{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":81840826,"defaultBranch":"kirkstone","name":"cml","ownerLogin":"gyroidos","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-02-13T15:37:33.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/67098293?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1719410657.0","currentOid":""},"activityList":{"items":[{"before":"ff37bc1efc55c477a723462135e646a8274c7e66","after":"aa20643ae0e55045bb091b8996088672f3fcc46a","ref":"refs/heads/kirkstone","pushedAt":"2024-09-20T10:53:38.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"daemon/download: Increase file_copy() block size\n\nThis commit increases the block size for copying GuestOS images in\nfile_copy() from 512 to 4096 byte.\n\nSigned-off-by: Felix Wruck ","shortMessageHtmlLink":"daemon/download: Increase file_copy() block size"}},{"before":"48ecc317266476fc6f5ea60241d8fe4eb36efab5","after":"ff37bc1efc55c477a723462135e646a8274c7e66","ref":"refs/heads/kirkstone","pushedAt":"2024-09-18T15:34:41.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/c_net: Rename physical interfaces during container cleanup\n\nTo avoid name clashes on container tear down, we have to rename the\nphysical interfaces which were moved to the container. Otherwise,\nsituations occur where the interfaces was renamed inside the\ncontainer clashes with an interface inside the rootns. 
This may lead\nto dangling network namespace, which keeps the corresponding physical\ninterface forever.\n\nAfter container init has died we now rename physical interfaces in\nthe corresponding cleanup() hook. We fork and join the container\nnetns by the corresponding path in the file system and use a\ncollision free name utilizing the container_uid() plus a local index\nas naming scheme on all physical network interfaces inside the\ncontainer.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_net: Rename physical interfaces during container cleanup"}},{"before":"8bde4ed421e4f2d0e9211de91d87070e881a79d7","after":"48ecc317266476fc6f5ea60241d8fe4eb36efab5","ref":"refs/heads/kirkstone","pushedAt":"2024-09-17T09:27:54.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/guestos: Fix use-after-free on download errors\n\nIn case download errors occur, the guestos_delete() function is\ncalled by the guestos_mgr module. 
To avoid following asan error, we\nnow set the os->downloding variable in 'guestos.c' before we trigger\nthe corresponding externally registered callbacks of guestos_mgr().\n\n=================================================================\n==214==ERROR: AddressSanitizer: heap-use-after-free on address \\\n 0x5060000df0cc at pc 0x5597a07aa5b4 bp 0x7ffee4146050 sp 0x7ffee4146040\nWRITE of size 1 at 0x5060000df0cc thread T0\n #0 0x5597a07aa5b3 in iterate_images_cb_download_hash_complete daemon/guestos.c:749\n #1 0x5597a07b14aa in download_sigchld_cb daemon/download.c:93\n #2 0x5597a081f7c9 in event_signal_handler common/event.c:780\n #3 0x5597a081f7c9 in event_loop common/event.c:851\n #4 0x5597a075d08c in main daemon/main.c:146\n #5 0x7fa267fee863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #6 0x7fa267fee90a in __libc_start_main_impl ../csu/libc-start.c:389\n #7 0x5597a075f284 in _start (/usr/sbin/cmld+0x138284)\n\n0x5060000df0cc is located 44 bytes inside of 64-byte region [0x5060000df0a0,0x5060000df0e0)\nfreed by thread T0 here:\n #0 0x7fa26826c726 in __interceptor_free [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:127\n #1 0x5597a07ad3dd in guestos_mgr_delete daemon/guestos_mgr.c:230\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/guestos: Fix use-after-free on download errors"}},{"before":"d0dbed25c922aa0978164059a5679acbd488146e","after":"8bde4ed421e4f2d0e9211de91d87070e881a79d7","ref":"refs/heads/kirkstone","pushedAt":"2024-09-16T10:21:42.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"daemon: added missing include linux/seccomp.h\n\nBuilding the 'cmld' in buildroot results in the following compiler error:\n c_seccomp/seccomp.c:418:31: error: 'SECCOMP_USER_NOTIF_FLAG_CONTINUE' undeclared.\nJust include the missing header 'linux/seccomp.h' to 
