Release LXC 3.0.1

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Patch lxc-update-config

The current script doesn't generate a valid configuration for
lxc.network.ipv4 key, it lacking an .address part which lead to:

parse.c: lxc_file_for_each_line: 58 Failed to parse config: lxc.net.0.ipv4 = 192.168.10.101/24

Signed-off-by: Julien Surloppe <julien@surloppe.fr>

templates: fix download template

This patch fixes
commit 6e62213e0294 ("templates: actually create DOWNLOAD_TEMP directory".
To use mktemp -p correctly the directories need to exist. So call mkdir -p.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

templates: actually create DOWNLOAD_TEMP directory

The way 'mktemp' is currently used you will get a temp directory in
$TMPDIR or '/tmp' and DOWNLOAD_TEMP will not be pointing to an actual
directory. This will result in the wget operations failing and the
container will fail to create:

    ERROR: Failed to download http://....

Instead we want to use the '-p' option for mktemp to set the base path
and this will ensure that the temp directory is created in the correct
location and DOWNLOAD_TEMP will be consistent with this location.

Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>

confile_utils: apply strprint()

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

tree-wide: fix mode of some files

commit 321db0260f6f ("start: fix waitpid() blocking issue") and
commit b2a485085392 ("change defines for return value of handlers)
changed the mode of files.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: log unknown info.si_code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix waitpid() blocking issue

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

change defines for return value of handlers

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

confile: improve strprint()

POSIX specifies [1]:
"If the value of n is zero on a call to snprintf(), nothing shall be written,
the number of bytes that would have been written had n been sufficiently large
excluding the terminating null shall be returned, and s may be a null pointer."

But in case there are any non-sane libcs out there that do actually dereference
the buffer when when 0 is passed as length to snprintf() let's give them a
dummy buffer.

[1]: The Open Group Base Specifications Issue 7, 2018 edition
     IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008)
     Copyright © 2001-2018 IEEE and The Open Group

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reported-by: Donghwa Jeong <dh48.jeong@samsung.com>

conf: va_end was not called.

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: make tmp_umount_proc bool

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: make root idmap structs const

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: add reboot macros

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: ensure lxc_delete_tty() does not crash

We need to make sure that the ttys are actually initialized otherwise deleting
them is not safe.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: do not init ns_clone_flags to -1

ns_clone_flags is used as a bitmask so initializing it to -1 is a bad idea.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: fix socket handle leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

utils: fix task_blocking_signal()

Closes #2342.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: pts -> pty_max

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: simplify tty handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: reshuffle mount members

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: make close_all_fds a boolean

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: make is_execute a boolean

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435747

Dereference before null check

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435803

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435805

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435806

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value II

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: make do_resolve_add_rule() more strict

Let's error out on syscalls that cannot be resolved or fail to resolve instead
of just warning users.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: parse_v2_rules()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: lxc_read_seccomp_config()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: error on unrecognized actions

Be more strict about unrecognized actions. Previously the
parser would happily accept lines with typos like:

  kexec_load errrno 1

(note the extra 'r')

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

seccomp: refactor line handling of parse_config

Moving parse_config_v2 to use getline accidentally parsed
the wrong buffer. Since both _v1 and _v2 now use getline it
seems to be simpler to also use getline() for the first line
before entering the version specific parsers and pass along
the pointer and size so they can reuse them.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: 9c3798eba41c ("seccomp: parse_config_v2()")

seccomp: re-add action parse error handling

This can happen when the 'errno' action can't parse its
supplied number.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: f67c94d00a0d ("seccomp: parse_v2_rules()")

seccomp: leak fixup

Fix an error case not free()ing the line forgotten during
the move from fgets() on a static buffer to using getline.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: ccf8d128e430 ("seccomp: parse_config_v1()")

start: log setns() failure

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: order architectures

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fix fd leaks when sending signals

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix task_blocking_signal()

sscanf() skips whitespace anyway so don't account for tabs in case the file
layout changes.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/sigprocmask/pthread_sigmask()/g

The behavior of sigprocmask() is unspecified in multi-threaded programs. Let's
use pthread_sigmask() instead.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: lxc_read_seccomp_config()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: parse_config()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: parse_config_v2()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: do_resolve_add_rule()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: scmp_filter_ctx get_new_ctx()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: get_hostarch()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: move #ifdefines

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: parse_v2_rules()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: fix get_seccomp_arg_value()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: get_v2_action()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: get_action_name()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: get_v2_default_action()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: add remove_trailing_newlines()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: parse_config_v1()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxcseccomp: cleanup header

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: fix type mismatch when parsing syscall arguments filters

Specifier %lli was insufficient for the type uint64_t, all values
between 2^63-1 and 2^64-1 were silently converted to 2^63-1.

