rpms/libcgroup
5
0
Fork 0
Code Issues Pull Requests Releases Activity

new upstream release 0.42.1

Browse Source 
- resolves: #1792190
This commit is contained in:
Nikola Forró 2020-02-03 16:47:43 +01:00
parent a84814dd41
commit e2f70f3416
18 changed files with 66 additions and 787 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +1,2 @@
/libcgroup-0.41.tar.bz2 /libcgroup-0.41.tar.bz2
/libcgroup-v0.42.1.tar.gz

13
libcgroup-0.37-chmod.patch
View File

@ -1,7 +1,8 @@
diff -up libcgroup-0.41/src/api.c.chmod libcgroup-0.41/src/api.c diff --git a/src/api.c b/src/api.c
--- libcgroup-0.41/src/api.c.chmod 2014-01-13 15:05:56.000000000 +0100 index 24ae48d..54a6736 100644
+++ libcgroup-0.41/src/api.c 2014-01-13 20:41:55.255577622 +0100 --- a/src/api.c
@@ -153,6 +153,10 @@ static int cg_chown_file(FTS *fts, FTSEN +++ b/src/api.c
@@ -159,6 +159,10 @@ static int cg_chown_file(FTS *fts, FTSENT *ent, uid_t owner, gid_t group)
return ret; return ret;
} }
@ -12,7 +13,7 @@ diff -up libcgroup-0.41/src/api.c.chmod libcgroup-0.41/src/api.c
/* /*
* TODO: Need to decide a better place to put this function. * TODO: Need to decide a better place to put this function.
*/ */
@@ -160,6 +164,8 @@ static int cg_chown_recursive(char **pat @@ -166,6 +170,8 @@ static int cg_chown_recursive(char **path, uid_t owner, gid_t group)
{ {
int ret = 0; int ret = 0;
FTS *fts; FTS *fts;
@ -21,7 +22,7 @@ diff -up libcgroup-0.41/src/api.c.chmod libcgroup-0.41/src/api.c
cgroup_dbg("chown: path is %s\n", *path); cgroup_dbg("chown: path is %s\n", *path);
fts = fts_open(path, FTS_PHYSICAL | FTS_NOCHDIR | fts = fts_open(path, FTS_PHYSICAL | FTS_NOCHDIR |
@@ -177,6 +183,7 @@ static int cg_chown_recursive(char **pat @@ -183,6 +189,7 @@ static int cg_chown_recursive(char **path, uid_t owner, gid_t group)
cgroup_warn("Warning: fts_read failed\n"); cgroup_warn("Warning: fts_read failed\n");
break; break;
} }

