.patch

doc/lxc.container.conf.sgml.in | 12 12 + 0 - 0 !
src/lxc/cgfs.c | 5 4 + 1 - 0 !
src/lxc/cgmanager.c | 4 2 + 2 - 0 !
src/lxc/conf.c | 30 16 + 14 - 0 !
src/lxc/utils.c | 90 90 + 0 - 0 !
src/lxc/utils.h | 2 2 + 0 - 0 !
src/tests/Makefile.am | 3 2 + 1 - 0 !
src/tests/lxc-test-symlink | 88 88 + 0 - 0 !
8 files changed, 216 insertions(+), 18 deletions(-)

 Protect container mounts against symlinks

When a container starts up, lxc sets up the container's initial fstree
by doing a bunch of mounting, guided by the container configuration
file.  The container config is owned by the admin or user on the host,
so we do not try to guard against bad entries.  However, since the
mount target is in the container, it's possible that the container admin
could divert the mount with symbolic links.  This could bypass proper
container startup (i.e. confinement of a root-owned container by the
restrictive apparmor policy, by diverting the required write to
/proc/self/attr/current), or bypass the (path-based) apparmor policy
by diverting, say, /proc to /mnt in the container.

To prevent this,

1. do not allow mounts to paths containing symbolic links

2. do not allow bind mounts from relative paths containing symbolic
links.

Details:

This patch causes lxc to check /proc/self/mountinfo after each
mount into a container rootfs (that is, where we are not chrooted
into the container), making sure that the mount target wasn't a
symlink.

Use safe_mount() in mount_entry(), when mounting container proc,
and when needed.  In particular, safe_mount() need not be used in
any case where:

1. the mount is done in the container's namespace
2. the mount is for the container's rootfs
3. the mount is relative to a tmpfs or proc/sysfs which we have
   just safe_mount()ed ourselves

Since we were using proc/net as a temporary placeholder for /proc/sys/net
during container startup, and proc/net is a symbolic link, use proc/tty
instead.

Update the lxc.container.conf manpage with details about the new
restrictions.

Finally, add a testcase to test some symbolic link possibilities.

lxc-test-symlink: background lxc-start

CVE-2015-1335

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

0021-CVE-2015-1335-2.patch

src/lxc/utils.c | 20 17 + 3 - 0 !
1 file changed, 17 insertions(+), 3 deletions(-)

 Fix mount target mismatches due to multiple slashes
 The patch to fix symlink TOCTTOUs in mount entries at container start
 notices that target and actual mount point don't match.
 We introduce a // when the user specifies an absolute mount target, but
 rather than fix that, check for all '//' since users may have them in
 their container configuration, and we don't want to break configs which
 worked before.

0022-CVE-2015-1335-3.patch

src/lxc/utils.c | 21 18 + 3 - 0 !
src/tests/lxc-test-symlink | 3 3 + 0 - 0 !
2 files changed, 21 insertions(+), 3 deletions(-)

 Also avoid /./

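As an added illustration (not lxc's own safe_mount() from src/lxc/utils.c, which is not reproduced here), the following Python models the post-mount verification described across the three CVE-2015-1335 patches above: after a mount into the container rootfs, read /proc/self/mountinfo and confirm that the newest entry's mount point is the path that was requested, comparing after collapsing '//' and '/./' and without resolving symlinks. The rootfs path, the helper names and the two mountinfo snapshots are assumptions constructed for the example.

```python
"""Post-mount target verification, modelled on the CVE-2015-1335 description.

After mount(2) into the container rootfs (performed from the host, not chrooted
into the container), read /proc/self/mountinfo and confirm that the newest
entry's mount point is the path that was requested. If the container admin had
turned the target into a symlink, the kernel records the resolved path and the
comparison fails. Before comparing, '//' and '/./' are collapsed (the fix-ups in
the -2 and -3 patches); symlinks are deliberately not resolved by us.
Added example, not lxc's safe_mount().
"""
from typing import Optional

ROOTFS = "/var/lib/lxc/c1/rootfs"  # assumed container rootfs path for the example

# Constructed /proc/self/mountinfo snapshots (not captured from a real host).
# Fields: id parent major:minor root mount-point options ... - fstype source superopts
MOUNTINFO_OK = (
    "20 1 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "34 20 0:30 / /var/lib/lxc/c1/rootfs/proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
)
# Same mount request, but rootfs/proc had been replaced by a symlink to rootfs/mnt:
# the kernel followed it, so the recorded mount point is rootfs/mnt.
MOUNTINFO_DIVERTED = (
    "20 1 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "34 20 0:30 / /var/lib/lxc/c1/rootfs/mnt rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
)


def normalize_target(path: str) -> str:
    """Collapse repeated slashes and '/./' segments; leave '..' and symlinks alone."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts)


def _unescape_mountinfo(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 4 <= len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def newest_mount_point(mountinfo_text: str) -> Optional[str]:
    """Mount point of the last entry; entries appear in the order mounts were made."""
    lines = [line for line in mountinfo_text.splitlines() if line.strip()]
    if not lines:
        return None
    fields = lines[-1].split(" ")
    return _unescape_mountinfo(fields[4]) if len(fields) > 4 else None


def mount_target_is_safe(mountinfo_text: str, requested_target: str) -> bool:
    """True only if the newest mount landed exactly on the requested path."""
    actual = newest_mount_point(mountinfo_text)
    if actual is None:
        return False
    return normalize_target(actual) == normalize_target(requested_target)


def verify_live_mount(requested_target: str) -> bool:
    """Apply the same check to this process's real /proc/self/mountinfo."""
    with open("/proc/self/mountinfo") as f:
        return mount_target_is_safe(f.read(), requested_target)


if __name__ == "__main__":
    # lxc built the target as rootfs + "/" + "/proc", hence the '//' being tolerated.
    target = ROOTFS + "/" + "/proc"
    print("intact target :", mount_target_is_safe(MOUNTINFO_OK, target))        # True
    print("symlinked proc:", mount_target_is_safe(MOUNTINFO_DIVERTED, target))  # False
```

Run as a script it prints the verdict for both snapshots; verify_live_mount() applies the same comparison to the real /proc/self/mountinfo of the calling process, which is where the check belongs: immediately after each mount(2) into the rootfs. On a mismatch the caller should undo that mount and abort the container start, since continuing would leave, for example, the container's /proc diverted to a path the apparmor policy does not cover.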
bpo-0001-fix-FTBFS-ia64.patch

src/tests/reboot.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 Fix FTBFS on ia64 (clone vs. __clone2)