[lxc/lxc] 694944: commands: Fix indent

Serge Hallyn

Sep 7, 2025, 10:55:17 PM
to lxc-...@lists.linuxcontainers.org
Branch: refs/heads/main
Home: https://github.com/lxc/lxc
Commit: 694944a7e598692004326d7888cee765da445719
https://github.com/lxc/lxc/commit/694944a7e598692004326d7888cee765da445719
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-08-31 (Sun, 31 Aug 2025)

Changed paths:
M src/lxc/commands.c

Log Message:
-----------
commands: Fix indent

Mix of tab and spaces was making things a bit hard to read.

Signed-off-by: Stéphane Graber <stgr...@stgraber.org>


Commit: bfacedd4cd5006409d14b60c651a8588451376c1
https://github.com/lxc/lxc/commit/bfacedd4cd5006409d14b60c651a8588451376c1
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-08-31 (Sun, 31 Aug 2025)

Changed paths:
M meson.build
M meson_options.txt

Log Message:
-----------
meson: Add optional landlock protection for monitor

This introduces a new optional security feature to the LXC monitor process.

With this enabled, the monitor API used for communication between the
CLI (or other clients) and the container monitor will now run in a
dedicated thread and have a Landlock policy applied to that thread.

The thread trick is required as the monitor process is also responsible
for running post-stop tasks (hooks) which need full privileges as well
as also handling full container reboots which similarly require full
privileges.

The policy is pretty simple at this point. It allows access to /dev/pts,
/dev/ptmx and /sys/fs/cgroup as those are the few paths that the monitor
actually needs to open (as opposed to just handing out existing
file descriptors).

Signed-off-by: Stéphane Graber <stgr...@stgraber.org>


Commit: 8ef1ac50487f63ac1d3f27ada34ed5e853417be0
https://github.com/lxc/lxc/commit/8ef1ac50487f63ac1d3f27ada34ed5e853417be0
Author: Alexander Mikhalitsyn <aleksandr....@canonical.com>
Date: 2025-08-31 (Sun, 31 Aug 2025)

Changed paths:
M src/lxc/start.c

Log Message:
-----------
start: Make lxc_handler mainloop to run in thread

This allows applying Landlock restrictions just to the monitor handler.

Signed-off-by: Alexander Mikhalitsyn <aleksandr....@canonical.com>


Commit: 226bbf62fe0a0fa5bff8cd73772a0e7d2ad3322b
https://github.com/lxc/lxc/commit/226bbf62fe0a0fa5bff8cd73772a0e7d2ad3322b
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-08-31 (Sun, 31 Aug 2025)

Changed paths:
M src/lxc/start.c

Log Message:
-----------
start: Add Landlock restrictions to monitor

Signed-off-by: Stéphane Graber <stgr...@stgraber.org>


Commit: 3f16585267bb9e22cb1936d1d8852d5cf74f44de
https://github.com/lxc/lxc/commit/3f16585267bb9e22cb1936d1d8852d5cf74f44de
Author: Stéphane Graber <stgr...@stgraber.org>
Date: 2025-08-31 (Sun, 31 Aug 2025)

Changed paths:
M .github/workflows/tests.yml

Log Message:
-----------
github: Enable landlock in tests

Signed-off-by: Stéphane Graber <stgr...@stgraber.org>


Commit: c3dd13dd5ad5e2d9b0365cdbc6bb45aba013f26e
https://github.com/lxc/lxc/commit/c3dd13dd5ad5e2d9b0365cdbc6bb45aba013f26e
Author: Serge Hallyn <se...@hallyn.com>
Date: 2025-09-07 (Sun, 07 Sep 2025)

Changed paths:
M .github/workflows/tests.yml
M meson.build
M meson_options.txt
M src/lxc/commands.c
M src/lxc/start.c

Log Message:
-----------
Merge pull request #4579 from stgraber/main

Implement initial protection of LXC monitor using Landlock


Compare: https://github.com/lxc/lxc/compare/c8fd40f6e54a...c3dd13dd5ad5
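
The thread-scoped restriction described in the "meson: Add optional landlock protection for monitor" commit message above, as an added C example that is not LXC's code: one thread applies a Landlock ruleset allowing only /dev/pts, /dev/ptmx and /sys/fs/cgroup, while the thread that spawned it keeps full filesystem access. The handled access rights, the function names and the probe of "/" are assumptions made for the illustration; Landlock needs Linux 5.13 or later.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <pthread.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define FILE_RIGHTS (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE) /* assumed */
#define DIR_RIGHTS  (FILE_RIGHTS | LANDLOCK_ACCESS_FS_READ_DIR)

static void allow(int ruleset, const char *path, __u64 rights)
{
	struct landlock_path_beneath_attr pb = { .allowed_access = rights };
	if ((pb.parent_fd = open(path, O_PATH | O_CLOEXEC)) < 0) return; /* path absent here */
	syscall(SYS_landlock_add_rule, ruleset, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
	close(pb.parent_fd);
}

/* Stand-in for the monitor API thread; handled rights are denied unless a rule grants them. */
static void *restricted_thread(void *out)
{
	struct landlock_ruleset_attr attr = { .handled_access_fs = DIR_RIGHTS };
	int rs = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0);
	if (rs < 0) return NULL; /* Landlock unavailable: old kernel, disabled or filtered */
	allow(rs, "/dev/pts", DIR_RIGHTS);
	allow(rs, "/dev/ptmx", FILE_RIGHTS); /* a file: directory-only rights are rejected */
	allow(rs, "/sys/fs/cgroup", DIR_RIGHTS);
	/* no_new_privs and the Landlock domain both bind to the calling thread only */
	if (!prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && !syscall(SYS_landlock_restrict_self, rs, 0)) {
		int fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
		*(int *)out = (fd < 0 && errno == EACCES);
		if (fd >= 0) close(fd);
	}
	close(rs);
	return NULL;
}

/* -1: Landlock unavailable; bit 0: restricted thread was denied "/"; bit 1: caller still opens "/". */
int landlock_thread_demo(void)
{
	int denied = -1, fd;
	pthread_t t;
	if (pthread_create(&t, NULL, restricted_thread, &denied) || pthread_join(t, NULL) || denied < 0)
		return -1;
	fd = open("/", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	if (fd >= 0) close(fd);
	return denied | ((fd >= 0) << 1);
}

int main(void) { return landlock_thread_demo() == 3 ? 0 : 1; }
```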