56
libcgroup-0.40.rc1-coverity.patch
View File

@ -1,18 +1,8 @@
diff -up libcgroup-0.41/src/api.c.coverity libcgroup-0.41/src/api.c diff --git a/src/config.c b/src/config.c
--- libcgroup-0.41/src/api.c.coverity 2014-01-13 20:52:49.853838149 +0100 index 3ffa263..b5d51b3 100644
+++ libcgroup-0.41/src/api.c 2014-01-13 20:52:49.854838142 +0100 --- a/src/config.c
@@ -2791,7 +2791,6 @@ static int cgroup_create_template_group( +++ b/src/config.c
if (group_name == NULL) { @@ -326,7 +326,7 @@ int config_group_task_perm(char *perm_type, char *value, int flag)
ret = ECGOTHER;
last_errno = errno;
- free(template_name);
goto end;
}
diff -up libcgroup-0.41/src/config.c.coverity libcgroup-0.41/src/config.c
--- libcgroup-0.41/src/config.c.coverity 2014-01-13 15:05:56.000000000 +0100
+++ libcgroup-0.41/src/config.c 2014-01-13 20:52:49.854838142 +0100
@@ -323,7 +323,7 @@ int config_group_task_perm(char *perm_ty
long val = atoi(value); long val = atoi(value);
char buffer[CGROUP_BUFFER_LEN]; char buffer[CGROUP_BUFFER_LEN];
struct cgroup *config_cgroup; struct cgroup *config_cgroup;
@ -21,7 +11,7 @@ diff -up libcgroup-0.41/src/config.c.coverity libcgroup-0.41/src/config.c
switch (flag) { switch (flag) {
case CGROUP: case CGROUP:
@@ -367,10 +367,10 @@ int config_group_task_perm(char *perm_ty @@ -370,10 +370,10 @@ int config_group_task_perm(char *perm_type, char *value, int flag)
if (!group) if (!group)
goto group_task_error; goto group_task_error;
@ -34,7 +24,7 @@ diff -up libcgroup-0.41/src/config.c.coverity libcgroup-0.41/src/config.c
free(group); free(group);
goto group_task_error; goto group_task_error;
} }
@@ -436,7 +436,7 @@ int config_group_admin_perm(char *perm_t @@ -439,7 +439,7 @@ int config_group_admin_perm(char *perm_type, char *value, int flag)
struct cgroup *config_cgroup; struct cgroup *config_cgroup;
long val = atoi(value); long val = atoi(value);
char buffer[CGROUP_BUFFER_LEN]; char buffer[CGROUP_BUFFER_LEN];
@ -43,7 +33,7 @@ diff -up libcgroup-0.41/src/config.c.coverity libcgroup-0.41/src/config.c
switch (flag) { switch (flag) {
case CGROUP: case CGROUP:
@@ -479,10 +479,10 @@ int config_group_admin_perm(char *perm_t @@ -482,10 +482,10 @@ int config_group_admin_perm(char *perm_type, char *value, int flag)
if (!group) if (!group)
goto admin_error; goto admin_error;
@ -56,10 +46,11 @@ diff -up libcgroup-0.41/src/config.c.coverity libcgroup-0.41/src/config.c
free(group); free(group);
goto admin_error; goto admin_error;
} }
diff -up libcgroup-0.41/src/daemon/cgrulesengd.c.coverity libcgroup-0.41/src/daemon/cgrulesengd.c diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
--- libcgroup-0.41/src/daemon/cgrulesengd.c.coverity 2014-01-13 15:05:56.000000000 +0100 index 4cef53e..90920d1 100644
+++ libcgroup-0.41/src/daemon/cgrulesengd.c 2014-01-13 20:52:49.854838142 +0100 --- a/src/daemon/cgrulesengd.c
@@ -646,7 +646,7 @@ close: +++ b/src/daemon/cgrulesengd.c
@@ -654,7 +654,7 @@ close:
static int cgre_create_netlink_socket_process_msg(void) static int cgre_create_netlink_socket_process_msg(void)
{ {
@ -68,22 +59,11 @@ diff -up libcgroup-0.41/src/daemon/cgrulesengd.c.coverity libcgroup-0.41/src/dae
struct sockaddr_nl my_nla; struct sockaddr_nl my_nla;
char buff[BUFF_SIZE]; char buff[BUFF_SIZE];
int rc = -1; int rc = -1;
@@ -784,9 +784,9 @@ static int cgre_create_netlink_socket_pr diff --git a/src/tools/lscgroup.c b/src/tools/lscgroup.c
} index bfb1724..d15a0c2 100644
--- a/src/tools/lscgroup.c
close_and_exit: +++ b/src/tools/lscgroup.c
- if (sk_nl > 0) @@ -96,11 +96,11 @@ static int display_controller_data(char *input_path, char *controller, char *nam
+ if (sk_nl > -1)
close(sk_nl);
- if (sk_unix > 0)
+ if (sk_unix > -1)
close(sk_unix);
return rc;
}
diff -upr libcgroup-0.40.rc1.orig/src/tools/lscgroup.c libcgroup-0.40.rc1/src/tools/lscgroup.c
--- libcgroup-0.40.rc1.orig/src/tools/lscgroup.c 2013-05-21 15:36:04.000000000 +0200
+++ libcgroup-0.40.rc1/src/tools/lscgroup.c 2013-11-04 14:26:53.400473523 +0100
@@ -97,11 +97,11 @@ static int display_controller_data(char
if (ret != 0) if (ret != 0)
return ret; return ret;

17
libcgroup-0.40.rc1-fread.patch
View File

@ -1,7 +1,8 @@
diff -up libcgroup-0.41/src/api.c.fread libcgroup-0.41/src/api.c diff --git a/src/api.c b/src/api.c
--- libcgroup-0.41/src/api.c.fread 2014-01-13 21:01:32.067067615 +0100 index 54a6736..1557393 100644
+++ libcgroup-0.41/src/api.c 2014-01-13 21:01:32.070067594 +0100 --- a/src/api.c
@@ -2232,29 +2232,29 @@ static int cg_rd_ctrl_file(const char *s +++ b/src/api.c
@@ -2482,29 +2482,29 @@ static int cg_rd_ctrl_file(const char *subsys, const char *cgroup,
const char *file, char **value) const char *file, char **value)
{ {
char path[FILENAME_MAX]; char path[FILENAME_MAX];
@ -20,7 +21,7 @@ diff -up libcgroup-0.41/src/api.c.fread libcgroup-0.41/src/api.c
+ if (ctrl_file < 0) + if (ctrl_file < 0)
return ECGROUPVALUENOTEXIST; return ECGROUPVALUENOTEXIST;
*value = calloc(CG_VALUE_MAX, 1); *value = calloc(CG_CONTROL_VALUE_MAX, 1);
if (!*value) { if (!*value) {
- fclose(ctrl_file); - fclose(ctrl_file);
+ close(ctrl_file); + close(ctrl_file);
@ -33,12 +34,12 @@ diff -up libcgroup-0.41/src/api.c.fread libcgroup-0.41/src/api.c
+ * using %as or fread crashes when we try to read from files like + * using %as or fread crashes when we try to read from files like
* memory.stat * memory.stat
*/ */
- ret = fread(*value, 1, CG_VALUE_MAX-1, ctrl_file); - ret = fread(*value, 1, CG_CONTROL_VALUE_MAX-1, ctrl_file);
+ ret = read(ctrl_file, *value, CG_VALUE_MAX-1); + ret = read(ctrl_file, *value, CG_CONTROL_VALUE_MAX-1);
if (ret < 0) { if (ret < 0) {
free(*value); free(*value);
*value = NULL; *value = NULL;
@@ -2264,7 +2264,7 @@ static int cg_rd_ctrl_file(const char *s @@ -2514,7 +2514,7 @@ static int cg_rd_ctrl_file(const char *subsys, const char *cgroup,
(*value)[ret-1] = '\0'; (*value)[ret-1] = '\0';
} }

