Update to 1.1.3.

- Remove patches applied upstream.

.gitignore

@@ -11,3 +11,4 @@ lxc-0.7.2.tar.gz
 /lxc-1.1.0.tar.gz
 /lxc-1.1.1.tar.gz
 /lxc-1.1.2.tar.gz
+/lxc-1.1.3.tar.gz

lxc-1.1.2-fix-CVE-2015-1331.patch

@@ -1,113 +0,0 @@
-From f50da74a71f2c33f869e6da15f131bf5c9174c12 Mon Sep 17 00:00:00 2001
-From: Serge Hallyn <serge.hallyn@ubuntu.com>
-Date: Fri, 3 Jul 2015 09:26:17 -0500
-Subject: [PATCH 1/2] CVE-2015-1331: lxclock: use /run/lxc/lock rather than
- /run/lock/lxc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This prevents an unprivileged user to use LXC to create arbitrary file
-on the filesystem.
-
-Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
-Acked-by: Stéphane Graber <stgraber@ubuntu.com>
----
- src/lxc/lxclock.c     | 47 ++++++++++-------------------------------------
- src/tests/locktests.c |  2 +-
- 2 files changed, 11 insertions(+), 38 deletions(-)
-
-diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
-index fe13898..e9e95f7 100644
---- a/src/lxc/lxclock.c
-+++ b/src/lxc/lxclock.c
-@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
- 	char *rundir;
- 
- 	/* lockfile will be:
--	 * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
-+	 * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
- 	 * or
--	 * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
-+	 * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
- 	 */
- 
--	/* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
--	len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
-+	/* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
-+	len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
- 	rundir = get_rundir();
- 	if (!rundir)
- 		return NULL;
-@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
- 		return NULL;
- 	}
- 
--	ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
-+	ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
- 	if (ret < 0 || ret >= len) {
- 		free(dest);
- 		free(rundir);
-@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
- 	}
- 	ret = mkdir_p(dest, 0755);
- 	if (ret < 0) {
--		/* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
--		 * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
--		 * * lxcpath always starts with '/'
--		 */
--		int l2 = 22 + strlen(n) + strlen(p);
--		if (l2 > len) {
--			char *d;
--			d = realloc(dest, l2);
--			if (!d) {
--				free(dest);
--				free(rundir);
--				return NULL;
--			}
--			len = l2;
--			dest = d;
--		}
--		ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
--		if (ret < 0 || ret >= len) {
--			free(dest);
--			free(rundir);
--			return NULL;
--		}
--		ret = mkdir_p(dest, 0755);
--		if (ret < 0) {
--			free(dest);
--			free(rundir);
--			return NULL;
--		}
--		ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
--	} else
--		ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
-+		free(dest);
-+		free(rundir);
-+		return NULL;
-+	}
- 
-+	ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
- 	free(rundir);
--
- 	if (ret < 0 || ret >= len) {
- 		free(dest);
- 		return NULL;
-diff --git a/src/tests/locktests.c b/src/tests/locktests.c
-index dd3393a..233ca12 100644
---- a/src/tests/locktests.c
-+++ b/src/tests/locktests.c
-@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
- 		exit(1);
- 	}
- 	struct stat sb;
--	char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
-+	char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
- 	ret = stat(pathname, &sb);
- 	if (ret != 0) {
- 		fprintf(stderr, "%d: filename %s not created\n", __LINE__,
--- 
-2.4.3
-