fix this issue.\n\nFixes: 84b9064405fe (\"dameon/c_seccomp: Moved c_seccomp.c to c_seccomp/seccomp.c\")\nSigned-off-by: Simon Ott \n[ michael.weiss ] added commit description and fixes tag\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon: added missing include linux/seccomp.h"}},{"before":"8db06b308fd4a265fec9d550242b2e4ce8b4ae65","after":"d0dbed25c922aa0978164059a5679acbd488146e","ref":"refs/heads/kirkstone","pushedAt":"2024-09-13T19:33:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"common/ssl_util: Fix null terminator in ssl_get_uid_from_cert_new()\n\nThis commit fixes length of the returned UUID buffer to contain 36\nbytes for UUID + null terminator.\n\nFixes: 2744ee01ad55 (\"common/ssl_util: added helper to get uuid from a certificate/csr\")\nSigned-off-by: Felix Wruck ","shortMessageHtmlLink":"common/ssl_util: Fix null terminator in ssl_get_uid_from_cert_new()"}},{"before":"1dd99f4b3968bf2eb2c5554e84c2544ca492ab8d","after":"8db06b308fd4a265fec9d550242b2e4ce8b4ae65","ref":"refs/heads/kirkstone","pushedAt":"2024-09-13T14:36:19.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"c_seccomp/seccomp: Fix use-after-free on notify fd exception\n\nIf the client gets terminated, e.g, by compartment_kill(), the notify\nhandler will receive an exception in the main process and seccomp->event\nwill get removed and freed. Afterwards when the seccomp_cleanup()\nmethod is cleaning up the module, it also wants to remove the io event\nfrom event loop and free seccomp->event. This is currently a double free.\nThus, in the handler we just have to set seccomp->event to NULL. 
This is\nchecked in compartment_cleanup() and the removal and free is not done\nanymore.\n\nThis fixes ASAN error:\n=================================================================\n==464==ERROR: AddressSanitizer: heap-use-after-free on address \\\n 0x50300001dea0 at pc 0x556f3a0ce5a6 bp 0x7ffea48362c0 sp 0x7ffea48362b0\nREAD of size 4 at 0x50300001dea0 thread T0\n #0 0x556f3a0ce5a5 in event_remove_io common/event.c:394\n #1 0x556f3a0b80c4 in c_seccomp_cleanup daemon/c_seccomp/seccomp.c:578\n #2 0x556f3a02a854 in compartment_cleanup daemon/compartment.c:656\n #3 0x556f3a02cf4b in compartment_sigchld_cb daemon/compartment.c:746\n #4 0x556f3a0d09d9 in event_signal_handler common/event.c:780\n #5 0x556f3a0d09d9 in event_loop common/event.c:851\n #6 0x556f3a00b12c in main daemon/main.c:146\n #7 0x7f3dee8f5863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n #8 0x7f3dee8f590a in __libc_start_main_impl ../csu/libc-start.c:389\n #9 0x556f3a00d3b4 in _start (/usr/sbin/cmld+0x1393b4)\n\nFixes: 3353cdea2fbf (\"daemon/compartment: Introduce c_seccomp module\")\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"c_seccomp/seccomp: Fix use-after-free on notify fd exception"}},{"before":"5c0d685fd809b5fb3a6fa29a8f5e26eae1882a3e","after":"1dd99f4b3968bf2eb2c5554e84c2544ca492ab8d","ref":"refs/heads/kirkstone","pushedAt":"2024-09-09T09:56:33.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/c_hotplug: Deny access to USB tokens\n\nUsing the new explicit deny list approach of the c_cgroups_dev\nmodule, access to USB devices which are used as TOKENs by other\ncontainers are now denied during hotplug events. 
We maintain a\nglobal list of such tokens, which is maintained during\ncompartment_new() and compartment_free().\n\nAfter a plug event occurs it is checked if the USB device is in the\nglobal list of tokens. Remember the serial since the minor number of\na USB device is incremented during plug/unplug. If it is, it is\nfurther checked if the container object also is allowed to access the\ncorresponding low level device. If so, the USB dev is placed in a\nlist of devices which should be re-allowed after unplug of the token.\n\nSigned-off-by: Michael Weiß \n[felix.wruck@aisec.fraunhofer.de: fixed typo in conditional, skip mknod\nfor ignored token devices, added TRACE message]\nSigned-off-by: Felix Wruck ","shortMessageHtmlLink":"daemon/c_hotplug: Deny access to USB tokens"}},{"before":"56b2cd6e6ef4b9eb7d7c9b129532706236b5eb08","after":"5c0d685fd809b5fb3a6fa29a8f5e26eae1882a3e","ref":"refs/heads/kirkstone","pushedAt":"2024-08-27T12:18:50.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"scd/usbtoken: change APDU for is_card_present\n\nThe current approach for monitoring token presence interferes with secure\nmessaging channels. 