9
libcgroup-0.40.rc1-templates-fix.patch
View File

@ -1,7 +1,8 @@
diff -up libcgroup-0.41/src/api.c.templates-fix libcgroup-0.41/src/api.c diff --git a/src/api.c b/src/api.c
--- libcgroup-0.41/src/api.c.templates-fix 2014-01-13 21:04:36.933747000 +0100 index 1557393..318a438 100644
+++ libcgroup-0.41/src/api.c 2014-01-13 21:16:44.478580105 +0100 --- a/src/api.c
@@ -2974,10 +2974,10 @@ int cgroup_change_cgroup_flags(uid_t uid +++ b/src/api.c
@@ -3457,10 +3457,10 @@ int cgroup_change_cgroup_flags(uid_t uid, gid_t gid,
available, "%d", pid); available, "%d", pid);
break; break;
case 'p': case 'p':

33
libcgroup-0.41-CVE-2018-14348.patch
View File

@ -1,33 +0,0 @@
From 94e9dcead2e8bce00deeef08ea364ec6dc7e1f45 Mon Sep 17 00:00:00 2001
From: Michal Hocko <mhocko@suse.com>
Date: Wed, 18 Jul 2018 11:24:29 +0200
Subject: [PATCH] cgrulesengd: remove umask(0)
One of our partners has noticed that cgred daemon is creating a log file
(/var/log/cgred) with too wide permissions (0666) and that is seen as
a security bug because an untrusted user can write to otherwise
restricted area. CVE-2018-14348 has been assigned to this issue.
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Balbir Singh <bsingharora@gmail.com>
---
src/daemon/cgrulesengd.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
index 170837a..41aadd4 100644
--- a/src/daemon/cgrulesengd.c
+++ b/src/daemon/cgrulesengd.c
@@ -885,9 +885,6 @@ int cgre_start_daemon(const char *logp, const int logf,
} else if (pid > 0) {
exit(EXIT_SUCCESS);
}
-
- /* Change the file mode mask. */
- umask(0);
} else {
flog(LOG_DEBUG, "Not using daemon mode\n");
pid = getpid();
--
2.17.1

66
libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch
View File

@ -1,66 +0,0 @@
From 72a9e0c3d4f8daca9f7dc389edbc1013d7c0d808 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Fri, 8 Apr 2016 17:00:19 +0200
Subject: [PATCH] api.c: fix order of memory subsystem parameters generated by
cgsnapshot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Order of parameters usually doesn't matter, but that's not the case with
memory.limit_in_bytes and memory.memsw.limit_in_bytes. When the latter
is first in the list of parameters, the resulting configuration is not
loadable with cgconfigparser.
This happens because when a cgroup is created, both memory.limit_in_bytes
and memory.memsw.limit_in_bytes parameters are initialized to highest
value possible (RESOURCE_MAX). And because memory.memsw.limit_in_bytes
must be always higher or equal to memory.limit_in_bytes, it's impossible
to change its value first.
Make sure that after constructing parameter list of memory subsystem,
the mentioned parameters are in correct order.
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/api.c b/src/api.c
index 0bf0615..f5da553 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2651,6 +2651,30 @@ int cgroup_get_cgroup(struct cgroup *cgroup)
}
}
closedir(dir);
+
+ if (! strcmp(cgc->name, "memory")) {
+ /*
+ * Make sure that memory.limit_in_bytes is placed before
+ * memory.memsw.limit_in_bytes in the list of values
+ */
+ int memsw_limit = -1;
+ int mem_limit = -1;
+
+ for (j = 0; j < cgc->index; j++) {
+ if (! strcmp(cgc->values[j]->name,
+ "memory.memsw.limit_in_bytes"))
+ memsw_limit = j;
+ else if (! strcmp(cgc->values[j]->name,
+ "memory.limit_in_bytes"))
+ mem_limit = j;
+ }
+
+ if (memsw_limit >= 0 && memsw_limit < mem_limit) {
+ struct control_value *val = cgc->values[memsw_limit];
+ cgc->values[memsw_limit] = cgc->values[mem_limit];
+ cgc->values[mem_limit] = val;
+ }
+ }
}
/* Check if the group really exists or not */
--
2.4.11

33
libcgroup-0.41-api.c-preserve-dirty-flag.patch
View File

@ -1,33 +0,0 @@
From ad27a46d8c0e180f71b4606d7b2a3bd3bebd7bbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Thu, 13 Oct 2016 13:42:30 +0200
Subject: [PATCH] api.c: preserve dirty flag when copying controller values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting cgroup parameters with cgset fails, no error is reported.
This is caused by the fact that cgroup_copy_controller_values is not
preserving dirty flags of the values, so it's making all errors
considered non-fatal.
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/api.c b/src/api.c
index 0bf0615..daf4ef0 100644
--- a/src/api.c
+++ b/src/api.c
@@ -1687,6 +1687,7 @@ static int cgroup_copy_controller_values(struct cgroup_controller *dst,
dst_val = dst->values[i];
strncpy(dst_val->value, src_val->value, CG_VALUE_MAX);
strncpy(dst_val->name, src_val->name, FILENAME_MAX);
+ dst_val->dirty = src_val->dirty;
}
err:
return ret;
--
2.7.4

