macro: move MAX_GRBUF_SIZE

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3589 from tych0/fix-nonet-cleanup

network: fix LXC_NET_NONE cleanup

network: fix LXC_NET_NONE cleanup

We have a case where we have a nested container with LXC_NET_NONE run
inside a container that's *also* got no network namespace (run by
lxc-usernsexec).

The "am I root" check in this function then does not suffice, since the
euid of the task is 0 but it does not have privilege over its network
namespace, and thus cannot do any of the restore operations:

lxc foo 20201201232059.271 TRACE    network - network.c:lxc_restore_phys_nics_to_netns:3299 - Moving physical network devices back to parent network namespace
lxc foo 20201201232059.271 ERROR    network - network.c:lxc_restore_phys_nics_to_netns:3307 - Operation not permitted - Failed to enter network namespace
lxc foo 20201201232059.271 ERROR    start - start.c:__lxc_start:2045 - Failed to move physical network devices back to parent network namespace

Let's check that we indeed did clone the network namespace, and thus have
things to restore to their correct namespace before attempting to actually
restore them.

I suspect it's possible we can also get rid of some of the network namespace
preservation stuff in start.c in the LXC_NET_NONE case.

Signed-off-by: Tycho Andersen <tycho@tycho.pizza>

Merge pull request #3586 from tenforward/japanese

doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page

doc: Add lxc.cgroup.dir.monitor.pivot to Japanese man page

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3583 from brauner/2020-11-18/fixes

commands_utils: fix lxc-wait

commands_utils: fix lxc-wait

Closes: #3570
Fixes: 7792a5b60f79 ("commands: add additional check to lxc_cmd_sock_get_state()")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3582 from brauner/2020-11-17/bugfixes

file_utils: fix config file parsing

file_utils: fix config file parsing

We accidently used the "bytes_to_write" variable after we've written all the
bytes at which point it is guaranteed to be 0. Let's use the "bytes_read"
variable instead.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3581 from brauner/2020-11-16/fixes

conf: improve mountinfo and config parsing

conf: switch to fd_to_fd() when copying mountinfo

Closes: #3580.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=209971
Suggested-by: Joan Bruguera <joanbrugueram@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

parse: rework config parsing routine

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3579 from lifeng68/master

cgfsng: adjust log level to warn instead of error

cgfsng: adjust log level to warn instead of error

Signed-off-by: lifeng68 <lifeng68@huawei.com>

Merge pull request #3577 from brauner/2020-11-05/bugfixes

attach: silence stdio permission adjust warnings

attach: silence stdio permission adjust warnings

Closes: #3576.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3574 from Drachenfels-GmbH/seccomp-fixes

Add missing free for monitor_pivot_dir.

Add missing free for monitor_pivot_dir.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Merge pull request #3572 from brauner/2020-11-02/seccomp_nonblocking

seccomp: fixes

seccomp: log aborted system calls

Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: make seccomp notifier fd non-blocking

Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3568 from brauner/2020-10-28/fixes

coverity fixes

attach: require that LXC_ATTACH_LSM_LABEL is specified

to avoid liblxc stumbling over an smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: check snprintf return value

Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: check snprint return value

Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: don't deref after NULL check

Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: don't deref after NULL check

Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3567 from blenk92/lxc-attach-selinux

lxc-attach: Enable setting the SELinux context

Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes

cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination

Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes

seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing

Merge pull request #3565 from Drachenfels-GmbH/test-fixes

tests: Fix compilation with appamor enabled.

Merge pull request #3564 from Drachenfels-GmbH/fixes

lxccontainer: fix lxc_config_item_is_supported

lxc-attach: Enable setting the SELinux context

Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (This can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

tests: Fix compilation with appamor enabled.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

lxccontainer: fix lxc_config_item_is_supported

Use exact match instead of longest prefix match
to check whether a config item is supported.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Introduce lxc.cgroup.dir.monitor.pivot

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir).
because only empty cgroups can be removed.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

seccomp: Avoid duplicate processing of rules for host native arch.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Merge pull request #3561 from tenforward/japanese

Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2

Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2

Update for commit b87ed83bbc7db3f826b4f54df1bb458c2c539be7

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #3559 from brauner/2020-10-20/fixes

conf: account for early return when sending devpts fd

conf: account for early return when sending devpts fd

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3558 from brauner/2020-10-20/fixes

conf: always send response to parent waiting for devptfs_fd

conf: always send response to parent waiting for devptfs_fd

When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3556 from brauner/2020-10-19/fixes

startup fixes

start: improve devpts fd sending

Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

sync: log synchronization states

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

sync: switch to new error helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3555 from brauner/2020-10-16/seccomp

seccomp: fix compilation on powerpc

seccomp: fix compilation on powerpc

Link: https://launchpadlibrarian.net/502200189/buildlog_snap_ubuntu_bionic_ppc64el_lxd-latest-edge_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3553 from brauner/2020-10-15/seccomp

seccomp: bugfixes

seccomp: improve default notification sending

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: log invalid seccomp notify ids

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3548 from Drachenfels-GmbH/master

seccomp: Check if syscall is supported on compat architecture.

seccomp: Check if syscall is supported on compat architecture.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Merge pull request #3541 from Mingli-Yu/master

Remove obsolete setting regarding the Standard Output

Remove obsolete setting regarding the Standard Output

The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].

