For our work on adding dynamic device support to Docker we needed to be
able to call this to update the list of allowed devices. This works for
both systemd and fs based cgroups implementations.
Co-Authored-By: Chris Alfonso <calfonso@redhat.com> (github: calfonso)
Docker-DCO-1.1-Signed-off-by: Ian Main <imain@redhat.com> (github: imain)
The set of the apparmor profile for the setns codepath was missing.
Selinux was being called but apparmor was forgotten. This was causing
no profiles to be applied to the extra process spawn inside an existing
container.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
docker exec changes the mount namespace which fools selinux bindings
into thinking SELinux is disabled. Bindings should just check if
a label is passed in and attempt to use it. Docker will not call these
functions with a label if SELinux is disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This is needed for the libvirt exec driver.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
- Add Llistxattr() support
- Additionally cleanup Lgetxattr() and implement it properly
in accordance with getxattr() syscall behavior.
Signed-off-by: Harshavardhana <fharshav@redhat.com>
You can now create VLAN and MAC VLAN devices using netlink.
I've also added tests for both VLAN and MAC VLAN stuff.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
I've refactored NetworkSetNsPid and NetworkSetNsFd following
what we already have in place for Add/Del Ip and Add/Del Link.
I've reimplemented NetworkChangeName function which is now
using netlink for changing the interface name. I added tests too.
I've moved the original syscall implementation at the bottom
to keep it together with the other non-netlink functions.
Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
Since currently the container.json file does not include the pathname
to a container's root filesystem, we need to parse /proc/mounts which
is slow and error-prone. This patch addresses this issue by adding a
new RootFs field.
Signed-off-by: Saied Kazemi <saied@google.com>
I've added more tests. We now have almost 55% coverage.
I've also reorganized netlink_linux codebase and moved
the non-RTNETLINK functions at the bottom. I've also
added some comments to some functions.
Docker-DCO-1.1-Signed-off-by: Milos Gajdos <milosgajdos83@gmail.com> (github: milosgajdos83)
Victor Marmol
Mrunal Patel
Michael Crosby
Ian Main
Harshavardhana
Michael Crosby
Dan Walsh
Ye Yin
Alexander Larsson
Tianon Gravi
Malte Janduda
Milos Gajdos
Hugo Duncan
Vishnu Kannan
Saied Kazemi
Lewis Marshall
Jonathan Rudenberg