Therefore, this commit introduces the APDU \"MANAGE\nCHANNEL\" in is_card_present() which does not impact secure messaging.\n\nSigned-off-by: David Sonntag ","shortMessageHtmlLink":"scd/usbtoken: change APDU for is_card_present"}},{"before":"019fb2ccb36c77ebf8a2b90e8fcdaf1cb75e5a52","after":"56b2cd6e6ef4b9eb7d7c9b129532706236b5eb08","ref":"refs/heads/kirkstone","pushedAt":"2024-08-23T07:15:34.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"Jenkinsfile: Build and test x86 and arm64 in parallel\n\nTo increase quality control for arm64 boards, test each PR against the\narm64 target as well as x86.\n\nSigned-off-by: Johannes Wiesböck ","shortMessageHtmlLink":"Jenkinsfile: Build and test x86 and arm64 in parallel"}},{"before":"fab5e8c5787e15767ec35fe69d618ae565e6d9ac","after":"019fb2ccb36c77ebf8a2b90e8fcdaf1cb75e5a52","ref":"refs/heads/kirkstone","pushedAt":"2024-08-08T13:32:50.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"scd/usbtoken: use special select APDU instead of queryPIN for SE watchdog\n\nUsing queryPIN() would intercept established secure channel\ncommunication of the SE. Thus to check if the SE is still available,\nwe now use a special 'unselectable' AID (0x00, 0x00, 0x00, 0x00, 0x00)\nto which the Card Manager on the SE will answer with 0x6A86 (wrong P1 or\nP2 parameter). 
This won't disturb current Applet selection.\n\nWe provide a new helper function usbtoken_is_card_present() which is\nused in usbtoken_se_comm_watchdog_cb() instead of queryPIN().\n\nThis helper sends the select APDU with processAPDU() function to directly\ncommunicate with the SE and not the reader.\n\nThe usually foreseen GET_STATUS APDU to the reader is not handled as\nexpected by the USB token. Thus, we use this mechanism to check\ncard presence.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"scd/usbtoken: use special select APDU instead of queryPIN for SE watc…"}},{"before":"963e7e063eeeefd5b6c62e7ed9739bb54f961d4a","after":"fab5e8c5787e15767ec35fe69d618ae565e6d9ac","ref":"refs/heads/kirkstone","pushedAt":"2024-08-07T13:39:32.000Z","pushType":"pr_merge","commitsCount":6,"pusher":{"login":"jwsbck","name":"Johannes Wiesböck","path":"/jwsbck","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32040864?s=80&v=4"},"commit":{"message":"scd/usbtoken: Handle SE connection errors while token is plugged\n\nIn case, the SE is removed from the usbtoken this was not handled\ncorrectly. Causing errors on which the SE would not be recognized\nanymore. Now if the SE is temporarily disconnected (e.g.) by a\npower glitch we can recover the connection and everything is fine.\nIf the SE is removed for a longer time, we treat this as token\nremoval and inform the cmld with the lately introduced scd event\nSE_REMOVED. 