We can't use %llu since it doesn't handle hexadecimal. Instead, we
parse the values as strings and then use strtoull(3).

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

seccomp: remove unnecessary memset

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

seccomp: remove confusing comment line

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

seccomp: fix off-by-one error in array allocation for sscanf

The maximum field width does not include the null terminator.

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

tools: only create log file when requested

We used to initialize a log unconditionally before. This has led to scenarios
where users where left with container directories and an empty log file even
though they didn't request a log be created at all.
Switch all tools to only create a log file when the user explicitly requests
this.

Closes #1779.
Closes #2032.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: use execveat() syscall if supported

The execveat allows us to exec stuff via a fd so we don't have to bind mount
stuff in. See the comment about why we're using the syscall directly.

Closes #2339.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
[christian.brauner@ubuntu.com: adapt error message and whitespace fixes]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-init: skip signals that can't be caught

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: enable per-thread container name prefix

When using the LXC API multi-thread and users initialize a log:

struct lxc_log log;
log.name = "my-log";
lxc_log_init(&log);

all threads will have the same "my-log" prefix even though thy might call
lxc_container_new() in separate threads. There is currently no easy way to
handle per-thread container name prefixes.
To handle this carry a reference to the name of the container in struct
lxc_conf and if no log.name was set, use it by default. This way each thread
will get the container it is currently working on as a log-prefix.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reported-by: duguhaotian <duguhaotian@gmail.com>

conf: simplify write_id_mapping()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: #ifdef SCMP_ARCH_AARCH64

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove freezer_state()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: refactor cgroup handling

This replaces the constructor implementation of cgroup handling with a simpler,
thread-safe on-demand model of cgroup driver initialization.
Making the cgroup initialization code run in a constructor means that each time
the shared library gets mapped the cgroup parsing code gets run. That's
unnecessary overhead.
It also feels to me that this is only accidently thread-safe because
constructors are only run once. But should threads actually end up manipulating
or freeing memory that is file-global to cgfsng.c we'd be screwed. Now, I might
be wrong here but the cleaner implementation is to allocate a cgroup driver on
demand whenever we need it.
Take the chance and rework the cgroup_ops interface to make the functions it
wants to have implemented a lot cleaner.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425802

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

capabilities: raise ambient capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>

coverity: #1248106

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1425836

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

config: allow read-write /sys in user namespace

Unprivileged containers can safely mount /sys as read-write. This also allows
systemd-udevd to be started in unprivileged containers.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425844

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1435602

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435603

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435604

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

doc: Fix size unit style in Japanese lxc.container.conf(5)

fix "kB" to "KB", and tweak description. Update for commit 6d276ed and
6d276ed .

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add "-d/--daemon" option to Japanese lxc-execute(1)

Update for commit 4160ef0

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

tools: s/strncpy()/memcpy()/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "tools: s/strncpy()/strlcpy()/g"

This reverts commit 2ec47d5149e73db97f7877d06d67cb11421097bb.

First, I forgot to actually replace strncpy() with strlcpy(). Second, we don't
want to \0-terminate since this is an abstract unix socket and this is not
required. Instead, let's simply use memcpy() which is more correct and also
silences gcc-8.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: add section about using strlcpy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

strlcpy: add strlcpy() implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix parse_byte_size_string() coding style

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

support case ignored suffix for sizes

suffix of console max size and console buffer max size

Signed-off-by: l00355512 <liuhao27@huawei.com>

network: adhere to IFNAMSIZ limit

The additional \0-byte space added is not needed since IFNAMSIZ needs to
include the \0-byte.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: silence gcc-8

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: satisfy gcc-8

Apparently -Werror=stringop-overflow will trigger an error here even though
this is completely valid since we now that we're definitely copying a \0-byte.
Work around this gcc-8 quirk by using memcpy(). This shouldn't trigger the
warning.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: account for terminating \0 byte

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425744

Dereference after null check

userns_exec_{1,full} are called from functions that might not have a conf.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1248105

Time of check time of use

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1248104

Argument cannot be negative

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

genl: remove

These files have never been used and as such have no dependencies in the
codebase whatsoever. So remove them. If we need them we can simply pull them
out of the git history.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: set init_path when existing init is found

I'm not really sure we should be looking in the rootfs for an existing
init, but I'll send a much more invasive patch to correct that. For now,
let's just make sure we set init_path when we find one, so that later in
execute_start() we don't bail.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>