diff --git a/SOURCES/cgconfig.service b/SOURCES/cgconfig.service
index d9a491f..cc6a19f 100644
--- a/SOURCES/cgconfig.service
+++ b/SOURCES/cgconfig.service
@@ -10,6 +10,7 @@ Before=basic.target shutdown.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+Delegate=yes
 ExecStart=/usr/sbin/cgconfigparser -l /etc/cgconfig.conf -L /etc/cgconfig.d -s 1664
 ExecStop=/usr/sbin/cgclear -l /etc/cgconfig.conf -L /etc/cgconfig.d -e
diff --git a/SOURCES/libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch b/SOURCES/libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch
new file mode 100644
index 0000000..9700530
--- /dev/null
+++ b/SOURCES/libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch
@@ -0,0 +1,66 @@
+From 72a9e0c3d4f8daca9f7dc389edbc1013d7c0d808 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
+Date: Fri, 8 Apr 2016 17:00:19 +0200
+Subject: [PATCH] api.c: fix order of memory subsystem parameters generated by
+ cgsnapshot
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Order of parameters usually doesn't matter, but that's not the case with
+memory.limit_in_bytes and memory.memsw.limit_in_bytes. When the latter
+is first in the list of parameters, the resulting configuration is not
+loadable with cgconfigparser.
+
+This happens because when a cgroup is created, both memory.limit_in_bytes
+and memory.memsw.limit_in_bytes parameters are initialized to highest
+value possible (RESOURCE_MAX). And because memory.memsw.limit_in_bytes
+must be always higher or equal to memory.limit_in_bytes, it's impossible
+to change its value first.
+
+Make sure that after constructing parameter list of memory subsystem,
+the mentioned parameters are in correct order.
+
+Signed-off-by: Nikola Forró
+---
+ src/api.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/api.c b/src/api.c
+index 0bf0615..f5da553 100644
+--- a/src/api.c
++++ b/src/api.c
+@@ -2651,6 +2651,30 @@ int cgroup_get_cgroup(struct cgroup *cgroup)
+ }
+ }
+ closedir(dir);
++
++ if (! strcmp(cgc->name, "memory")) {
++ /*
++ * Make sure that memory.limit_in_bytes is placed before
++ * memory.memsw.limit_in_bytes in the list of values
++ */
++ int memsw_limit = -1;
++ int mem_limit = -1;
++
++ for (j = 0; j < cgc->index; j++) {
++ if (! strcmp(cgc->values[j]->name,
++ "memory.memsw.limit_in_bytes"))
++ memsw_limit = j;
++ else if (!
strcmp(cgc->values[j]->name,
++ "memory.limit_in_bytes"))
++ mem_limit = j;
++ }
++
++ if (memsw_limit >= 0 && memsw_limit < mem_limit) {
++ struct control_value *val = cgc->values[memsw_limit];
++ cgc->values[memsw_limit] = cgc->values[mem_limit];
++ cgc->values[mem_limit] = val;
++ }
++ }
+ }
+
+ /* Check if the group really exists or not */
+--
+2.4.11
+
diff --git a/SOURCES/libcgroup-0.41-api.c-fix-potential-buffer-overflow.patch b/SOURCES/libcgroup-0.41-api.c-fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..5c92b96
--- /dev/null
+++ b/SOURCES/libcgroup-0.41-api.c-fix-potential-buffer-overflow.patch
@@ -0,0 +1,46 @@
+From 1b4b4b7f8d4443c3e630838c9b33c9a69fdb6193 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nikola=20Forr=C3=B3?=
+Date: Sun, 19 Jun 2016 17:12:01 +0200
+Subject: [PATCH] api.c: fix potential buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is assumed that arguments read from /proc//cmdline don't exceed
+buf_pname buffer size, which is FILENAME_MAX - 1 characters, but that's
+not always the case.
+
+Add check to prevent buffer overflow and discard the excessive part of
+an argument.
+
+Signed-off-by: Nikola Forró
+---
+ src/api.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/api.c b/src/api.c
+index b40364c..18ce21f 100644
+--- a/src/api.c
++++ b/src/api.c
+@@ -4055,13 +4055,17 @@ static int cg_get_procname_from_proc_cmdline(pid_t pid,
+
+ while (c != EOF) {
+ c = fgetc(f);
+- if ((c != EOF) && (c != '\0')) {
++ if ((c != EOF) && (c != '\0') && (len < FILENAME_MAX - 1)) {
+ buf_pname[len] = c;
+ len++;
+ continue;
+ }
+ buf_pname[len] = '\0';
+
++ if (len == FILENAME_MAX - 1)
++ while ((c != EOF) && (c != '\0'))
++ c = fgetc(f);
++
+ /*
+ * The taken process name from /proc//status is
+ * shortened to 15 characters if it is over. So the
+--
+2.7.4
+
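Review bot: The comment added in the `memory` branch of `cgroup_get_cgroup` (the fix-order-of-memory-subsystem-parameters patch) says what is reordered but not why, and the reason is currently only in the commit message. I would extend the comment with `* A new cgroup starts with both limits at the maximum and memsw must stay >= limit,` and `* so a list that sets memory.memsw.limit_in_bytes first cannot be loaded.` The enclosing function starts and ends outside the hunk, and `j` and `cgc` are declared there, so the note is limited to the visible lines.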
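Review bot: In the `cg_get_procname_from_proc_cmdline` hunk (the fix-potential-buffer-overflow patch) an over-long argument is truncated silently: after the drain loop `buf_pname` holds only its first `FILENAME_MAX - 1` bytes and control falls through to the comparison that the trailing comment introduces, which lies outside the hunk, so a prefix of the real argument appears to be what gets matched. The contents of `/proc/<pid>/cmdline` are controlled by the inspected process, so it is safer to drain and skip an argument that did not fit than to match on its prefix. Testing `(c != EOF) && (c != '\0')` right after the terminator is written also separates real truncation from an argument that is exactly `FILENAME_MAX - 1` bytes long. The sketch below assumes `len` is reset for each argument, as the unseen rest of the loop presumably does. Separately, if `buf_pname` is a local array (its declaration is not in the hunk), `sizeof(buf_pname) - 1` would tie the bound to the buffer instead of a constant.

```c
		buf_pname[len] = '\0';

		if ((c != EOF) && (c != '\0')) {
			/* Argument did not fit: drain the rest and skip it,
			 * never match on a truncated prefix. */
			do {
				c = fgetc(f);
			} while ((c != EOF) && (c != '\0'));
			len = 0;
			continue;
		}
		/* … unchanged: comparison with the name taken from /proc/<pid>/status … */
```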
diff --git a/SPECS/libcgroup.spec b/SPECS/libcgroup.spec
index f2df25a..d2f4bf5 100644
--- a/SPECS/libcgroup.spec
+++ b/SPECS/libcgroup.spec
@@ -5,7 +5,7 @@
 Summary: Library to control and monitor control groups
 Name: libcgroup
 Version: 0.41
-Release: 8%{?dist}
+Release: 11%{?dist}
 License: LGPLv2+
 Group: Development/Libraries
 URL: http://libcg.sourceforge.net/
@@ -28,6 +28,11 @@ Patch10: libcgroup-0.41-add-examples-to-man-pages.patch
 Patch11: libcgroup-0.41-extending-cgroup-names-with-default.patch
 Patch12: libcgroup-0.41-api.c-support-for-setting-multiline-values-in-contro.patch
+# resolves #1348864
+Patch13: libcgroup-0.41-api.c-fix-order-of-memory-subsystem-parameters.patch
+# resolves #1347765
+Patch14: libcgroup-0.41-api.c-fix-potential-buffer-overflow.patch
+
 BuildRequires: byacc, coreutils, flex, pam-devel, systemd
 Requires(pre): shadow-utils
 Requires(post): systemd
@@ -42,6 +47,8 @@ administrate and monitor control groups and the associated controllers.
 Summary: Command-line utility programs, services and daemons for libcgroup
 Group: System Environment/Base
 Requires: %{name}%{?_isa} = %{version}-%{release}
+# needed for Delegate property in cgconfig.service
+Requires: systemd >= 217-0.2
 %description tools
 This package contains command-line programs, services and a daemon for
@@ -81,6 +88,8 @@ provide scripts to manage that configuration.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 %build
 %configure --enable-pam-module-dir=%{_libdir}/security \
@@ -201,6 +210,18 @@ fi
 %{_libdir}/pkgconfig/libcgroup.pc
 %changelog
+* Thu Jun 23 2016 Nikola Forró - 0.41-11
+- resolves: #1347765
+ fix potential buffer overflow
+
+* Thu Jun 23 2016 Nikola Forró - 0.41-10
+- resolves: #1348864
+ fix order of memory subsystem parameters generated by cgsnapshot
+
+* Wed Apr 06 2016 Nikola Forró - 0.41-9
+- resolves: #1322571
+ set Delegate property for cgconfig service
+
 * Sat Sep 20 2014 jchaloup - 0.41-8
 - resolves: #885174
 loading configuration files from /etc/cgconfig.d/ directory