Package: lxc / 1:1.0.6-6+deb8u2~bpo70+1
Metadata
Package | Version | Patches format |
---|---|---|
lxc | 1:1.0.6-6+deb8u2~bpo70+1 | 3.0 (quilt) |
Patch series
Patch | File | Delta (lines changed: + added, - removed, ! modified) | Description
---|---|---|---
0001 lxcinitdir.patch | configure.ac | 2 (1 +, 1 -, 0 !) | correcting wrong default directory for lxc-init, see https://github.com/lxc/lxc/issues/306.
0002 sysvinit directory.patch | config/init/sysvinit/Makefile.am | 8 (4 +, 4 -, 0 !) | correcting wrong default directory for sysvinit scripts, see https://github.com/lxc/lxc/issues/307.
0003 sysvinit lsb headers.patch | config/init/sysvinit/lxc.in | 9 (8 +, 1 -, 0 !) | correcting wrong LSB headers in sysvinit script, see https://github.com/lxc/lxc/issues/308.
0004 sysvinit lsb functions.patch | config/init/sysvinit/lxc.in | 10 (6 +, 4 -, 0 !) | correcting wrong LSB functions in sysvinit script (closes: #740066), see https://github.com/lxc/lxc/issues/309, https://github.com/lxc/lxc/issues/310, and https://github.com/lxc/lxc/issues/311.
0005 sysvinit lsb lock.patch | config/init/sysvinit/lxc.in | 2 (2 +, 0 -, 0 !) | creating missing lock directory in sysvinit script (closes: #740216), see https://github.com/lxc/lxc/issues/312.
0006 lxc attach sigint.patch | src/lxc/lxc_attach.c | 2 (2 +, 0 -, 0 !) | lxc-attach should ignore SIGINT (closes: #740264). lxc-attach terminates on SIGINT, which is extremely annoying. Pressing Ctrl-C should kill the running process, not the whole session, see https://github.com/lxc/lxc/issues/313.
0007 lxc patch shebang.patch | config/yum/lxc-patch.py | 2 (2 +, 0 -, 0 !) | adding missing Python shebang, see https://github.com/lxc/lxc/issues/314.
0008 lxc debian fuse.patch | config/templates/debian.common.conf.in | 1 (0 +, 1 -, 0 !) | don't mount fuse into the container; it will fail if fuse isn't installed, see https://github.com/lxc/lxc/issues/304.
0009 apparmor.patch | config/apparmor/abstractions/container-base | 6 (3 +, 3 -, 0 !) | Disable dbus, signal, and ptrace in the apparmor profiles until Debian has a recent enough apparmor version (#746764), thanks to Intrigeri <intrigeri@debian.org> (Closes: #750107).
0010 lxc debian openssh server.patch | templates/lxc-debian.in | 3 (3 +, 0 -, 0 !) | change `PermitRootLogin yes` to `PermitRootLogin without-password` in default sshd_config, see https://github.com/lxc/lxc/issues/303.
0011 lxc debian root password.patch | templates/lxc-debian.in | 6 (4 +, 2 -, 0 !) | setting random root password (closes: #758643), see https://github.com/lxc/lxc/issues/302.
0012 lxc debian systemd.patch | config/templates/debian.common.conf.in | 3 (3 +, 0 -, 0 !) | setting options for systemd (closes: #761196, #761197), see https://github.com/lxc/lxc/issues/335.
0013 lxc create manpage.patch | doc/lxc-create.sgml.in | 2 (1 +, 1 -, 0 !) | marking the -t option in the lxc-create manpage as required (closes: #768778), see https://github.com/lxc/lxc/issues/355.
0014 lxc debian sysfs.patch | config/templates/debian.common.conf.in | 2 (1 +, 1 -, 0 !) | mount /sys read-only in lxc-debian to prevent (one way of) escaping containers (closes: #770901).
0015 lxc debian systemd.patch | templates/lxc-debian.in | 34 (34 +, 0 -, 0 !) | lxc-debian: support systemd as PID 1. Containers with systemd need a somewhat special setup, which I borrowed and adapted from lxc-fedora. These changes are required so that Debian 8 (jessie) containers work properly, and are a no-op for previous Debian versions.
0016 lxc debian init.patch | templates/lxc-debian.in | 35 (21 +, 14 -, 0 !) | lxc-debian: adjust init system configurations. Do as much as possible to allow containers switching from non-systemd to systemd to work as intended (but nothing that will cause side effects). Use `update-rc.d disable` instead of `remove` so the init scripts are not re-enabled when the package is updated.
0017 lxc debian mirror.patch | templates/lxc-debian.in | 2 (1 +, 1 -, 0 !) | use http.debian.net instead of cdn.debian.net (closes: #774204, #774472).
0018 CVE 2015 1331 lxclock use run lxc lock rather than r.patch | src/lxc/lxclock.c | 38 (10 +, 28 -, 0 !) | [PATCH] CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc. This prevents an unprivileged user from using LXC to create arbitrary files on the filesystem. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>; Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
0019 CVE 2015 1334 Don t use the container s proc during .patch | src/lxc/attach.c | 97 (93 +, 4 -, 0 !) | [PATCH] CVE-2015-1334: don't use the container's /proc during attach. A user could otherwise over-mount /proc and prevent the apparmor profile or selinux label from being written, which, combined with a modified /bin/sh or other commonly used binary, would lead to unconfined code execution. Reported-by: Roman Fiedler; Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
0020 CVE 2015 1335.patch | doc/lxc.container.conf.sgml.in | 12 (12 +, 0 -, 0 !) | [PATCH 1/1] protect container mounts against symlinks. When a container starts up, lxc sets up the container's initial fstree by doing a bunch of mounting, guided by the container configuration file. The container config is owned by the admin or user on the host, so we do not try to guard against bad entries. However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container. To prevent this: 1. do not allow mounts to paths containing symbolic links; 2. do not allow bind mounts from relative paths containing symbolic links. Details: This patch causes lxc to check /proc/self/mountinfo after each mount into a container rootfs (that is, where we are not chrooted into the container), making sure that the mount target wasn't a symlink. Use safe_mount() in mount_entry(), when mounting container proc, and when needed. In particular, safe_mount() need not be used in any case where: 1. the mount is done in the container's namespace; 2. the mount is for the container's rootfs; 3. the mount is relative to a tmpfs or proc/sysfs which we have just safe_mount()ed ourselves. Since we were using proc/net as a temporary placeholder for /proc/sys/net during container startup, and proc/net is a symbolic link, use proc/tty instead. Update the lxc.container.conf manpage with details about the new restrictions. Finally, add a testcase to test some symbolic link possibilities. lxc-test-symlink: background lxc-start. CVE-2015-1335. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
0021 CVE 2015 1335 2.patch | src/lxc/utils.c | 20 (17 +, 3 -, 0 !) | fix mount target mismatches due to multiple slashes. The patch to fix symlink TOCTTOUs in mount entries at container start notices that target and actual mount point don't match. We introduce a `//` when the user specifies an absolute mount target, but rather than fix that, check for all `//` since users may have them in their container configuration, and we don't want to break configs which worked before.
0022 CVE 2015 1335 3.patch | src/lxc/utils.c | 21 (18 +, 3 -, 0 !) | also avoid `/./`
bpo 0001 fix FTBFS ia64.patch | src/tests/reboot.c | 7 (6 +, 1 -, 0 !) | fix FTBFS on ia64 (`clone` vs. `__clone2`)