lxc-1.1.2-fix-CVE-2015-1334.patch

@@ -1,184 +0,0 @@
-From ef62305193a5bb7ec00ccf00451be4ff0efac3ca Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>
-Date: Thu, 16 Jul 2015 16:37:51 -0400
-Subject: [PATCH 2/2] CVE-2015-1334: Don't use the container's /proc during
- attach
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-A user could otherwise over-mount /proc and prevent the apparmor profile
-or selinux label from being written which combined with a modified
-/bin/sh or other commonly used binary would lead to unconfined code
-execution.
-
-Reported-by: Roman Fiedler
-Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
----
- src/lxc/attach.c | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
- 1 file changed, 93 insertions(+), 5 deletions(-)
-
-diff --git a/src/lxc/attach.c b/src/lxc/attach.c
-index 69dafd4..436ae7a 100644
---- a/src/lxc/attach.c
-+++ b/src/lxc/attach.c
-@@ -76,6 +76,82 @@
- 
- lxc_log_define(lxc_attach, lxc);
- 
-+int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) {
-+	int labelfd = -1;
-+	int ret = 0;
-+	const char* name;
-+	char* command = NULL;
-+
-+	name = lsm_name();
-+
-+	if (strcmp(name, "nop") == 0)
-+		goto out;
-+
-+	if (strcmp(name, "none") == 0)
-+		goto out;
-+
-+	/* We don't support on-exec with AppArmor */
-+	if (strcmp(name, "AppArmor") == 0)
-+		on_exec = 0;
-+
-+	if (on_exec) {
-+		labelfd = openat(procfd, "self/attr/exec", O_RDWR);
-+	}
-+	else {
-+		labelfd = openat(procfd, "self/attr/current", O_RDWR);
-+	}
-+
-+	if (labelfd < 0) {
-+		SYSERROR("Unable to open LSM label");
-+		ret = -1;
-+		goto out;
-+	}
-+
-+	if (strcmp(name, "AppArmor") == 0) {
-+		int size;
-+
-+		command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1);
-+		if (!command) {
-+			SYSERROR("Failed to write apparmor profile");
-+			ret = -1;
-+			goto out;
-+		}
-+
-+		size = sprintf(command, "changeprofile %s", lsm_label);
-+		if (size < 0) {
-+			SYSERROR("Failed to write apparmor profile");
-+			ret = -1;
-+			goto out;
-+		}
-+
-+		if (write(labelfd, command, size + 1) < 0) {
-+			SYSERROR("Unable to set LSM label");
-+			ret = -1;
-+			goto out;
-+		}
-+	}
-+	else if (strcmp(name, "SELinux") == 0) {
-+		if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) {
-+			SYSERROR("Unable to set LSM label");
-+			ret = -1;
-+			goto out;
-+		}
-+	}
-+	else {
-+		ERROR("Unable to restore label for unknown LSM: %s", name);
-+		ret = -1;
-+		goto out;
-+	}
-+
-+out:
-+	free(command);
-+
-+	if (labelfd != -1)
-+		close(labelfd);
-+
-+	return ret;
-+}
-+
- static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid)
- {
- 	struct lxc_proc_context_info *info = calloc(1, sizeof(*info));
-@@ -570,6 +646,7 @@ struct attach_clone_payload {
- 	struct lxc_proc_context_info* init_ctx;
- 	lxc_attach_exec_t exec_function;
- 	void* exec_payload;
-+	int procfd;
- };
- 
- static int attach_child_main(void* data);
-@@ -622,6 +699,7 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
- 	char* cwd;
- 	char* new_cwd;
- 	int ipc_sockets[2];
-+	int procfd;
- 	signed long personality;
- 
- 	if (!options)
-@@ -833,6 +911,13 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
- 		rexit(-1);
- 	}
- 
-+	procfd = open("/proc", O_DIRECTORY | O_RDONLY);
-+	if (procfd < 0) {
-+		SYSERROR("Unable to open /proc");
-+		shutdown(ipc_sockets[1], SHUT_RDWR);
-+		rexit(-1);
-+	}
-+
- 	/* attach now, create another subprocess later, since pid namespaces
- 	 * only really affect the children of the current process
- 	 */
-@@ -860,7 +945,8 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
- 			.options = options,
- 			.init_ctx = init_ctx,
- 			.exec_function = exec_function,
--			.exec_payload = exec_payload
-+			.exec_payload = exec_payload,
-+			.procfd = procfd
- 		};
- 		/* We use clone_parent here to make this subprocess a direct child of
- 		 * the initial process. Then this intermediate process can exit and
-@@ -898,6 +984,7 @@ static int attach_child_main(void* data)
- {
- 	struct attach_clone_payload* payload = (struct attach_clone_payload*)data;
- 	int ipc_socket = payload->ipc_socket;
-+	int procfd = payload->procfd;
- 	lxc_attach_options_t* options = payload->options;
- 	struct lxc_proc_context_info* init_ctx = payload->init_ctx;
- #if HAVE_SYS_PERSONALITY_H
-@@ -1038,13 +1125,11 @@ static int attach_child_main(void* data)
- 	close(ipc_socket);
- 
- 	/* set new apparmor profile/selinux context */
--	if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) {
-+	if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) {
- 		int on_exec;
- 
- 		on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
--		ret = lsm_process_label_set(init_ctx->lsm_label,
--				init_ctx->container->lxc_conf, 0, on_exec);
--		if (ret < 0) {
-+		if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) {
- 			rexit(-1);
- 		}
- 	}
-@@ -1095,6 +1180,9 @@ static int attach_child_main(void* data)
- 		}
- 	}
- 
-+	/* we don't need proc anymore */
-+	close(procfd);
-+
- 	/* we're done, so we can now do whatever the user intended us to do */
- 	rexit(payload->exec_function(payload->exec_payload));
- }
--- 
-2.4.3
-

