Fixing hooks functionality Android where 'sh' is placed under /system/bin

Signed-off-by: ondra <ondrak@localhost.localdomain>

Fix memory leak in cgroup_exit

Add free memory pointed by struct cgroup_ops *ops

Signed-off-by: LiFeng <lifeng68@huawei.com>

conf.c: fix memory leak and mount error

1. cleanup namespace memory
2. fix bug when ro mount not setted, mount propagation will be skipped.

Signed-off-by: t00416110 <tanyifeng1@huawei.com>

Revert "conf: remove extra MS_BIND with sysfs:mixed"

This reverts commit 51a922baf724689ff3a0df938ca8975601c9c815.

The above commit confuses the mountall unit of privileged
Ubuntu 14.04 containers at startup so that they cannot
finish booting.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

network: prefix veth interface name with uid info

Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: handle missing CLONE_NEWCGROUP

If cgroup namespaces are not supported we should just record it in the
log and move on.

Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixing compile error when compiling for android

Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>

fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to substract 1 from strlen().

Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>

lxccontainer: fix container copy

We need to strip the prefix from the container's source path before
trying to update the file.

Closes #2380.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "Set c to NULL after freeing it"

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>

conf: use SYSERROR on lxc_write_to_file errors

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Set c to NULL after freeing it

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>

terminal: remove sigwinch command

SIGWINCH is handled in lxc_terminal_signalfd_cb().

I cannot for the life of me figure out what this is supposed to do.
Afaict, it scans a global list that is totally unnecessary and also
let's say you have 100 ttys and for a single one SIGWINCH is sent. In
that case the whole list is walked and two ioctl()s are performed: one
to get window size one to set window size. For 99 of them the window
size hasn't changed.
If we see issues we can revert!

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: add newline to lxc-cgroup output

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix lxc-cgroup not giving output

lxc-cgroup fails to provide any output since the latest version, this
should fix it

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>

storage: remove unused function

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

configure.ac: fix build without stack-protector

Compiler based hardening (including -fstack-protector-strong) are
enabled since version 3.0.3 and
https://github.com/lxc/lxc/commit/2268c27754152aa538db2c9e3753d72d19bcd17a

However, some compilers could missed the needed library (-lssp or
-lssp_nonshared) at linking step so use ax_check_link_flag instead of
ax_check_compile_flag

Fixes:
 - http://autobuild.buildroot.org/results/0b90e7dca2984652842832a41abad93ac49a9b86

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

stringutils: include stdarg for va_list

Fixes:
 - http://autobuild.buildroot.org/results/0b90e7dca2984652842832a41abad93ac49a9b86

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Add template-options to help output

Copied from the [manpage](https://github.com/lxc/lxc/blob/9e42c1e3f102be48be9014e1ecbacc2a57446e20/doc/lxc-create.sgml.in#L175).

Signed-off-by: Adam Kasztenny <adamkasztenny@gmail.com>

fix install error when using --disable-commands option

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

lxc-usernsexec: fix default map functionality

* Place NULL bytes at the end of strings so that
  lxc_safe_ulong() can parse them correctly

* Only free the newly created id_map on error,
  to avoid passing garbage to lxc_map_ids()

Signed-off-by: Cameron Nemo <camerontnorman@gmail.com>

rexec: handle old kernels

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

include: add fexecve() for Android's Bionic

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CVE-2019-5736 (runC): rexec callers as memfd

Adam Iwaniuk and Borys Popławski discovered that an attacker can compromise the
runC host binary from inside a privileged runC container. As a result, this
could be exploited to gain root access on the host. runC is used as the default
runtime for containers with Docker, containerd, Podman, and CRI-O.

