bpf: simplify bpf (device) program freeing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: make bpf_program_cgroup_attach() static

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: prevent double-close

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use close_equal() and free_equal()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

memory_utils: add close_equal() and free_equal()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fix reboot logging

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: rework live device cgroup update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: fix fallthrough attribute

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: fix return values in bpf_program_cgroup_attach()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: let bpf_list_add_device() take the device list directly

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: add and use bpf_cgroup_devices_attach() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove compile-time bpf support detection

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: vendor bpf headers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: handling missing defines

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: rework bpf_program_cgroup_detach()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: rework bpf devices BPF_F_REPLACE codepath

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: don't close invalid fd, simply swap

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use __u32 not uint32_t

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

macro: add swap helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: replace bpf program on update

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: improve bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: add helpers for better bpf device program management

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve bpf device program handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make device cgroups semantics clearer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: enable helpers to let caller replace existing bpf programs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: align struct initialization

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use return macros

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: introduce lxc_bpf_devices_rule_t type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

bpf: use cgroup fd directly instead of paths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: kill monitor_full_path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: free correct path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix print_r() debugging helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix error values

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't overwrite type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: make it extremely obvious that we're transitioning from a flag to a type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3680 from brauner/2021-02-17/cgroups_2

cgroups: fourth batch of cgroup fixes

cgroups: create controller directories if missing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use non-flag based checking now that we switched all codepaths over

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: use brackets to clarify check semantics

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: validate that only a single cgroup mount type is set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: prevent cgroup mount type overwrite

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure that cgroup_root is initialized in legacy codepaths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: distinguish between tmpfs and unified based cgroup layouts file descriptors

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: log intermediate cleanup

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3679 from brauner/2021-02-17/cgroups

cgroups: third batch of cgroup fixes

cgroups: prevent NULL pointer deref

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: simplify mount opening

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure we prune the limit dir

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure we don't remove cgroups we didn't create

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't move pivot cgroup under the monitor's cgroup

Otherwise we will never be able to destroy the monitor's cgroup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: don't rely on absolute path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: be stricter when creating payloads

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework cgroup tree creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: ensure leaf cgroup is correctly pruned on creation failure

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework cgroup tree removal on creation failure

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove obsolote check

In the new layout we don't need to do this.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: reorder function arguments

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3678 from brauner/2021-02-17/unified_controller_delegation

cgroups: rework unified cgroup controller delegation

start: delegate than move into the target cgroup

This is a way more sensible model.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework unified controller delegation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: check correct variable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/openat()/open_at()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3677 from brauner/2021-02-17/cgroup_pruning

cgroups: fd-only cgroup tree pruning

Merge pull request #3676 from brauner/2021-02-16/fixes

cgroups: fixes

cgroups: remove obsolote cgroup_tree handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fd-only cgroup tree pruning

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: move dup_cloexec() to header

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: prevent double-close

Fixes: Coverity 1473183
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

namespace: add missing \0 terminator

Link: https://launchpadlibrarian.net/523195972/buildlog_ubuntu-groovy-ppc64el.lxc_1%3A4.0.6+master~20210215-1740-0ubuntu1~groovy_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3675 from brauner/2021-02-16/fixes

cgroups: second batch of cgroup fixes

cgroups: rework how hierarchies are added

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix fd leaks

They didn't really matter because we want to keep them around for as long as
the container lives anyway.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: allow "" base cgroup paths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

string_utils: handle empty strings in must_make_path()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: improve logging

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework legacy cpuset handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fd-based only cgroup creation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: stash fds for the controller mountpoint and base cgroup path

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fail when no cgroup hierarchies are found

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework base cgroup parsing

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: rework add_hierarchy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: better document stashed file descriptors

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: stash host's cgroupfs file descriptor

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/cg_init()/__cgroup_init()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3674 from brauner/2021-02-15/nesting

cgroups: tighten cgroup config items

confile: forbid absolute paths in config items that modify the cgroup layout

This is not a safety measure but merely is supposed to raise awareness that
these paths are always relative to the cgroup root as determined by
lxc.cgroup.relative.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: forbid walking upwards for confile items that modify cgroup layout

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: normalize paths in config items

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: use set_config_path_item() for most cgroup layout modifiers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3673 from brauner/2021-02-15/nesting

cgroups: first batch of cgroup mounting fixes

cgroupfs: rework cgroup2 mounting

We now explicitly refuse to mount cgroups on pure unified layouts when the
container is not running in a separate cgroup namespace. This is not a
regression since we simply always failed before anyway. I will likely fix this
very soon though. But there are bigger fish to fry currently.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: log early return

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/__cg_mount_direct()/__cgroupfs_mount()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: strip LXC_AUTO_CGROUP_MIXED and LXC_AUTO_CGROUP_FULL_MIXED when cgroup namespaces are supported and used

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix flag checking in legacy mount paths

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/cg_mount_cgroup_full()/cgroupfs_bind_mount()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: s/cg_mount_in_cgroup_namespace()/cgroupfs_mount()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove wrong comment

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: switch to flag-based checking

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>