Merge pull request #1 from xemul/master

Update from origin

.travis.yml

@@ -6,7 +6,7 @@ before_install:
     - sudo apt-get update -qq
 
 install:
-    - sudo apt-get install make gcc autoconf autoconf-doc libtool bison flex
+    - sudo apt-get install make gcc autoconf autoconf-doc libtool bison flex libselinux1-dev libapparmor-dev
 
 script:
     - git submodule update --init --recursive

Makefile

@@ -1,3 +1,5 @@
+include Makefile.config
+
 MAKEFLAGS 	:= -r -R --no-print-directory
 
 ifeq ($(strip $(V)),)
@@ -52,7 +54,15 @@ ifneq ($(ARCH),x86)
 $(error "The architecture $(ARCH) isn't supported"))
 endif
 
+ifneq ("$(wildcard /proc/vz)","")
+	VZ := 1
+endif
+
+
 cflags-y	+= -iquote src/include
+cflags-y	+= -iquote src/include/vz
+cflags-y	+= -iquote src/lsm
+cflags-y	+= -iquote src
 cflags-y	+= -fno-strict-aliasing
 cflags-y	+= -I/usr/include
 export cflags-y
@@ -86,6 +96,14 @@ else
 	CFLAGS	+= -O2
 endif
 
+ifdef CONFIG_APPARMOR
+	DEFINES += -DHAVE_APPARMOR
+endif
+
+ifdef CONFIG_SELINUX
+	DEFINES += -DHAVE_SELINUX
+endif
+
 CFLAGS		+= $(WARNINGS) $(DEFINES)
 
 export E Q CC ECHO MAKE CFLAGS LIBS ARCH DEFINES MAKEFLAGS
@@ -119,14 +137,16 @@ src: $(EARLY-GEN)
 
 .PHONY: src
 
-$(LIBCT).so: src/$(LIBCT).so
+$(LIBCT).a: src/$(LIBCT).a
 	$(E) "  LN      " $@
 	$(Q) $(LN) -sf $^ $@
 
-$(LIBCT).a: src/$(LIBCT).a
+$(LIBCT).so: src/$(LIBCT).so
 	$(E) "  LN      " $@
 	$(Q) $(LN) -sf $^ $@
 
+src/$(LIBCT).so: src/$(LIBCT).a
+
 all: $(LIBCT).so $(LIBCT).a
 	@true
 
@@ -143,7 +163,7 @@ tags:
 
 clean:
 	$(Q) $(MAKE) $(build)=src clean
-	$(Q) $(MAKE) $(build)=test clean
+	$(Q) $(MAKE) -C test clean
 	$(Q) $(MAKE) -s -C Documentation clean
 	$(Q) $(RM) $(LIBCT)
 	$(Q) $(RM) $(CONFIG)

Makefile.config

@@ -0,0 +1,2 @@
+export CONFIG_SELINUX=y
+export CONFIG_APPARMOR=y

scripts/Makefile.build

@@ -217,8 +217,8 @@ $(obj)/$(lib-a).a: $(all-objs) $(libs-e)
 	$(E) "  LINK    " $@
 	$(Q) ar -cru -o $@ $^
 
-_all += $(obj)/$(lib-so).so
-cleanup-y += $(obj)/$(lib-so).so
+_all += $(obj)/$(lib-a).a
+cleanup-y += $(obj)/$(lib-a).a
 endif
 
 ##

src/Makefile

@@ -16,6 +16,14 @@ obj-y			+= util.o
 obj-y			+= devnodes.o
 obj-y			+= route.o
 obj-y			+= process.o
+obj-y			+= net_util.o
+obj-y			+= vz/vz.o
+obj-y			+= vz/vz_net.o
+obj-y			+= vz/readelf.o
+obj-y			+= lsm/lsm.o
+obj-$(CONFIG_APPARMOR)	+= lsm/apparmor.o
+obj-$(CONFIG_SELINUX)	+= lsm/selinux.o
+obj-y			+= lsm/nop.o
 
 cflags-y		+= -fPIC -Wa,--noexecstack -fno-stack-protector
 cflags-so		+= -rdynamic

src/cgroups.c

@@ -170,7 +170,7 @@ static struct cg_config *cg_config_alloc(enum ct_controller ctype, char *param,
 	return cg;
 }
 