150
libcgroup-0.41-api.c-support-for-setting-multiline-values-in-contro.patch
View File

@ -1,150 +0,0 @@
From 691430206f1104b752b0e52386f317e639137788 Mon Sep 17 00:00:00 2001
From: Jan Chaloupka <jchaloup@redhat.com>
Date: Mon, 15 Sep 2014 13:29:39 +0200
Subject: [PATCH] api.c: support for setting multiline values in control files
As of now, libcgroup does not support multiline values setting from configuration files. i.e. values in a form:
net_prio.ifpriomap="lo 7
eth0 66
eth1 5
eth2 4
eth3 3";
Thus, setting of more network interfaces can not be done from configuration file. Or
devices.allow="a *:* w
c 8:* r";
thus setting list of allow devices can not be set as well. The only way is to set it from userspace, e.g.:
# echo "lo 7" > /sys/fs/cgroup/net_prio/testGroup/net_prio.ifpriomap
# echo "eth 0" > /sys/fs/cgroup/net_prio/testGroup/net_prio.ifpriomap
# echo "eth 1" > /sys/fs/cgroup/net_prio/testGroup/net_prio.ifpriomap
# echo "eth 2" > /sys/fs/cgroup/net_prio/testGroup/net_prio.ifpriomap
# echo "eth 3" > /sys/fs/cgroup/net_prio/testGroup/net_prio.ifpriomap
This patch allows setting of multiline variables.
How this support works:
Multiline value is broken in lines and each line is set by write (man 2 write) syscall (without bufferring).
This implies change of fopen with open, fclose with close.
There is no control on multiline value, thus "eth0\n \t\n" can be set. However, setting
of " \t" will fail as write command returns -1. Thus administrator has to set correct
multiline values.
Tested on virtual machine with fedora and rhel with network interface lo, eth0-eth3. Configuration file:
# cat /etc/cgconfig.conf
group testGroup {
net_prio {
net_prio.ifpriomap="lo 7
eth0 66
eth1 5
eth2 4
eth3 3";
}
}
net_prio has to be created before:
# modprobe netprio_cgroup
# mkdir /sys/fs/cgroup/net_prio
# mount -t cgroup -onet_prio none /sys/fs/cgroup/net_prio
Changelog:
test of success of strdup call
free str_val before return (str_val is changing in while cycle,
thus str_start_val points to the start of str_val before while)
Signed-off-by: Jan Chaloupka <jchaloup@redhat.com>
---
src/api.c | 50 ++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 44 insertions(+), 6 deletions(-)
diff --git a/src/api.c b/src/api.c
index 5751b8f..d6c9d3a 100644
--- a/src/api.c
+++ b/src/api.c
@@ -1495,13 +1495,18 @@ static int cg_create_control_group(const char *path)
*/
static int cg_set_control_value(char *path, const char *val)
{
- FILE *control_file = NULL;
+ int ctl_file;
+ char *str_val;
+ char *str_val_start;
+ char *pos;
+ size_t len;
+
if (!cg_test_mounted_fs())
return ECGROUPNOTMOUNTED;
- control_file = fopen(path, "r+e");
+ ctl_file = open(path, O_RDWR | O_CLOEXEC);
- if (!control_file) {
+ if (ctl_file == -1) {
if (errno == EPERM) {
/*
* We need to set the correct error value, does the
@@ -1512,6 +1517,7 @@ static int cg_set_control_value(char *path, const char *val)
*/
char *path_dir_end;
char *tasks_path;
+ FILE *control_file;
path_dir_end = strrchr(path, '/');
if (path_dir_end == NULL)
@@ -1543,15 +1549,47 @@ static int cg_set_control_value(char *path, const char *val)
return ECGROUPVALUENOTEXIST;
}
- if (fprintf(control_file, "%s", val) < 0) {
+ /* Split the multiline value into lines. */
+ /* One line is a special case of multiline value. */
+ str_val = strdup(val);
+ if (str_val == NULL) {
last_errno = errno;
- fclose(control_file);
+ close(ctl_file);
return ECGOTHER;
}
- if (fclose(control_file) < 0) {
+
+ str_val_start = str_val;
+ pos = str_val;
+
+ do {
+ str_val = pos;
+ pos = strchr(str_val, '\n');
+
+ if (pos) {
+ *pos = '\0';
+ ++pos;
+ }
+
+ len = strlen(str_val);
+ if (len > 0) {
+ if (write(ctl_file, str_val, len) == -1) {
+ last_errno = errno;
+ free(str_val_start);
+ close(ctl_file);
+ return ECGOTHER;
+ }
+ } else
+ cgroup_warn("Warning: skipping empty line for %s\n",
+ path);
+ } while(pos);
+
+ if (close(ctl_file)) {
last_errno = errno;
+ free(str_val_start);
return ECGOTHER;
}
+
+ free(str_val_start);
return 0;
}
--
1.9.3