The cmld already has the facility to stop the container\nin this case.\n\nIf the SE is plugged in again, we recover at the next token request\nfrom the cmld.\n\nFor the SE removal detection during normal run, we use a watchdog\ntimer which is currently using queryPIN() to detect if the SE\n(SmartCardHSM) is still available in the token.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"scd/usbtoken: Handle SE connection errors while token is plugged"}},{"before":"61df43f0f3d60c47cb8fd830d8d4b522a5fc57bf","after":"963e7e063eeeefd5b6c62e7ed9739bb54f961d4a","ref":"refs/heads/kirkstone","pushedAt":"2024-08-01T11:26:47.000Z","pushType":"pr_merge","commitsCount":11,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"common/ns: moved define of CLONE_NEWTIME to header\n\nCLONE_NEW_TIME is used in macro CLONE_NEWALL. Thus, for musl which\ndoes not have CLONE_NEWTIME move define from 'ns.c' to 'ns.h'\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"common/ns: moved define of CLONE_NEWTIME to header"}},{"before":"526d6ccf99d30b268e1bc23ef8a1e2a9c41b5042","after":"61df43f0f3d60c47cb8fd830d8d4b522a5fc57bf","ref":"refs/heads/kirkstone","pushedAt":"2024-07-16T09:18:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"common/logf: Disable buffering\n\nThis commit disables stream buffering for CML log files.\n\nSigned-off-by: Felix Wruck ","shortMessageHtmlLink":"common/logf: Disable buffering"}},{"before":"26b918c8b285c20ab7a3ee3d0ac35d55aeb4e9be","after":"526d6ccf99d30b268e1bc23ef8a1e2a9c41b5042","ref":"refs/heads/kirkstone","pushedAt":"2024-07-15T09:52:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"k0ch4lo","name":"Felix 
Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/audit: locking of audit log file\n\nIn some cases where audit log is written in child_early hooks,\nconcurrent access to the audit logfile could happen. Thus,\nwe introduce file locks using flock() to protect access to the\naudit log file.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/audit: locking of audit log file"}},{"before":"2096aa5473368739f7a163a92591783ff1bfb89c","after":"26b918c8b285c20ab7a3ee3d0ac35d55aeb4e9be","ref":"refs/heads/kirkstone","pushedAt":"2024-07-05T13:13:20.000Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"Jenkinsfile: Add 'CI_LIB_VERSION' parameter\n\nUsing the 'CI_LIB_VERSION' parameter it is possible to load a specific\nversion of gyroidos_ci_common.\n\nSigned-off-by: Maximilian Peisl ","shortMessageHtmlLink":"Jenkinsfile: Add 'CI_LIB_VERSION' parameter"}},{"before":"8adb459f10b385bca05fbcef891326910f12456c","after":"2096aa5473368739f7a163a92591783ff1bfb89c","ref":"refs/heads/kirkstone","pushedAt":"2024-07-01T05:21:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"scd/scd: Fixed hw_serial in common name of device.csr\n\nAccidentally hw_serial was set by HARDWARE_NAME instead of\nHARDWARE_SERIAL and hw_name was set to \"generic\" in any case.\nThis is fixed now.\n\nFixes: 8adb459f10b3 (\"scd/scd: Fixed common_name in device.csr generation\")\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"scd/scd: Fixed hw_serial in common name of 
device.csr"}},{"before":"ab185ea446890de165e3e3f311db73099491524a","after":"8adb459f10b385bca05fbcef891326910f12456c","ref":"refs/heads/kirkstone","pushedAt":"2024-06-28T15:26:31.000Z","pushType":"pr_merge","commitsCount":7,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"scd/scd: Fixed common_name in device.csr generation\n\nThe common name field for the device.csr contained the bogus string\n\"common_name\". Provide proper values of hardware name and serial if\navailable from dmi driver in sysfs.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"scd/scd: Fixed common_name in device.csr generation"}},{"before":"6ac33b2a1bd72c63d5c138238c6c7b886fd704bd","after":"ab185ea446890de165e3e3f311db73099491524a","ref":"refs/heads/kirkstone","pushedAt":"2024-06-28T08:06:01.000Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/control: allow GET_LAST_LOG in cc_mode (EXPERIMENTAL)\n\nWARNING!! EXPERIMENTAL !! Logfile encryption is not yet implemented !!\n\nSince CML logfiles may contain sensitive data, this command needs\nspecial protection. The logfiles need to be encrypted by the cmld to\nsafely retrieve logfiles!\n\nWARNING!! EXPERIMENTAL !! Logfile encryption is not yet implemented !!\n\nTherefore, to enable this feature CC_MODE_EXPERIMENTAL needs to be set\nas build flag to \"y\". 