lxc-1.1.2-fix-lua-compat.patch

@@ -1,15 +0,0 @@
-diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c
-index 630a3e4..34180a7 100644
---- a/src/lua-lxc/core.c
-+++ b/src/lua-lxc/core.c
-@@ -39,8 +39,10 @@
- #endif
- 
- #if LUA_VERSION_NUM >= 503
-+#ifndef luaL_checkunsigned
- #define luaL_checkunsigned(L,n) ((lua_Unsigned)luaL_checkinteger(L,n))
- #endif
-+#endif
- 
- #ifdef NO_CHECK_UDATA
- #define checkudata(L,i,tname)	lua_touserdata(L, i)

lxc.spec

@@ -30,8 +30,8 @@
 %global shortcommit %(c=%{commit}; echo ${c:0:7})
 
 Name:           lxc
-Version:        1.1.2
-Release:        %{?prerel:0.}2%{?prerel:.%{prerel}}%{?dist}
+Version:        1.1.3
+Release:        %{?prerel:0.}1%{?prerel:.%{prerel}}%{?dist}
 Summary:        Linux Resource Containers
 Group:          Applications/System
 License:        LGPLv2+ and GPLv2
@@ -42,11 +42,6 @@ Source0:        https://github.com/lxc/lxc/archive/%{commit}/%{name}-%{commit}.t
 Source0:        http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
 %endif
 Patch0:         lxc-1.1.0-fix-init.patch
-Patch1:         lxc-1.1.2-fix-lua-compat.patch
-# upstream commit 61ecf69
-Patch2:         lxc-1.1.2-fix-CVE-2015-1331.patch
-# based on upstream commit 659e807
-Patch3:         lxc-1.1.2-fix-CVE-2015-1334.patch
 BuildRequires:  docbook-utils
 BuildRequires:  docbook2X
 BuildRequires:  doxygen
@@ -186,9 +181,6 @@ This package contains documentation for %{name}.
 %prep
 %setup -q -n %{name}-%{?!prerel:%{version}}%{?prerel:%{commit}}
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 
 
 %build
@@ -309,8 +301,6 @@ fi
 %{_datadir}/%{name}/hooks
 %{_datadir}/%{name}/%{name}-patch.py*
 %{_datadir}/%{name}/selinux
-# fixme: should be in libexecdir?
-%{_datadir}/%{name}/%{name}-restore-net
 %{_libdir}/liblxc.so.*
 %{_libdir}/%{name}
 %{_libexecdir}/%{name}
@@ -389,6 +379,10 @@ fi
 
 
 %changelog
+* Sat Aug 15 2015 Thomas Moschny <thomas.moschny@gmx.de> - 1.1.3-1
+- Update to 1.1.3.
+- Remove patches applied upstream.
+
 * Sun Aug  2 2015 Thomas Moschny <thomas.moschny@gmx.de> - 1.1.2-2
 - Add security fixes, see rhbz#1245939 and rhbz#1245941.
 

sources

@@ -1 +1 @@
-3ebadacf5fe8bfe689fd7a09812b682c  lxc-1.1.2.tar.gz
+197abb5a28ab0b689c737eb1951023fb  lxc-1.1.3.tar.gz