*/
static int lxc_pivot_root(const char *rootfs)
{
- int newroot = -1, oldroot = -1, ret = -1;
+ int oldroot;
+ int newroot = -1, ret = -1;
- oldroot = open("/", O_DIRECTORY | O_RDONLY);
+ oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (oldroot < 0) {
SYSERROR("Failed to open old root directory");
return -1;
}
- newroot = open(rootfs, O_DIRECTORY | O_RDONLY);
+ newroot = open(rootfs, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
if (newroot < 0) {
SYSERROR("Failed to open new root directory");
goto on_error;
TRACE("pivot_root(\"%s\") successful", rootfs);
on_error:
- if (oldroot != -1)
- close(oldroot);
- if (newroot != -1)
+ close(oldroot);
+
+ if (newroot >= 0)
close(newroot);
return ret;
TRACE("Created temporary mount file");
}
- if (fd < 0) {
- SYSERROR("Could not create temporary mount file");
- return NULL;
- }
lxc_list_for_each (iterator, mount) {
size_t len;
SYSERROR("Failed to set limit %s", lim->resource);
return -1;
}
+
+ TRACE("Setup \"%s\" limit", lim->resource);
#else
- ERROR("Cannot set limit %s as prlimit is missing", lim->resource);
+ ERROR("Cannot set limit \"%s\" as prlimit is missing", lim->resource);
return -1;
#endif
}
* of the doubt. Otherwise we might fail even though all the necessary
* file capabilities are set.
*/
- DEBUG("Cannot check for file capabilites as full capability support is "
+ DEBUG("Cannot check for file capabilities as full capability support is "
"missing. Manual intervention needed");
fret = 1;
#endif
}
}
-#define __LXC_SENDFILE_MAX 0x7ffff000 /* maximum number of bytes sendfile can handle */
again:
- copied = sendfile(memfd, mntinfo_fd, NULL, __LXC_SENDFILE_MAX);
+ copied = lxc_sendfile_nointr(memfd, mntinfo_fd, NULL, LXC_SENDFILE_MAX);
if (copied < 0) {
if (errno == EINTR)
goto again;
lxc_list_for_each (it, &conf->hooks[LXCHOOK_START]) {
int ret;
- struct stat st;
char *hookname = it->elem;
ret = snprintf(path, PATH_MAX, "%s%s",
if (ret < 0 || ret >= PATH_MAX)
return false;
- ret = stat(path, &st);
+ ret = access(path, X_OK);
if (ret < 0) {
- SYSERROR("Start hook %s not found in container",
+ SYSERROR("Start hook \"%s\" not found in container",
hookname);
return false;
}
return -1;
}
- /* Make sure any start hooks are in the container */
- if (!verify_start_hooks(lxc_conf))
- return -1;
-
if (lxc_conf->is_execute) {
if (execveat_supported()) {
int fd;
}
}
+ /* Make sure any start hooks are in the container */
+ if (!verify_start_hooks(lxc_conf)) {
+ ERROR("Failed to verify start hooks");
+ return -1;
+ }
+
ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console,
lxc_conf->ttys.dir);
if (ret < 0) {
* - the container root {g,u}id as seen from the host > user's host {g,u}id
* - the container root -> some sub{g,u}id
* The former we add, if the user did not specifiy a mapping. The latter we
- * retrieve from the ontainer's configured {g,u}id mappings as it must have been
+ * retrieve from the container's configured {g,u}id mappings as it must have been
* there to start the container in the first place.
*/
int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data,