The default value in the Makefile is set to \"n\".\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/control: allow GET_LAST_LOG in cc_mode (EXPERIMENTAL)"}},{"before":"09e33a94281df9209c71dc77ca2a4ffd8f721c0f","after":"6ac33b2a1bd72c63d5c138238c6c7b886fd704bd","ref":"refs/heads/kirkstone","pushedAt":"2024-06-27T07:51:20.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"common/sock: set socket opetion in sock_inet_create\n\nSet SO_REUSEADDR to avoid blocked ports after\nungraceful shutdowns of applications.\n\nSigned-off-by: Simon Ott ","shortMessageHtmlLink":"common/sock: set socket opetion in sock_inet_create"}},{"before":null,"after":"41e37274cdc21969f0fa5bfa7e6c0ee4cb223bc5","ref":"refs/heads/sock-options","pushedAt":"2024-06-26T14:04:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"smo4201","name":null,"path":"/smo4201","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/72933253?s=80&v=4"},"commit":{"message":"common/sock: set socket opetion in sock_inet_create\n\nSet SO_REUSEADDR to avoid blocked ports after\nungraceful shutdowns of applications.\n\nSigned-off-by: Simon Ott ","shortMessageHtmlLink":"common/sock: set socket opetion in sock_inet_create"}},{"before":"df5b874f63f49dde13d9dde0f4b4f52048073b8c","after":"09e33a94281df9209c71dc77ca2a4ffd8f721c0f","ref":"refs/heads/kirkstone","pushedAt":"2024-06-21T09:22:50.000Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"MPeisl","name":"Maximilian Peisl","path":"/MPeisl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/62542337?s=80&v=4"},"commit":{"message":"daemon/c_automount: use namespace_exec to mount external block devices\n\nMount propagation does not work with c_idmapped submodule. 
Since, we\novermount the '/tmp//media/' directory in the rootns with\nthe idmapped mount for the container, access from the root user namespace\nwill result in an \"errno (75: Value too large for defined data type)\".\n\nWe now join the mount namespace of the container and switch to the\nroot uid keeping System wide CAP_SYS_ADMIN to execute the mount.\n\nFixes following error:\n [530] dir.c+96: Could not mkdir /tmp/00000000-0000-0000-0000-000000000000/media/external\n\t (75: Value too large for data type)\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_automount: use namespace_exec to mount external block devices"}},{"before":"e7bb143505226516105ec6ad29bf65704e03a113","after":"df5b874f63f49dde13d9dde0f4b4f52048073b8c","ref":"refs/heads/kirkstone","pushedAt":"2024-05-29T08:17:32.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"MPeisl","name":"Maximilian Peisl","path":"/MPeisl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/62542337?s=80&v=4"},"commit":{"message":"daemon/hotplug: do not rename physical net interfaces twice\n\nSince now uevents for physical net interfaces are retriggered during\nmodule initialization, the initial rename may be redundant. Thus keep\noldname of the net device in those cases.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/hotplug: do not rename physical net interfaces twice"}},{"before":"4308c59fe6b618bb6b23701080fd9092cf28f2af","after":"e7bb143505226516105ec6ad29bf65704e03a113","ref":"refs/heads/kirkstone","pushedAt":"2024-05-14T14:21:28.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"jwsbck","name":"Johannes Wiesböck","path":"/jwsbck","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32040864?s=80&v=4"},"commit":{"message":"daemon/c_seccomp: fixed formatting of seccomp filter macro\n\nclang does some funny stuff with the comment inside of the macro\nblock of our seccomp filter struct. 
Thus, refactored to make\nformatter happy.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_seccomp: fixed formatting of seccomp filter macro"}},{"before":"3528b7ec91732e49aea0ac228cab2f96df24e881","after":"4308c59fe6b618bb6b23701080fd9092cf28f2af","ref":"refs/heads/kirkstone","pushedAt":"2024-05-14T09:36:39.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"daemon/Makefile: Default to idmapped mounts\n\nChange default mounting option from shiftfs to idmapped mounts.\n\nSigned-off-by: Maximilian Peisl ","shortMessageHtmlLink":"daemon/Makefile: Default to idmapped mounts"}},{"before":"286c59e04c2a08753acb0e58c5d21c6881482200","after":"3528b7ec91732e49aea0ac228cab2f96df24e881","ref":"refs/heads/kirkstone","pushedAt":"2024-05-03T14:39:15.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"jwsbck","name":"Johannes Wiesböck","path":"/jwsbck","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32040864?s=80&v=4"},"commit":{"message":"daemon/cmld: Handle cmld_reload_container return value properly\n\nCommit e816bafc026a \"daemon/cmld: Properly register config_sync_cb\"\nchanged the return value from int to container_t*.\nThus, we also have to check if its '== NULL' for error handling in\ncmld_load_containers_cb().\n\nThis avoids the following misleading warning:\n [403] cmld.c+616: Loaded config for container core0\n [403] cmld.c+668: Failed to reload container\n\nFixes: e816bafc026a (\"daemon/cmld: Properly register config_sync_cb\")\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/cmld: Handle cmld_reload_container return value 
properly"}},{"before":"65858f99a7475e1d5dab910a18a51147aadac48a","after":"286c59e04c2a08753acb0e58c5d21c6881482200","ref":"refs/heads/kirkstone","pushedAt":"2024-05-03T12:46:28.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"jwsbck","name":"Johannes Wiesböck","path":"/jwsbck","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32040864?s=80&v=4"},"commit":{"message":"daemon/c_seccomp: Disable mknod handling for arm64\n\nARM64 does not provide the mknod syscall (SYS_mknod is not defined)\nwhich prevents compilation. Therefore do not handle the syscall on\narm64.\n\nSigned-off-by: Johannes Wiesböck ","shortMessageHtmlLink":"daemon/c_seccomp: Disable mknod handling for arm64"}},{"before":"4ab2e78d916fc31a8288c9063f4411307c3bc694","after":"65858f99a7475e1d5dab910a18a51147aadac48a","ref":"refs/heads/kirkstone","pushedAt":"2024-05-02T13:32:50.000Z","pushType":"pr_merge","commitsCount":5,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/c_seccomp: Remove comment about usage of filter from man page\n\nSince commit 9683983 \" daemon/c_seccomp: Refactor BPF filter for\nmultiarch support\", we have a totally new designed syscall filter.\nThis has nothing to do with the man page sample code. 
