This is a follow-up to Eric's original proposal

  https://www.redhat.com/archives/libvir-list/2013-December/msg01242.html

The first 5 patches fix non-security bugs in the LXC hotplug code.
Then there are a couple of helper patches. Finally the last 6 fix
the actual security issue previously publicly reported.

Eric originally had a huge cleanup of virFork, but I'd prefer that
be done afterwards, to minimize the backporting pain for stable
branches.

Daniel P. Berrange (13):
  Don't block use of USB with containers
  Fix path used for USB device attach with LXC
  Record hotplugged USB device in LXC live guest config
  Fix reset of cgroup when detaching USB device from LXC guests
  Disks are always block devices, never character devices
  Move check for cgroup devices ACL upfront in LXC hotplug
  Add virFileMakeParentPath helper function
  Add helper for running code in separate namespaces
  Avoid unsafe use of /proc/$PID/root in LXC disk hotplug
  Avoid unsafe use of /proc/$PID/root in LXC USB hotplug
  Avoid unsafe use of /proc/$PID/root in LXC block hostdev hotplug
  Avoid unsafe use of /proc/$PID/root in LXC chardev hostdev hotplug
  Avoid unsafe use of /proc/$PID/root in LXC hotunplug code

Eric Blake (1):
  Avoid unsafe use of /proc/$PID/root in LXC shutdown/reboot code

 src/conf/domain_conf.c   |   1 +
 src/libvirt_private.syms |   2 +
 src/lxc/lxc_driver.c     | 552 +++++++++++++++++++++++------------------------
 src/util/virfile.c       |  27 +++
 src/util/virfile.h       |   1 +
 src/util/virinitctl.c    |  26 +--
 src/util/virinitctl.h    |   5 +-
 src/util/virprocess.c    | 114 ++++++++++
 src/util/virprocess.h    |  11 +
 9 files changed, 442 insertions(+), 297 deletions(-)

-- 
1.8.5.3