63
libcgroup-0.41-change-cgroup-of-threads.patch
View File

@ -1,63 +0,0 @@
From 647274d80d18686a3129a2b50605869ac5178ccf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 8 Dec 2015 17:09:08 +0100
Subject: [PATCH 1/6] api.c: change cgroup of every thread of a process
When changing cgroup of multi-threaded process, only the main threads
cgroup actually changed. Now all threads of a process are enumerated
and cgroup is changed for each of them.
---
src/api.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/api.c b/src/api.c
index 0cc15c6..df90a6f 100644
--- a/src/api.c
+++ b/src/api.c
@@ -3177,10 +3177,13 @@ int cgroup_change_all_cgroups(void)
return -ECGOTHER;
while ((pid_dir = readdir(dir)) != NULL) {
- int err, pid;
+ int err, pid, tid;
uid_t euid;
gid_t egid;
char *procname = NULL;
+ DIR *tdir;
+ struct dirent *tid_dir = NULL;
+ char tpath[FILENAME_MAX] = { '\0' };
err = sscanf(pid_dir->d_name, "%i", &pid);
if (err < 1)
@@ -3194,11 +3197,24 @@ int cgroup_change_all_cgroups(void)
if (err)
continue;
- err = cgroup_change_cgroup_flags(euid,
- egid, procname, pid, CGFLAG_USECACHE);
- if (err)
- cgroup_dbg("cgroup change pid %i failed\n", pid);
+ snprintf(tpath, FILENAME_MAX, "%s%d/task/", path, pid);
+
+ tdir = opendir(tpath);
+ if (!tdir)
+ continue;
+
+ while ((tid_dir = readdir(tdir)) != NULL) {
+ err = sscanf(tid_dir->d_name, "%i", &tid);
+ if (err < 1)
+ continue;
+
+ err = cgroup_change_cgroup_flags(euid,
+ egid, procname, tid, CGFLAG_USECACHE);
+ if (err)
+ cgroup_dbg("cgroup change tid %i failed\n", tid);
+ }
+ closedir(tdir);
free(procname);
}
--
2.17.0

40
libcgroup-0.41-fix-infinite-loop.patch
View File

@ -1,40 +0,0 @@
From 62bab9d121d4fb416205f5ac53ad342184ae42b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 8 Dec 2015 16:53:41 +0100
Subject: [PATCH 2/6] api.c: fix infinite loop
If getgrnam or getpwuid functions failed, the program entered
an infinite loop, because the rule pointer was never advanced.
This is now fixed by updating the pointer before continuing
to the next iteration.
---
src/api.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/api.c b/src/api.c
index df90a6f..217d6c9 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2664,13 +2664,17 @@ static struct cgroup_rule *cgroup_find_matching_rule_uid_gid(uid_t uid,
/* Get the group data. */
sp = &(rule->username[1]);
grp = getgrnam(sp);
- if (!grp)
+ if (!grp) {
+ rule = rule->next;
continue;
+ }
/* Get the data for UID. */
usr = getpwuid(uid);
- if (!usr)
+ if (!usr) {
+ rule = rule->next;
continue;
+ }
/* If UID is a member of group, we matched. */
for (i = 0; grp->gr_mem[i]; i++) {
--
2.17.0

38
libcgroup-0.41-fix-log-level.patch
View File

@ -1,38 +0,0 @@
From 7c99c167f41d3f8810808436d2ac58afc3a7d6c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 17 Apr 2018 13:33:03 +0200
Subject: [PATCH 5/6] api.c: Fix level of failed user/group lookup warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/api.c b/src/api.c
index 51081b4..efde2d1 100644
--- a/src/api.c
+++ b/src/api.c
@@ -639,7 +639,7 @@ static int cgroup_parse_rules(bool cache, uid_t muid,
uid = CGRULE_INVALID;
gid = grp->gr_gid;
} else {
- cgroup_dbg("Warning: Entry for %s not"
+ cgroup_warn("Warning: Entry for %s not"
"found. Skipping rule on line"
" %d.\n", itr, linenum);
skipped = true;
@@ -656,7 +656,7 @@ static int cgroup_parse_rules(bool cache, uid_t muid,
uid = pwd->pw_uid;
gid = CGRULE_INVALID;
} else {
- cgroup_dbg("Warning: Entry for %s not"
+ cgroup_warn("Warning: Entry for %s not"
"found. Skipping rule on line"
" %d.\n", user, linenum);
skipped = true;
--
2.17.0

25
libcgroup-0.41-lex.patch
View File

@ -1,25 +0,0 @@
From a8c2e967e74d280cd3b8554af0c95d823647d1c0 Mon Sep 17 00:00:00 2001
From: Jan Chaloupka <jchaloup@redhat.com>
Date: Thu, 6 Feb 2014 11:43:18 +0100
Subject: [PATCH] lex updated, additional '\' char for ID token
---
libcgroup-0.41/src/lex.l | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcgroup-0.41/src/lex.l b/libcgroup-0.41/src/lex.l
index 1b357db..d7bf575 100644
--- a/libcgroup-0.41/src/lex.l
+++ b/libcgroup-0.41/src/lex.l
@@ -43,7 +43,7 @@ jmp_buf parser_error_env;
"namespace" {return NAMESPACE;}
"template" {return TEMPLATE;}
"default" {return DEFAULT;}
-[a-zA-Z0-9_\-\/\.\,\%\@]+ {yylval.name = strdup(yytext); return ID;}
+[a-zA-Z0-9_\-\/\.\,\%\@\\]+ {yylval.name = strdup(yytext); return ID;}
\"[^"]*\" {yylval.name = strdup(yytext+1); yylval.name[strlen(yylval.name)-1] = '\0'; return ID; }
. {return yytext[0];}
%%
--
1.8.5.3

