0033-build-add-secure-build-flags.patch 12.90 KB
lifeng_isula 提交于 2020-04-23 11:50 . lxc: update lxc to 4.0.1
From 2b69f168a6847885233e88be02a1143a4c55b59f Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68@huawei.com>
Date: Wed, 15 Apr 2020 18:58:24 +0800
Subject: [PATCH 33/49] build: add secure build flags
Signed-off-by: LiFeng <lifeng68@huawei.com>
---
configure.ac | 14 +++++-
src/lxc/Makefile.am | 8 +++-
src/lxc/cgroups/cgfsng.c | 117 ++++++++++++++++++++++++---------------------
src/lxc/confile.c | 1 -
src/lxc/terminal.c | 6 ++-
src/lxc/tools/lxc_attach.c | 2 -
src/lxc/utils.c | 7 +++
7 files changed, 93 insertions(+), 62 deletions(-)
diff --git a/configure.ac b/configure.ac
index 56d0cb7..438d292 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,7 @@ AM_INIT_AUTOMAKE([-Wall -Werror -Wno-portability subdir-objects])
AC_CANONICAL_HOST
AM_PROG_CC_C_O
AC_USE_SYSTEM_EXTENSIONS
+CFLAGS=`echo "${CFLAGS#\-g}"`
# Test if we have a new enough compiler.
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
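Review bot: `CFLAGS=`echo "${CFLAGS#\-g}"`` only strips a `-g` that is the first token of CFLAGS, and it strips it as a bare prefix, so `CFLAGS="-ggdb -O2"` becomes `gdb -O2` (the compiler then treats `gdb` as an input file) while a trailing `-g` in `-O2 -g` survives untouched. If the intent is to drop debug info unless `--enable-debug` is given, filter CFLAGS token by token instead of prefix-stripping. Note also that `-g` affects only debug info, not code generation or any of the hardening added later in this patch, so this is a packaging choice rather than a secure-build flag; distro builds normally strip symbols into a separate debuginfo package, which post-incident crash triage relies on.
```m4
dnl Drop every -g variant from the inherited CFLAGS; --enable-debug re-adds -g below.
lxc_filtered_cflags=
for lxc_flag in $CFLAGS; do
  case $lxc_flag in
  -g|-g[[0-9]]|-ggdb*) ;;
  *) lxc_filtered_cflags="$lxc_filtered_cflags $lxc_flag" ;;
  esac
done
CFLAGS=$lxc_filtered_cflags
```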
@@ -190,6 +191,11 @@ AC_ARG_ENABLE([werror],
[AS_HELP_STRING([--disable-werror], [do not treat warnings as errors])],
[enable_werror=$enableval], [enable_werror=yes])
+AC_ARG_ENABLE([debug],
+ [AC_HELP_STRING([--enable-debug],
+ [set -g into cflags [default=no]])],
+ [], [enable_debug=no])
+
# Allow disabling rpath
AC_ARG_ENABLE([rpath],
[AS_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])],
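Review bot: The new `--enable-debug` option uses `AC_HELP_STRING`, the deprecated alias, while the `--disable-werror` and `--enable-rpath` options immediately around it use `AS_HELP_STRING`; write `[AS_HELP_STRING([--enable-debug], [set -g into cflags [default=no]])]` for consistency (autoconf's `-Wobsolete` flags the old name). The help text could also say what the option does in plain words, e.g. `[add -g (debug info) to CFLAGS [default=no]]`.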
@@ -732,7 +738,6 @@ AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-alias
AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [CFLAGS="$CFLAGS -fstack-clash-protection"],,[-Werror])
AX_CHECK_LINK_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protector-strong"],,[-Werror])
AX_CHECK_LINK_FLAG([--param=ssp-buffer-size=4], [CFLAGS="$CFLAGS --param=ssp-buffer-size=4"],,[-Werror])
-AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror])
AX_CHECK_COMPILE_FLAG([--mcet -fcf-protection], [CFLAGS="$CFLAGS --mcet -fcf-protection"],,[-Werror])
AX_CHECK_COMPILE_FLAG([-Werror=implicit-function-declaration], [CFLAGS="$CFLAGS -Werror=implicit-function-declaration"],,[-Werror])
AX_CHECK_COMPILE_FLAG([-Wlogical-op], [CFLAGS="$CFLAGS -Wlogical-op"],,[-Werror])
@@ -759,12 +764,17 @@ AX_CHECK_COMPILE_FLAG([-fexceptions], [CFLAGS="$CFLAGS -fexceptions"],,[-Werror]
AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"],,[])
AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"],,[])
+AX_CHECK_LINK_FLAG([-z noexecstack], [LDFLAGS="$LDFLAGS -z noexecstack"],,[])
-CFLAGS="$CFLAGS -Wvla -std=gnu11"
+CFLAGS="$CFLAGS -Wvla -std=gnu11 -D_FORTIFY_SOURCE=2 -Wall -fPIC -fPIE -pie"
if test "x$enable_werror" = "xyes"; then
CFLAGS="$CFLAGS -Werror"
fi
+if test "x$enable_debug" = "xyes"; then
+ CFLAGS="$CFLAGS -g"
+fi
+
AC_ARG_ENABLE([thread-safety],
[AS_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])],
[enable_thread_safety=$enableval], [enable_thread_safety=yes])
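Review bot: `-D_FORTIFY_SOURCE=2` is appended to CFLAGS unconditionally on the `-std=gnu11` line, unlike the hardening flags a few lines up that are probed with `AX_CHECK_COMPILE_FLAG`/`AX_CHECK_LINK_FLAG`; if the inherited CFLAGS already carries a different `_FORTIFY_SOURCE` value (distro hardening flag sets commonly do), the macro-redefinition warning becomes a hard failure under the `-Werror` appended right below. Prefix it with an undefine, `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, or add it through the same probe pattern as its neighbours. The fortify checks are also only active when optimization is enabled, so they silently vanish for a build with `-O0` in CFLAGS. Finally, `-pie` is a link-stage flag and, living in CFLAGS, presumably reaches the libtool link of liblxc.so as well as the executables; worth confirming libtool discards it there, or moving `-pie` to the tools' LDFLAGS.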
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index c288c51..0e1ba8d 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -276,6 +276,10 @@ liblxc_la_CFLAGS += -fsanitize=address \
-fno-omit-frame-pointer
endif
+if HAVE_ISULAD
+liblxc_la_CFLAGS += -D_FORTIFY_SOURCE=2 -Wall
+endif
+
if ENABLE_UBSAN
liblxc_la_CFLAGS += -fsanitize=undefined
endif
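Review bot: The `HAVE_ISULAD` block adds `-D_FORTIFY_SOURCE=2 -Wall` to `liblxc_la_CFLAGS`, but this same patch already puts both into the global CFLAGS in configure.ac, which automake applies to every object; the `-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack` added to `liblxc_la_LDFLAGS` in the next hunk likewise duplicate the LDFLAGS probes added to configure.ac. Duplicating is harmless for the linker flags and for an identical macro value, but two places defining the hardening set invite drift the next time one is edited; keep a single source of truth, and if the per-target copy is the intended one, say so in a comment such as `# hardening also set in configure.ac; kept here so liblxc is covered even with overridden CFLAGS`.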
@@ -286,7 +290,9 @@ liblxc_la_LDFLAGS = -pthread \
-version-info @LXC_ABI_MAJOR@
if HAVE_ISULAD
-liblxc_la_LDFLAGS += @YAJL_LIBS@
+liblxc_la_LDFLAGS += @YAJL_LIBS@ -Wl,-z,relro \
+ -Wl,-z,now \
+ -Wl,-z,noexecstack
endif
liblxc_la_LIBADD = $(CAP_LIBS) \
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index b6aef12..1047c08 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -214,6 +214,7 @@ static char *read_file(const char *fnam)
return move_ptr(buf);
}
+#ifndef HAVE_ISULAD
/* Taken over modified from the kernel sources. */
#define NBITS 32 /* bits in uint32_t */
#define DIV_ROUND_UP(n, d) (((n) + (d)-1) / (d))
@@ -476,12 +477,14 @@ static bool copy_parent_file(const char *parent_cgroup,
value, child_cgroup, file);
return true;
}
+#endif
static inline bool is_unified_hierarchy(const struct hierarchy *h)
{
return h->version == CGROUP2_SUPER_MAGIC;
}
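Review bot: The bare `#endif` at the top of this hunk closes the `#ifndef HAVE_ISULAD` that the previous hunk opened above the `NBITS`/`DIV_ROUND_UP` macros, roughly 260 lines earlier, so a reader landing on it cannot tell what it closes; annotate it `#endif /* !HAVE_ISULAD */`, and likewise the new `#ifndef`/`#endif` pairs around `cg_legacy_handle_cpuset_hierarchy`, `device_cgroup_rule_parse` and `cg_legacy_set_data` in this file, `lxc_terminal_write_log_file` in terminal.c and `process_dead` in utils.c. Compiling these functions out rather than deleting them is presumably to keep the upstream diff small and to satisfy the unused-function warnings that the new `-Wall -Werror` surfaces; a one-line comment at the first `#ifndef` recording that reason would spare the next rebase a guess.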
+#ifndef HAVE_ISULAD
/*
* Initialize the cpuset hierarchy in first directory of @cgroup_leaf and set
* cgroup.clone_children so that children inherit settings. Since the
@@ -561,6 +564,7 @@ static int cg_legacy_handle_cpuset_hierarchy(struct hierarchy *h,
return fret;
}
+#endif
/* Given two null-terminated lists of strings, return true if any string is in
* both.
@@ -946,29 +950,6 @@ static void lxc_cgfsng_print_basecg_debuginfo(char *basecginfo, char **klist,
TRACE("named subsystem %d: %s", k, *it);
}
-static int cgroup_tree_remove(struct hierarchy **hierarchies,
- const char *container_cgroup)
-{
- if (!container_cgroup || !hierarchies)
- return 0;
-
- for (int i = 0; hierarchies[i]; i++) {
- struct hierarchy *h = hierarchies[i];
- int ret;
-
- if (!h->container_full_path)
- continue;
-
- ret = lxc_rm_rf(h->container_full_path);
- if (ret < 0)
- WARN("Failed to destroy \"%s\"", h->container_full_path);
-
- free_disarm(h->container_full_path);
- }
-
- return 0;
-}
-
struct generic_userns_exec_data {
struct hierarchy **hierarchies;
const char *container_cgroup;
@@ -977,29 +958,6 @@ struct generic_userns_exec_data {
char *path;
};
-static int cgroup_tree_remove_wrapper(void *data)
-{
- struct generic_userns_exec_data *arg = data;
- uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid;
- gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid;
- int ret;
-
- if (!lxc_setgroups(0, NULL) && errno != EPERM)
- return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
-
- ret = setresgid(nsgid, nsgid, nsgid);
- if (ret < 0)
- return log_error_errno(-1, errno, "Failed to setresgid(%d, %d, %d)",
- (int)nsgid, (int)nsgid, (int)nsgid);
-
- ret = setresuid(nsuid, nsuid, nsuid);
- if (ret < 0)
- return log_error_errno(-1, errno, "Failed to setresuid(%d, %d, %d)",
- (int)nsuid, (int)nsuid, (int)nsuid);
-
- return cgroup_tree_remove(arg->hierarchies, arg->container_cgroup);
-}
-
#ifdef HAVE_ISULAD
static int isulad_cgroup_tree_remove(struct hierarchy **hierarchies,
@@ -1100,6 +1058,52 @@ __cgfsng_ops static bool isulad_cgfsng_payload_destroy(struct cgroup_ops *ops,
return true;
}
#else
+static int cgroup_tree_remove(struct hierarchy **hierarchies,
+ const char *container_cgroup)
+{
+ if (!container_cgroup || !hierarchies)
+ return 0;
+
+ for (int i = 0; hierarchies[i]; i++) {
+ struct hierarchy *h = hierarchies[i];
+ int ret;
+
+ if (!h->container_full_path)
+ continue;
+
+ ret = lxc_rm_rf(h->container_full_path);
+ if (ret < 0)
+ WARN("Failed to destroy \"%s\"", h->container_full_path);
+
+ free_disarm(h->container_full_path);
+ }
+
+ return 0;
+}
+
+static int cgroup_tree_remove_wrapper(void *data)
+{
+ struct generic_userns_exec_data *arg = data;
+ uid_t nsuid = (arg->conf->root_nsuid_map != NULL) ? 0 : arg->conf->init_uid;
+ gid_t nsgid = (arg->conf->root_nsgid_map != NULL) ? 0 : arg->conf->init_gid;
+ int ret;
+
+ if (!lxc_setgroups(0, NULL) && errno != EPERM)
+ return log_error_errno(-1, errno, "Failed to setgroups(0, NULL)");
+
+ ret = setresgid(nsgid, nsgid, nsgid);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to setresgid(%d, %d, %d)",
+ (int)nsgid, (int)nsgid, (int)nsgid);
+
+ ret = setresuid(nsuid, nsuid, nsuid);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to setresuid(%d, %d, %d)",
+ (int)nsuid, (int)nsuid, (int)nsuid);
+
+ return cgroup_tree_remove(arg->hierarchies, arg->container_cgroup);
+}
+
__cgfsng_ops static void cgfsng_payload_destroy(struct cgroup_ops *ops,
struct lxc_handler *handler)
{
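Review bot: `cgroup_tree_remove` and `cgroup_tree_remove_wrapper` are deleted in the two hunks above and re-added here byte-for-byte under the `#else` branch, whereas the rest of this patch compiles out non-iSulad code in place with `#ifndef HAVE_ISULAD`; wrapping the original definitions would reduce this to two lines and preserve `git blame` for the 45 moved lines, which matters for a fork that rebases on upstream. If the move is deliberate (keeping the `#else` branch self-contained next to `cgfsng_payload_destroy`), a comment such as `/* non-iSulad cgroup teardown; iSulad variant is isulad_cgroup_tree_remove above */` at the top of the block would make that intent visible. `cgfsng_payload_destroy` itself continues past the end of this hunk.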
@@ -1227,6 +1231,14 @@ try_lxc_rm_rf:
}
#endif
+#ifdef HAVE_ISULAD
+__cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops,
+ struct lxc_handler *handler)
+{
+ return true;
+}
+#else
+
static int mkdir_eexist_on_last(const char *dir, mode_t mode)
{
const char *tmp = dir;
@@ -1311,13 +1323,6 @@ static void cgroup_tree_leaf_remove(struct hierarchy *h, bool payload)
SYSWARN("Failed to rmdir(\"%s\") cgroup", full_path);
}
-#ifdef HAVE_ISULAD
-__cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops,
- struct lxc_handler *handler)
-{
- return true;
-}
-#else
__cgfsng_ops static inline bool cgfsng_monitor_create(struct cgroup_ops *ops,
struct lxc_handler *handler)
{
@@ -3038,6 +3043,7 @@ static int device_cgroup_parse_access(struct device_item *device, const char *va
return 0;
}
+#ifndef HAVE_ISULAD
static int device_cgroup_rule_parse(struct device_item *device, const char *key,
const char *val)
{
@@ -3124,6 +3130,7 @@ static int device_cgroup_rule_parse(struct device_item *device, const char *key,
return device_cgroup_parse_access(device, ++val);
}
+#endif
#ifdef HAVE_ISULAD
__cgfsng_ops static int cgfsng_set(struct cgroup_ops *ops,
@@ -3307,6 +3314,7 @@ static int convert_devpath(const char *invalue, char *dest)
return 0;
}
+#ifndef HAVE_ISULAD
/* Called from setup_limits - here we have the container's cgroup_data because
* we created the cgroups.
*/
@@ -3339,6 +3347,7 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename,
return lxc_write_openat(h->container_full_path, filename, value, strlen(value));
}
+#endif
#ifdef HAVE_ISULAD
/* Called from setup_limits - here we have the container's cgroup_data because
@@ -3923,7 +3932,6 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
__do_free char *base_cgroup = NULL, *mountpoint = NULL;
__do_free_string_list char **controller_list = NULL;
int type;
- bool writeable;
struct hierarchy *new;
type = get_cgroup_version(line);
@@ -3989,6 +3997,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops, bool relative, bool unprivileg
base_cgroup[1] = '\0';
}
#else
+ bool writeable;
if (type == CGROUP2_SUPER_MAGIC)
writeable = test_writeable_v2(mountpoint, base_cgroup);
else
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 55cba6d..f00afe9 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -6228,7 +6228,6 @@ static int get_config_init_args(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
int i, len, fulllen = 0;
- struct lxc_list *it;
if (!retv)
inlen = 0;
diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
index 14686fc..c0a4d1a 100644
--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -287,6 +287,7 @@ static int lxc_terminal_rotate_log_file(struct lxc_terminal *terminal)
return lxc_terminal_create_log_file(terminal);
}
+#ifndef HAVE_ISULAD
static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf,
int bytes_read)
{
@@ -392,6 +393,7 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf,
bytes_read -= ret;
return bytes_read;
}
+#endif
#ifdef HAVE_ISULAD
/* get time buffer */
@@ -1240,8 +1242,8 @@ void lxc_terminal_free(struct lxc_conf *conf, int fd)
static int lxc_terminal_peer_default(struct lxc_terminal *terminal)
{
- struct lxc_terminal_state *ts;
- const char *path;
+ struct lxc_terminal_state *ts = NULL;
+ const char *path = NULL;
int ret = 0;
if (terminal->path)
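Review bot: Initializing `ts` and `path` to NULL in `lxc_terminal_peer_default` reads like a response to a `-Wmaybe-uninitialized` diagnostic surfaced by the new `-Wall -Werror`; if the compiler had found a path on which `path` is read before assignment, the initializer converts a compile-time error into a NULL dereference at runtime on that path. The body of the function is outside this hunk, so please confirm that every branch assigns `path` before its first use, or make the fallback explicit with a guard such as `if (!path) return -1;` ahead of that use. If the warning was a false positive, a short comment saying so (`/* = NULL only to quiet -Wmaybe-uninitialized; every branch below assigns it */`) would stop the next reader from re-investigating.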
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index b068c9a..48e18bb 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
@@ -507,11 +507,9 @@ out:
int main(int argc, char *argv[])
{
- int ret = -1;
int wexit = 0;
struct lxc_log log;
char *errmsg = NULL;
- pid_t pid;
lxc_attach_options_t attach_options = LXC_ATTACH_OPTIONS_DEFAULT;
lxc_attach_command_t command = (lxc_attach_command_t){.program = NULL};
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 39413ee..ba69995 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1427,9 +1427,11 @@ static int lxc_get_unused_loop_dev(char *name_loop)
{
int loop_nr, ret;
int fd_ctl = -1, fd_tmp = -1;
+#if HAVE_ISULAD
// isulad: retry and try mknod
int max_retry = 200;
bool try_mknod = true;
+#endif
fd_ctl = open("/dev/loop-control", O_RDWR | O_CLOEXEC);
if (fd_ctl < 0) {
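Review bot: The new guards in `lxc_get_unused_loop_dev` use `#if HAVE_ISULAD` (here and around the `retry:` label in the next hunk), while the `process_dead` guard added further down in the same file uses `#ifndef HAVE_ISULAD` and the cgfsng.c and terminal.c hunks use `#ifdef`; the `#if` form only agrees with the others when `HAVE_ISULAD` is always defined to a non-zero integer, and it behaves differently under `-Wundef`. The pre-existing context below `if (fd_tmp < 0) {` already uses `#if HAVE_ISULAD`, so the file is mixed either way; settling on one spelling for this macro across the patch — `#ifdef`/`#ifndef`, which do not depend on the macro's value, being the safer pick — would remove the ambiguity. `lxc_get_unused_loop_dev` continues outside this hunk.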
@@ -1446,7 +1448,10 @@ static int lxc_get_unused_loop_dev(char *name_loop)
ret = snprintf(name_loop, LO_NAME_SIZE, "/dev/loop%d", loop_nr);
if (ret < 0 || ret >= LO_NAME_SIZE)
goto on_error;
+
+#if HAVE_ISULAD
retry:
+#endif
fd_tmp = open(name_loop, O_RDWR | O_CLOEXEC);
if (fd_tmp < 0) {
#if HAVE_ISULAD
@@ -1693,6 +1698,7 @@ uint64_t lxc_find_next_power2(uint64_t n)
return n;
}
+#ifndef HAVE_ISULAD
static int process_dead(/* takes */ int status_fd)
{
__do_close int dupfd = -EBADF;
@@ -1730,6 +1736,7 @@ static int process_dead(/* takes */ int status_fd)
return ret;
}
+#endif
int lxc_set_death_signal(int signal, pid_t parent, int parent_status_fd)
{
--
1.8.3.1