bpf: comment bpf_cgroup_devices_update()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: only update bpf device program if really needed

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make device cgroup handling smarter and simpler

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure no garbage is returned

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3686 from cyphar/apparmor-attr-subdir

apparmor: prefer /proc/.../attr/apparmor/current over legacy interface

apparmor: prefer /proc/.../attr/apparmor/current over legacy interface

It turns out that since Linux 5.1 there are now per-LSM subdirectories
for major LSMs, which users are recommended to use over the "legacy"
top-level /proc/$pid/attr/... files[1]:

> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.

AppArmor has had such a directory since Linux 5.8[2], and it turns out
that with certain CONFIG_LSM configurations you can end up with AppArmor
files not being accessible from the legacy interface. Arch Linux
recently added BPF as one of the enabled LSM in their configuration, and
this broke runc[3] and LXC.

The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.

[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8 ; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

apparmor: clean up apparmor_process_label_get

Rather than open-coding file reading and retry semantics and
implementing the path generation logic separately to
apparmor_process_label_fd_get, refactor the logic so that it looks
closer to the pidfd version.

This will make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Merge pull request #3681 from brauner/2021-02-18/cgroups

cgroups: fixes & bpf rework

Merge pull request #3682 from brauner/2021-02-18/fixes

console: fixes

conf: don't log garbage

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix non-daemonized and application containers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use saner mode for console

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: simplify bpf (device) program freeing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: make bpf_program_cgroup_attach() static

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: prevent double-close

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use close_equal() and free_equal()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

memory_utils: add close_equal() and free_equal()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fix reboot logging

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: rework live device cgroup update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: fix fallthrough attribute

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: fix return values in bpf_program_cgroup_attach()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: let bpf_list_add_device() take the device list directly

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: add and use bpf_cgroup_devices_attach() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove compile-time bpf support detection

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: vendor bpf headers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: handling missing defines

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: rework bpf_program_cgroup_detach()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: rework bpf devices BPF_F_REPLACE codepath

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: don't close invalid fd, simply swap

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use __u32 not uint32_t

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: add swap helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: replace bpf program on update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: improve bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: add helpers for better bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve bpf device program handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make device cgroups semantics clearer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: enable helpers to let caller replace existing bpf programs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: align struct initialization

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use return macros

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: introduce lxc_bpf_devices_rule_t type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use cgroup fd directly instead of paths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: kill monitor_full_path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: free correct path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix print_r() debugging helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix error values

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't overwrite type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make it extremely obvious that we're transitioning from a flag to a type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3680 from brauner/2021-02-17/cgroups_2

cgroups: fourth batch of cgroup fixes

cgroups: create controller directories if missing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use non-flag based checking now that we switched all codepaths over

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use brackets to clarify check semantics

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: validate that only a single cgroup mount type is set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: prevent cgroup mount type overwrite

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure that cgroup_root is initialized in legacy codepaths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: distinguish between tmpfs and unified based cgroup layouts file descriptors

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: log intermediate cleanup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3679 from brauner/2021-02-17/cgroups

cgroups: third batch of cgroup fixes

cgroups: prevent NULL pointer deref

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: simplify mount opening

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure we prune the limit dir

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure we don't remove cgroups we didn't create

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't move pivot cgroup under the monitor's cgroup

Otherwise we will never be able to destroy the monitor's cgroup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't rely on absolute path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: be stricter when creating payloads

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework cgroup tree creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure leaf cgroup is correctly pruned on creation failure

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework cgroup tree removal on creation failure

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove obsolote check

In the new layout we don't need to do this.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: reorder function arguments

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3678 from brauner/2021-02-17/unified_controller_delegation

cgroups: rework unified cgroup controller delegation

start: delegate than move into the target cgroup

This is a way more sensible model.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework unified controller delegation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: check correct variable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/openat()/open_at()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3677 from brauner/2021-02-17/cgroup_pruning

cgroups: fd-only cgroup tree pruning

Merge pull request #3676 from brauner/2021-02-16/fixes

cgroups: fixes

cgroups: remove obsolote cgroup_tree handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fd-only cgroup tree pruning

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: move dup_cloexec() to header

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: prevent double-close

Fixes: Coverity 1473183
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

namespace: add missing \0 terminator

Link: https://launchpadlibrarian.net/523195972/buildlog_ubuntu-groovy-ppc64el.lxc_1%3A4.0.6+master~20210215-1740-0ubuntu1~groovy_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3675 from brauner/2021-02-16/fixes

cgroups: second batch of cgroup fixes

cgroups: rework how hierarchies are added

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix fd leaks

They didn't really matter because we want to keep them around for as long as
the container lives anyway.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: allow "" base cgroup paths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

string_utils: handle empty strings in must_make_path()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve logging

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework legacy cpuset handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fd-based only cgroup creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: stash fds for the controller mountpoint and base cgroup path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fail when no cgroup hierarchies are found

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework base cgroup parsing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework add_hierarchy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: better document stashed file descriptors

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: stash host's cgroupfs file descriptor

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/cg_init()/__cgroup_init()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3674 from brauner/2021-02-15/nesting

cgroups: tighten cgroup config items

confile: forbid absolute paths in config items that modify the cgroup layout

This is not a safety measure but merely is supposed to raise awareness that
these paths are always relative to the cgroup root as determined by
lxc.cgroup.relative.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: forbid walking upwards for confile items that modify cgroup layout

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>