46
libcgroup-0.41-prevent-buffer-overflow.patch
View File

@ -1,46 +0,0 @@
From 9c80e2cb4bca26993a12027c46a274bb43645630 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Wed, 22 Jun 2016 14:12:46 +0200
Subject: [PATCH 3/6] api.c: fix potential buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It is assumed that arguments read from /proc/<pid>/cmdline don't exceed
buf_pname buffer size, which is FILENAME_MAX - 1 characters, but that's
not always the case.
Add check to prevent buffer overflow and discard the excessive part of
an argument.
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/api.c b/src/api.c
index 217d6c9..4d98081 100644
--- a/src/api.c
+++ b/src/api.c
@@ -4065,13 +4065,17 @@ static int cg_get_procname_from_proc_cmdline(pid_t pid,
while (c != EOF) {
c = fgetc(f);
- if ((c != EOF) && (c != '\0')) {
+ if ((c != EOF) && (c != '\0') && (len < FILENAME_MAX - 1)) {
buf_pname[len] = c;
len++;
continue;
}
buf_pname[len] = '\0';
+ if (len == FILENAME_MAX - 1)
+ while ((c != EOF) && (c != '\0'))
+ c = fgetc(f);
+
/*
* The taken process name from /proc/<pid>/status is
* shortened to 15 characters if it is over. So the
--
2.17.0

142
libcgroup-0.41-size-of-controller-values.patch
View File

@ -1,142 +0,0 @@
From 5a64a79144e58a62426a34ef51b14e891f042fa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 17 Apr 2018 13:54:38 +0200
Subject: [PATCH 6/6] Increase maximal size of controller values
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Maximal length of a controller value is determined by CG_VALUE_MAX,
which is equal to 100. That is not sufficient in some cases.
Add new constant CG_CONTROL_VALUE_MAX (to prevent breaking current API)
and set it to 4096, which is usually equal to the amount of bytes that
can be written to a sysctl file directly.
Add warning message about exceeding the limit while parsing
configuration file.
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 6 +++---
src/libcgroup-internal.h | 5 ++++-
src/tools/cgset.c | 4 ++--
src/wrapper.c | 17 ++++++++++++-----
4 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/api.c b/src/api.c
index efde2d1..1cd30df 100644
--- a/src/api.c
+++ b/src/api.c
@@ -1561,7 +1561,7 @@ static int cgroup_copy_controller_values(struct cgroup_controller *dst,
}
dst_val = dst->values[i];
- strncpy(dst_val->value, src_val->value, CG_VALUE_MAX);
+ strncpy(dst_val->value, src_val->value, CG_CONTROL_VALUE_MAX);
strncpy(dst_val->name, src_val->name, FILENAME_MAX);
dst_val->dirty = src_val->dirty;
}
@@ -2286,7 +2286,7 @@ static int cg_rd_ctrl_file(const char *subsys, const char *cgroup,
if (ctrl_file < 0)
return ECGROUPVALUENOTEXIST;
- *value = calloc(CG_VALUE_MAX, 1);
+ *value = calloc(CG_CONTROL_VALUE_MAX, 1);
if (!*value) {
close(ctrl_file);
last_errno = errno;
@@ -2297,7 +2297,7 @@ static int cg_rd_ctrl_file(const char *subsys, const char *cgroup,
* using %as or fread crashes when we try to read from files like
* memory.stat
*/
- ret = read(ctrl_file, *value, CG_VALUE_MAX-1);
+ ret = read(ctrl_file, *value, CG_CONTROL_VALUE_MAX-1);
if (ret < 0) {
free(*value);
*value = NULL;
diff --git a/src/libcgroup-internal.h b/src/libcgroup-internal.h
index 4c0f46c..3a8e336 100644
--- a/src/libcgroup-internal.h
+++ b/src/libcgroup-internal.h
@@ -32,6 +32,9 @@ __BEGIN_DECLS
/* Estimated number of groups created */
#define MAX_GROUP_ELEMENTS 128
+/* Maximum length of a value */
+#define CG_CONTROL_VALUE_MAX 4096
+
#define CG_NV_MAX 100
#define CG_CONTROLLER_MAX 100
/* Max number of mounted hierarchies. Event if one controller is mounted per
@@ -73,7 +76,7 @@ __BEGIN_DECLS
struct control_value {
char name[FILENAME_MAX];
- char value[CG_VALUE_MAX];
+ char value[CG_CONTROL_VALUE_MAX];
bool dirty;
};
diff --git a/src/tools/cgset.c b/src/tools/cgset.c
index ea9f90d..3d3c8cc 100644
--- a/src/tools/cgset.c
+++ b/src/tools/cgset.c
@@ -151,8 +151,8 @@ int main(int argc, char *argv[])
goto err;
}
- strncpy(name_value[nv_number].value, buf, CG_VALUE_MAX);
- name_value[nv_number].value[CG_VALUE_MAX-1] = '\0';
+ strncpy(name_value[nv_number].value, buf, CG_CONTROL_VALUE_MAX);
+ name_value[nv_number].value[CG_CONTROL_VALUE_MAX-1] = '\0';
nv_number++;
break;
diff --git a/src/wrapper.c b/src/wrapper.c
index c03472a..0952823 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -132,10 +132,10 @@ int cgroup_add_value_string(struct cgroup_controller *controller,
if (!controller)
return ECGINVAL;
- if (controller->index >= CG_VALUE_MAX)
+ if (controller->index >= CG_NV_MAX)
return ECGMAXVALUESEXCEEDED;
- for (i = 0; i < controller->index && i < CG_VALUE_MAX; i++) {
+ for (i = 0; i < controller->index && i < CG_NV_MAX; i++) {
if (!strcmp(controller->values[i]->name, name))
return ECGVALUEEXISTS;
}
@@ -145,8 +145,15 @@ int cgroup_add_value_string(struct cgroup_controller *controller,
if (!cntl_value)
return ECGCONTROLLERCREATEFAILED;
- strncpy(cntl_value->name, name, sizeof(cntl_value->name));
- strncpy(cntl_value->value, value, sizeof(cntl_value->value));
+ if (strlen(value) >= sizeof(cntl_value->value)) {
+ fprintf(stderr, "value exceeds the maximum of %d characters\n",
+ sizeof(cntl_value->value));
+ free(cntl_value);
+ return ECGCONFIGPARSEFAIL;
+ }
+
+ strncpy(cntl_value->name, name, sizeof(cntl_value->name) - 1);
+ strncpy(cntl_value->value, value, sizeof(cntl_value->value) - 1);
cntl_value->dirty = true;
controller->values[controller->index] = cntl_value;
controller->index++;
@@ -356,7 +363,7 @@ int cgroup_set_value_string(struct cgroup_controller *controller,
for (i = 0; i < controller->index; i++) {
struct control_value *val = controller->values[i];
if (!strcmp(val->name, name)) {
- strncpy(val->value, value, CG_VALUE_MAX);
+ strncpy(val->value, value, CG_CONTROL_VALUE_MAX - 1);
val->dirty = true;
return 0;
}
--
2.17.0