Thus, remove\nthe corresponding comment \"slightly modified sample code from the\nseccomp manpage [...]\".\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_seccomp: Remove comment about usage of filter from man page"}},{"before":"726c8ecefa41b66162863aa08bea23c827cf9d32","after":"4ab2e78d916fc31a8288c9063f4411307c3bc694","ref":"refs/heads/kirkstone","pushedAt":"2024-04-25T09:17:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"k0ch4lo","name":"Felix Wruck","path":"/k0ch4lo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/35745080?s=80&v=4"},"commit":{"message":"daemon/c_seccomp: white out module parameters during emulation\n\nDuring finit_module() syscall emulation do not pass the parameters\nas is anymore. Until we do not have a proper module parameters sanity\nchecking, we white out parameters since there may be dangerous ones.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_seccomp: white out module parameters during emulation"}},{"before":"2123ccf5b2f099cb2daa86ad30b663e3281395f6","after":"726c8ecefa41b66162863aa08bea23c827cf9d32","ref":"refs/heads/kirkstone","pushedAt":"2024-04-23T08:09:33.000Z","pushType":"pr_merge","commitsCount":11,"pusher":{"login":"jwsbck","name":"Johannes Wiesböck","path":"/jwsbck","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/32040864?s=80&v=4"},"commit":{"message":"daemon/c_seccomp: check allowed list during finit_module() emulation\n\nIn c_seccomp_new(), use the allowed list from the container object\n(config) to retrieve a list of modules according the dependencies in\n'modules.dep' file and store this in the c_seccomp struct.\n\nLater during emulation check if the module name is in the generated\nlist of allowed modules and their depending modules, if not drop out\nof emulation early.\n\nSigned-off-by: Michael Weiß ","shortMessageHtmlLink":"daemon/c_seccomp: check allowed list during finit_module() 
emulation"}},{"before":"6cf17beb83a5db6dafb30aef75c2addaa7ffb388","after":"2123ccf5b2f099cb2daa86ad30b663e3281395f6","ref":"refs/heads/kirkstone","pushedAt":"2024-04-19T21:29:33.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"quitschbo","name":"Michael Weiß","path":"/quitschbo","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/22143809?s=80&v=4"},"commit":{"message":"daemon/guestos: Relative download paths\n\nThis commit allows the update_base_url parameter in the device or\nguestos config to take on a relative format without leading /. In this\ncase the update url is interpreted relative to the calling containers\nroot directory which is accessed via /proc//root. The behaviour of\nabsolute update paths with leading / is unchanged.\n\nSigned-off-by: Johannes Wiesböck ","shortMessageHtmlLink":"daemon/guestos: Relative download paths"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0yMFQxMDo1MzozOC4wMDAwMDBazwAAAAS72iaR","startCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wOS0yMFQxMDo1MzozOC4wMDAwMDBazwAAAAS72iaR","endCursor":"Y3Vyc29yOnYyOpK7MjAyNC0wNC0xOVQyMToyOTozMy4wMDAwMDBazwAAAAQ1i-IX"}},"title":"Activity · gyroidos/cml"}