Please consider using "journal" or "journal+console"

[1] https://github.com/systemd/systemd/blob/master/NEWS#L202

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>

Merge pull request #3540 from brauner/2020-09-17/fixes_2

lxc-usernsexec: setgroups() similar to other places shouldn't fail on…

lxc-usernsexec: setgroups() similar to other places shouldn't fail on EPERM

FAIL: lxc-tests: lxc-test-usernsexec (1s)
---
as test-userns executing /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec
uid=1001 gid=1001 name=test-userns subuid=165536 subgid=165536 ver=1:4.0.4-0ubuntu3
lxc-utils=1:4.0.4-0ubuntu3 kver=5.8.0-19-generic
USERNSEXEC=lxc-usernsexec
nouidgid: PASS
myuidgid: FAIL - runtest failed 1
  $ lxc-usernsexec -mu:0:1001:1 -mg:0:1001:1 -- /tmp/autopkgtest.waGEXj/build.Hm3/src/src/tests/lxc-test-usernsexec inside f0
  lxc 20200914222824.562 ERROR    utils - utils.c:lxc_setgroups:1363 - Operation not permitted - Failed to setgroups()
  kid 73112 is gone 1
subuidgid: PASS
bothsets: PASS
mismatch: PASS
ERRORS: myuidgid
---

Reported-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3539 from brauner/2020-09-17/fixes

commands: don't fail if unfreeze fails

commands: don't fail if unfreeze fails

We can e.g. fail the unfreeze because the freezer cgroup is not available and
then we erronously report that stopping the container failed.

Closes: #3471.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3532 from alliedtelesis/fix_lxc_attach_crash

avoid a NULL pointer dereference in lxc-attach

attach: use lxc_terminal_signal_sigmask_safe_blocked()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: introduce lxc_terminal_signal_sigmask_safe_blocked()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

avoid a NULL pointer dereference in lxc-attach

Seems to appear when stderr is a terminal and not stdin or stdout.

Signed-off-by: Scott Parlane <scott.parlane@alliedtelesis.co.nz>

Merge pull request #3531 from JingWoo/cleancode

remove useless parameters

remove useless parameters

Signed-off-by: wujing <Jing.Woo@outlook.com>

Merge pull request #3530 from brauner/2020-08-25/fixes

cgroups: fix armhf builds

Merge pull request #3529 from pranaysrivastava/fixup_rootfs_detection

Check only rootfs as filesystem type

cgroups: fix armhf builds

Link: https://launchpadlibrarian.net/494473462/buildlog_ubuntu-groovy-armhf.lxc_1%3A4.0.4-0ubuntu2_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Check only rootfs as filesystem type

When detecting if rootfs is on ramfs instead of checking "- rootfs
rootfs" which is the " - <file_system> <device>" information only check
the file system type. This is due to a change introduced in kernel where
ramfs file system doesn't set the device to "rootfs" but instead mark it
as "none". By making sure we only check for "rootfs" as the file system
name we also offer backward compatibility with earlier kernels as well.

The kernel commit that introduced this change was

commit f32356261d44d580649a7abce1156d15d49cf20f
Author: David Howells <dhowells@redhat.com>
Date:   Mon Mar 25 16:38:31 2019 +0000