49
libcgroup-0.41-tasks-file-warning.patch
View File

@ -1,49 +0,0 @@
From 437b68f34c459d136c806e61dafb5825d2f97170 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>
Date: Tue, 17 Apr 2018 13:32:28 +0200
Subject: [PATCH 4/6] api.c: Show warning when tasks file can not be opened
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Nikola Forró <nforro@redhat.com>
---
src/api.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/api.c b/src/api.c
index 4d98081..51081b4 100644
--- a/src/api.c
+++ b/src/api.c
@@ -1190,12 +1190,15 @@ static int __cgroup_attach_task_pid(char *path, pid_t tid)
if (!tasks) {
switch (errno) {
case EPERM:
- return ECGROUPNOTOWNER;
+ ret = ECGROUPNOTOWNER;
+ break;
case ENOENT:
- return ECGROUPNOTEXIST;
+ ret = ECGROUPNOTEXIST;
+ break;
default:
- return ECGROUPNOTALLOWED;
+ ret = ECGROUPNOTALLOWED;
}
+ goto err;
}
ret = fprintf(tasks, "%d", tid);
if (ret < 0) {
@@ -1214,7 +1217,8 @@ static int __cgroup_attach_task_pid(char *path, pid_t tid)
err:
cgroup_warn("Warning: cannot write tid %d to %s:%s\n",
tid, path, strerror(errno));
- fclose(tasks);
+ if (tasks)
+ fclose(tasks);
return ret;
}
--
2.17.0