-static int config_controller(struct container *ct, enum ct_controller ctype,
+int config_controller(struct container *ct, enum ct_controller ctype,
 		char *param, char *value)
 {
 	char path[PATH_MAX], *t;
@@ -228,7 +228,7 @@ int local_config_controller(ct_handler_t h, enum ct_controller ctype,
 	return config_controller(ct, ctype, param, value) ? -LCTERR_CGCONFIG : 0;
 }
 
-static int cgroup_create_one(struct container *ct, struct controller *ctl)
+int cgroup_create_one(struct container *ct, struct controller *ctl)
 {
 	char path[PATH_MAX], *t;
 

src/ct.c

@@ -25,9 +25,11 @@
 #include "security.h"
 #include "list.h"
 #include "util.h"
+#include "lsm.h"
 #include "net.h"
 #include "ct.h"
 #include "fs.h"
+#include "vz.h"
 
 static enum ct_state local_get_state(ct_handler_t h)
 {
@@ -272,6 +274,12 @@ static int ct_clone(void *arg)
 	if (ret < 0)
 		goto err_um;
 
+	if (p->lsm_label)
+		ret = lsm_process_label_set(p->lsm_label, false, p->lsm_on_exec);
+	p->lsm_on_exec = 0;
+	if (ret < 0)
+		goto err;
+
 	spawn_wake(ca->parent_wait_pipe, 0);
 
 	return ca->cb(ca->arg);
@@ -399,13 +407,6 @@ static int local_spawn_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
 	return ret;
 }
 
-struct execv_args {
-	char *path;
-	char **argv;
-	char **env;
-	int *fds;
-};
-
 static int ct_execv(void *a)
 {
 	struct execv_args *ea = a;
@@ -423,7 +424,8 @@ static int ct_execv(void *a)
 			goto err;
 		}
 		for (i = 0; i < 3; i++)
-			close(ea->fds[i]);
+			if (ea->fds[i] != i)
+				close(ea->fds[i]);
 	}
 
 	sigfillset(&mask);
@@ -441,12 +443,15 @@ static int ct_execv(void *a)
 static int local_spawn_execve(ct_handler_t ct, ct_process_desc_t pr, char *path, char **argv, char **env, int *fds)
 {
 	struct execv_args ea;
+	struct process_desc *p = prh2pr(pr);
 
 	ea.path = path;
 	ea.argv = argv;
 	ea.env = env;
 	ea.fds = fds;
 
+	p->lsm_on_exec = true;
+
 	return local_spawn_cb(ct, pr, ct_execv, &ea);
 }
 
@@ -508,16 +513,19 @@ static int local_enter_cb(ct_handler_t h, ct_process_desc_t ph, int (*cb)(void *
 	return pid;
 }
 
-static int local_enter_execve(ct_handler_t h, ct_process_desc_t p, char *path, char **argv, char **env, int *fds)
+static int local_enter_execve(ct_handler_t h, ct_process_desc_t pr, char *path, char **argv, char **env, int *fds)
 {
 	struct execv_args ea = {};
+	struct process_desc *p = prh2pr(pr);
 
 	ea.path	= path;
 	ea.argv	= argv;
 	ea.env	= env;
 	ea.fds = fds;
 
-	return local_enter_cb(h, p, ct_execv, &ea);
+	p->lsm_on_exec = true;
+
+	return local_enter_cb(h, pr, ct_execv, &ea);
 }
 
 static int local_ct_kill(ct_handler_t h)
@@ -714,3 +722,30 @@ ct_handler_t ct_create(char *name)
 
 	return NULL;
 }
+
+ct_handler_t vz_ct_create(char *name)
+{
+	struct container *ct;
+
+	ct = xzalloc(sizeof(*ct));
+	if (ct) {
+		ct_handler_init(&ct->h);
+		ct->h.ops = get_vz_ct_ops();
+		ct->state = CT_STOPPED;
+		ct->name = xstrdup(name);
+		ct->tty_fd = -1;
+		INIT_LIST_HEAD(&ct->cgroups);
+		INIT_LIST_HEAD(&ct->cg_configs);
+		INIT_LIST_HEAD(&ct->ct_nets);
+		INIT_LIST_HEAD(&ct->ct_net_routes);
+		INIT_LIST_HEAD(&ct->fs_mnts);
+		INIT_LIST_HEAD(&ct->fs_devnodes);
+		INIT_LIST_HEAD(&ct->uid_map);
+		INIT_LIST_HEAD(&ct->gid_map);
+
+		return &ct->h;
+	}
+
+	return NULL;
+
+}