    vfs: Convert ramfs, shmem, tmpfs, devtmpfs, rootfs to use the new
    mount API

Signed-off-by: Pranay Kr. Srivastava <pranay.srivastava@pantacor.com>

Merge pull request #3528 from graysky2/master

remove deprecated options in lxc.service fixes #3527

Merge pull request #3526 from brauner/2020-08-21/fixes

cgfsng: fix cgroup attach cgroup creation

remove deprecated options in lxc.service fixes #3527

Signed-off-by: graysky <graysky@archlinux.us>

cgfsng: fix cgroup attach cgroup creation

\e[01m\e[Kcgroups/cgfsng.c:\e[m\e[K In function ‘\e[01m\e[Kcgroup_attach_leaf.constprop\e[m\e[K’:
\e[01m\e[Kcgroups/cgfsng.c:2221:10:\e[m\e[K \e[01;31m\e[Kerror: \e[m\e[Kwriting 1 byte into a region of size 0 [\e[01;31m\e[K-Werror=stringop-overflow=\e[m\e[K]
 2221 |   \e[01;31m\e[K*slash = '\0'\e[m\e[K;
      |   \e[01;31m\e[K~~~~~~~^~~~~~\e[m\e[K
\e[01m\e[Kcgroups/cgfsng.c:2213:8:\e[m\e[K \e[01;36m\e[Knote: \e[m\e[Kat offset -13 to object ‘\e[01m\e[Kattach_cgroup\e[m\e[K’ with size 23 declared here
 2213 |   char \e[01;36m\e[Kattach_cgroup\e[m\e[K[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
      |        \e[01;36m\e[K^~~~~~~~~~~~~\e[m\e[K
\e[01m\e[Kcgroups/cgfsng.c:2229:10:\e[m\e[K \e[01;31m\e[Kerror: \e[m\e[Kwriting 1 byte into a region of size 0 [\e[01;31m\e[K-Werror=stringop-overflow=\e[m\e[K]
 2229 |   \e[01;31m\e[K*slash = '/'\e[m\e[K;
      |   \e[01;31m\e[K~~~~~~~^~~~~\e[m\e[K
\e[01m\e[Kcgroups/cgfsng.c:2213:8:\e[m\e[K \e[01;36m\e[Knote: \e[m\e[Kat offset -13 to object ‘\e[01m\e[Kattach_cgroup\e[m\e[K’ with size 23 declared here
 2213 |   char \e[01;36m\e[Kattach_cgroup\e[m\e[K[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
      |        \e[01;36m\e[K^~~~~~~~~~~~~\e[m\e[K
\e[01m\e[Kcgroups/cgfsng.c:2229:10:\e[m\e[K \e[01;31m\e[Kerror: \e[m\e[Kwriting 1 byte into a region of size 0 [\e[01;31m\e[K-Werror=stringop-overflow=\e[m\e[K]
 2229 |   \e[01;31m\e[K*slash = '/'\e[m\e[K;
      |   \e[01;31m\e[K~~~~~~~^~~~~\e[m\e[K
\e[01m\e[Kcgroups/cgfsng.c:2213:8:\e[m\e[K \e[01;36m\e[Knote: \e[m\e[Kat offset -13 to object ‘\e[01m\e[Kattach_cgroup\e[m\e[K’ with size 23 declared here
 2213 |   char \e[01;36m\e[Kattach_cgroup\e[m\e[K[STRLITERALLEN(".lxc-1000/cgroup.procs") + 1];
      |        \e[01;36m\e[K^~~~~~~~~~~~~\e[m\e[K

Link: https://launchpadlibrarian.net/494354168/buildlog_ubuntu-groovy-armhf.lxc_1%3A4.0.4-0ubuntu1_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3522 from avr1254/master

Updated documentation to reflect lack of support for pure cgroupv2

 Updated documentation to reflect lack of support for pure cgroupv2

Signed-off-by: Arjun Ramachandrula <arjun.ramachandrula@gmail.com>

Merge pull request #3518 from brauner/2020-08-12/fixes

lsm: remove the need for atomic operations

lsm: remove the need for atomic operations

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3517 from brauner/2020-08-10/fixes_2

lsm: rewrite

lsm: use atomic in ase we're used multi-threaded

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm: rework lsm handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3514 from brauner/2020-08-10/fixes

conf: terminal and /dev hardening

terminal: harden terminal allocation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: move /dev setup to be file descriptor based

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3513 from brauner/2020-08-09/openat2

openat2() and safe mounting

conf: harden lxc_fill_autodev() via save_mount_beneath_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: add exists_dir_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: make use of stashed container mountpoint fd in mount_autodev()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: stash file descriptor to root mountpoint in struct lxc_rootfs

This way we only need to open it _once_ per container startup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: introduce safe_mount_beneath_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgfsng: use safe_mount_beneath()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: switch mount_autodev() to new safe_mount_beneath() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: add safe_mount_beneath() based on openat2()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: add openat2()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3512 from stgraber/master

lxc-download fixes

lxc-download: Fix retry loop

Closes #3511

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Revert "templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys"

This reverts commit 409040e702f814a167aed5a0e833f4d5c67fd29d.

Testing of both options show identical behavior but receive-keys does
not exist on older releases, so let's revert this.

Closes #3510

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3509 from brauner/2020-08-06/fixes

api-extension: add missing seccomp_proxy_send_notify_fd extension

api-extension: add missing seccomp_proxy_send_notify_fd extension

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>