70
libcgroup.spec
View File

@ -1,14 +1,10 @@
%global soversion_major 1
%global soversion 1.0.41
%global _hardened_build 1
Summary: Library to control and monitor control groups Summary: Library to control and monitor control groups
Name: libcgroup Name: libcgroup
Version: 0.41 Version: 0.42.1
Release: 23%{?dist} Release: 1%{?dist}
License: LGPLv2+ License: LGPLv2+
URL: http://libcg.sourceforge.net/ URL: http://libcg.sourceforge.net/
Source0: http://downloads.sourceforge.net/libcg/%{name}-%{version}.tar.bz2 Source0: https://github.com/%{name}/%{name}/archive/v%{version}/%{name}-v%{version}.tar.gz
Source1: cgconfig.service Source1: cgconfig.service
Patch0: fedora-config.patch Patch0: fedora-config.patch
@ -16,20 +12,8 @@ Patch1: libcgroup-0.37-chmod.patch
Patch2: libcgroup-0.40.rc1-coverity.patch Patch2: libcgroup-0.40.rc1-coverity.patch
Patch3: libcgroup-0.40.rc1-fread.patch Patch3: libcgroup-0.40.rc1-fread.patch
Patch4: libcgroup-0.40.rc1-templates-fix.patch Patch4: libcgroup-0.40.rc1-templates-fix.patch
Patch5: libcgroup-0.41-lex.patch
Patch6: libcgroup-0.41-api.c-support-for-setting-multiline-values-in-contro.patch
# resolves #1348874
Patch7: libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch
# resolves #1384504
Patch8: libcgroup-0.41-api.c-preserve-dirty-flag.patch
Patch9: libcgroup-0.41-change-cgroup-of-threads.patch
Patch10: libcgroup-0.41-fix-infinite-loop.patch
Patch11: libcgroup-0.41-prevent-buffer-overflow.patch
Patch12: libcgroup-0.41-tasks-file-warning.patch
Patch13: libcgroup-0.41-fix-log-level.patch
Patch14: libcgroup-0.41-size-of-controller-values.patch
Patch15: libcgroup-0.41-CVE-2018-14348.patch
BuildRequires: autoconf, automake, libtool
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: byacc, coreutils, flex, pam-devel, systemd-units BuildRequires: byacc, coreutils, flex, pam-devel, systemd-units
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -75,19 +59,9 @@ provide scripts to manage that configuration.
%patch2 -p1 -b .coverity %patch2 -p1 -b .coverity
%patch3 -p1 -b .fread %patch3 -p1 -b .fread
%patch4 -p1 -b .templates-fix %patch4 -p1 -b .templates-fix
%patch5 -p2 -b .lex
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%build %build
autoreconf -vif
%configure --enable-pam-module-dir=%{_libdir}/security \ %configure --enable-pam-module-dir=%{_libdir}/security \
--enable-opaque-hierarchy="name=systemd" \ --enable-opaque-hierarchy="name=systemd" \
--disable-daemon --disable-daemon
@ -103,9 +77,11 @@ install -m 644 samples/cgsnapshot_blacklist.conf $RPM_BUILD_ROOT/%{_sysconfdir}/
# sanitize pam module, we need only pam_cgroup.so # sanitize pam module, we need only pam_cgroup.so
mv -f $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.so.*.*.* $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.so mv -f $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.so.*.*.* $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.so
rm -f $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.la $RPM_BUILD_ROOT/%{_libdir}/security/pam_cgroup.so.* rm -f $RPM_BUILD_ROOT%{_libdir}/security/pam_cgroup.{,l}a $RPM_BUILD_ROOT/%{_libdir}/security/pam_cgroup.so.*
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la rm -f $RPM_BUILD_ROOT/%{_libdir}/*.{,l}a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libcgroupfortesting.*
rm -f $RPM_BUILD_ROOT/%{_mandir}/man5/cgred.conf.5* rm -f $RPM_BUILD_ROOT/%{_mandir}/man5/cgred.conf.5*
rm -f $RPM_BUILD_ROOT/%{_mandir}/man5/cgrules.conf.5* rm -f $RPM_BUILD_ROOT/%{_mandir}/man5/cgrules.conf.5*
@ -142,7 +118,7 @@ getent group cgred >/dev/null || groupadd -r cgred
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license COPYING %license COPYING
%doc README %doc README
%{_libdir}/libcgroup.so.* %{_libdir}/libcgroup.so.1*
%files tools %files tools
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -150,17 +126,17 @@ getent group cgred >/dev/null || groupadd -r cgred
%doc README README_systemd %doc README README_systemd
%config(noreplace) %{_sysconfdir}/cgconfig.conf %config(noreplace) %{_sysconfdir}/cgconfig.conf
%config(noreplace) %{_sysconfdir}/cgsnapshot_blacklist.conf %config(noreplace) %{_sysconfdir}/cgsnapshot_blacklist.conf
/usr/bin/cgcreate %{_bindir}/cgcreate
/usr/bin/cgget %{_bindir}/cgget
/usr/bin/cgset %{_bindir}/cgset
/usr/bin/cgdelete %{_bindir}/cgdelete
/usr/bin/lscgroup %{_bindir}/lscgroup
/usr/bin/lssubsys %{_bindir}/lssubsys
/usr/sbin/cgconfigparser %{_sbindir}/cgconfigparser
/usr/sbin/cgclear %{_sbindir}/cgclear
/usr/bin/cgsnapshot %{_bindir}/cgsnapshot
%attr(2755, root, cgred) /usr/bin/cgexec %attr(2755, root, cgred) %{_bindir}/cgexec
%attr(2755, root, cgred) /usr/bin/cgclassify %attr(2755, root, cgred) %{_bindir}/cgclassify
%attr(0644, root, root) %{_mandir}/man1/* %attr(0644, root, root) %{_mandir}/man1/*
%attr(0644, root, root) %{_mandir}/man5/* %attr(0644, root, root) %{_mandir}/man5/*
%attr(0644, root, root) %{_mandir}/man8/* %attr(0644, root, root) %{_mandir}/man8/*
@ -182,6 +158,10 @@ getent group cgred >/dev/null || groupadd -r cgred
%{_libdir}/pkgconfig/libcgroup.pc %{_libdir}/pkgconfig/libcgroup.pc
%changelog %changelog
* Mon Feb 03 2020 Nikola Forró <nforro@redhat.com> - 0.42.1-1
- resolves: #1792190
new upstream release 0.42.1
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.41-23 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.41-23
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
3dea9d50b8a5b73ff0bf1cdcb210f63f libcgroup-0.41.tar.bz2 SHA512 (libcgroup-v0.42.1.tar.gz) = 9abf1cc5845bfc7ced0fc86728625a6b506323b57d7a9a182fdb7a8500ea8f73786e097137eac08cf42e5a6a9e9266ae2f34424cdb93e57f79cff5d2bd9e49cf