Merge pull request #4066 from brauner/2022-01-18.fixes.2

conf, lxccontainer, build: fixes
lxc · Jan 20, 2022 · 55d6e49 · 55d6e49
2 parents 73ff048 + 8c1c303
commit 55d6e49
Show file tree

Hide file tree

Showing 11 changed files with 228 additions and 118 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -30,6 +30,14 @@ jobs:
         run: |
           ${CC} --version
 
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
       - name: Build
         env:
           CC: ${{ matrix.compiler }}

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -24,6 +24,20 @@ jobs:
           sudo apt-get install -qq gcc clang
           sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x
 
+      - name: Compiler version
+        env:
+          CC: ${{ matrix.compiler }}
+        run: |
+          ${CC} --version
+
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
       - name: Run coverity
         run: |
           # Configure

diff --git a/.github/workflows/sanitizers.sh b/.github/workflows/sanitizers.sh
@@ -18,9 +18,43 @@ apt-get install --yes --no-install-recommends \
     libpam0g-dev libseccomp-dev libselinux1-dev libtool linux-libc-dev \
     llvm lsb-release make openssl pkg-config python3-all-dev \
     python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \
-    wget xz-utils
+    wget xz-utils systemd-coredump
+apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev
+
+ARGS="--enable-sanitizers \
+	--prefix=/usr/ \
+	--disable-no-undefined \
+	--build=x86_64-linux-gnu \
+	--includedir=\${prefix}/include \
+	--mandir=\${prefix}/share/man \
+	--infodir=\${prefix}/share/info \
+	--sysconfdir=/etc \
+	--localstatedir=/var \
+	--disable-silent-rules \
+	--libdir=\${prefix}/lib/x86_64-linux-gnu \
+	--libexecdir=\${prefix}/lib/x86_64-linux-gnu \
+	--disable-maintainer-mode \
+	--disable-dependency-tracking \
+	--libdir=\${prefix}/lib/x86_64-linux-gnu \
+	--libexecdir=\${prefix}/lib/x86_64-linux-gnu \
+	--with-rootfs-path=\${prefix}/lib/x86_64-linux-gnu/lxc \
+	--enable-doc \
+	--disable-rpath \
+	--with-distro=ubuntu \
+	--enable-commands \
+	--enable-pam \
+	--enable-tests \
+	--enable-memfd-rexec \
+	--disable-static-binaries \
+	--enable-static \
+	--enable-silent-rules \
+	--enable-apparmor \
+	--enable-capabilities \
+	--enable-seccomp \
+	--enable-selinux \
+	--disable-liburing \
+	--enable-werror"
 
-ARGS="--enable-sanitizers --enable-tests --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-no-undefined"
 case "$CC" in clang*)
 	ARGS="$ARGS --enable-fuzzers"
 esac

diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
@@ -15,6 +15,20 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
 
+      - name: Compiler version
+        env:
+          CC: ${{ matrix.compiler }}
+        run: |
+          ${CC} --version
+
+      - name: Kernel version
+        run: |
+          uname -a
+
+      - name: Mount table
+        run: |
+          findmnt
+
       - name: Build
         run: |
           sudo CC=${{ matrix.compiler }} CXX=${{ matrix.compiler }}++ .github/workflows/sanitizers.sh
diff --git a/config/tls.m4 b/config/tls.m4
diff --git a/configure.ac b/configure.ac
@@ -500,7 +500,9 @@ if test "x$enable_fuzzers" = "xyes"; then
 		CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[ \
 			-DRUN_ON_OSS_FUZZ=1])
 	fi
-else
+fi
+
+if test "x$enable_fuzzers" = "xno" -a "x$enable_sanitizers" = "xno"; then
 	CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[-flto=thin])
 fi
 AC_SUBST(AM_CFLAGS)
@@ -775,9 +777,6 @@ AC_CHECK_TYPES([struct rtnl_link_stats64], [], [], [[#include <linux/if_link.h>]
 AX_PTHREAD
 AC_SEARCH_LIBS(clock_gettime, [rt])
 
-# See if we support thread-local storage.
-LXC_CHECK_TLS
-
 # Hardening flags
 CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[ \
 	-fPIE \

diff --git a/src/lxc/compiler.h b/src/lxc/compiler.h
@@ -5,8 +5,14 @@
 
 #include "config.h"
 
-#include <stdbool.h>
+#include <assert.h>
+#include <errno.h>
+#include <inttypes.h>
 #include <linux/types.h>
+#include <stdbool.h>
+#include <sys/param.h>
+#include <sys/sysmacros.h>
+#include <sys/types.h>
 
 #ifndef thread_local
 #if __STDC_VERSION__ >= 201112L &&    \

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
@@ -5505,11 +5505,20 @@ int userns_exec_mapped_root(const char *path, int path_fd,
 
 		close_prot_errno_disarm(sock_fds[0]);
 
-		if (!lxc_switch_uid_gid(0, 0))
+		if (!lxc_drop_groups() && errno != EPERM)
 			_exit(EXIT_FAILURE);
 
-		if (!lxc_drop_groups())
+		ret = setresgid(0, 0, 0);
+		if (ret < 0) {
+			SYSERROR("Failed to setresgid(0, 0, 0)");
+			_exit(EXIT_FAILURE);
+		}
+
+		ret = setresuid(0, 0, 0);
+		if (ret < 0) {
+			SYSERROR("Failed to setresuid(0, 0, 0)");
 			_exit(EXIT_FAILURE);
+		}
 
 		ret = fchown(target_fd, 0, st.st_gid);
 		if (ret) {
@@ -5557,9 +5566,12 @@ int userns_exec_mapped_root(const char *path, int path_fd,
 
 	/* Wait for child to finish. */
 	if (pid < 0)
+		return log_error(-1, "Failed to create child process");
+
+	if (!wait_exited(pid))
 		return -1;
 
-	return wait_for_pid(pid);
+	return 0;
 }
 
 /* not thread-safe, do not use from api without first forking */