The attack can be made when attaching to a running container or when starting a
container running a specially crafted image.  For example, when runC attaches
to a container the attacker can trick it into executing itself. This could be
done by replacing the target binary inside the container with a custom binary
pointing back at the runC binary itself. As an example, if the target binary
was /bin/bash, this could be replaced with an executable script specifying the
interpreter path #!/proc/self/exe (/proc/self/exec is a symbolic link created
by the kernel for every process which points to the binary that was executed
for that process). As such when /bin/bash is executed inside the container,
instead the target of /proc/self/exe will be executed - which will point to the
runc binary on the host. The attacker can then proceed to write to the target
of /proc/self/exe to try and overwrite the runC binary on the host. However in
general, this will not succeed as the kernel will not permit it to be
overwritten whilst runC is executing. To overcome this, the attacker can
instead open a file descriptor to /proc/self/exe using the O_PATH flag and then
proceed to reopen the binary as O_WRONLY through /proc/self/fd/<nr> and try to
write to it in a busy loop from a separate process. Ultimately it will succeed
when the runC binary exits. After this the runC binary is compromised and can
be used to attack other containers or the host itself.

This attack is only possible with privileged containers since it requires root
privilege on the host to overwrite the runC binary. Unprivileged containers
with a non-identity ID mapping do not have the permission to write to the host
binary and therefore are unaffected by this attack.

LXC is also impacted in a similar manner by this vulnerability, however as the
LXC project considers privileged containers to be unsafe no CVE has been
assigned for this issue for LXC. Quoting from the
https://linuxcontainers.org/lxc/security/ project's Security information page:

"As privileged containers are considered unsafe, we typically will not consider
new container escape exploits to be security issues worthy of a CVE and quick
fix. We will however try to mitigate those issues so that accidental damage to
the host is prevented."

To prevent this attack, LXC has been patched to create a temporary copy of the
calling binary itself when it starts or attaches to containers. To do this LXC
creates an anonymous, in-memory file using the memfd_create() system call and
copies itself into the temporary in-memory file, which is then sealed to
prevent further modifications. LXC then executes this sealed, in-memory file
instead of the original on-disk binary. Any compromising write operations from
a privileged container to the host LXC binary will then write to the temporary
in-memory binary and not to the host binary on-disk, preserving the integrity
of the host LXC binary. Also as the temporary, in-memory LXC binary is sealed,
writes to this will also fail.

Note: memfd_create() was added to the Linux kernel in the 3.17 release.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Co-Developed-by: Aleksa Sarai <asarai@suse.de>
Acked-by: Serge Hallyn <serge@hallyn.com>

Merge pull request #2830 from brauner/2019-02-08/capabilities_stable-3.0

caps: check uid and euid

caps: check uid and euid

When we are running inside of a user namespace getuid() will return a
non-zero uid. So let's check euid as well to make sure we correctly drop
capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2772 from brauner/2018-01-09/fix_cgroup_deletion_stable-3.0

cgfsng: do not free container_full_path on error

cgfsng: do not free container_full_path on error

Closes #2741.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2758 from Blub/2018-12-17/stable-3.0/apparmor-bind-remount

apparmor: allow various remount,bind options

apparmor: allow various remount,bind options

RW bind mounts need to be restricted for some paths in
order to avoid MAC restriction bypasses, but read-only bind
mounts shouldn't have that problem.

Additionally, combinations of 'nosuid', 'nodev' and
'noexec' flags shouldn't be a problem either and are
required with newer systemd versions, so let's allow those
as long as they're combined with 'ro,remount,bind'.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
(cherry picked from commit e6ec0a9e71aa68c9fd67c691a62aaae87e356cef)

Release LXC 3.0.3

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #2735 from brauner/lxc/stable-3.0

start: don't call cgroup_exit() twice

start: don't call cgroup_exit() twice

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgfsng: remove freezer requirement

The freezer controller has been made optional in all other codepaths so
don't require it.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

autotools: fix lxc-{create,copy} build

After commit 2b670df lxc-create and lxc-copy fails with "undefined
symbol: get_fssize".

Closes #2730

Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>

utils: make keyring allocation failure non-fatal

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Adds -qq flags to lvcreate commands to avoid answer 'no' to ant questions the LVM subsystem asks to avoid hanging lxc-create command

Signed-off-by: tomponline <tomp@tomp.uk>

utils: add errno logs for exception case

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

utils: fix coding styles

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

pam_cgfs: remove dependency from cap & log

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

cgfs: remove redundancy utils

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

pam_cgfs: remove redundancy file utils

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

conf: s/ty/tty/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

dlog: move match_dlog_fds()

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

log: replace write with lxc_write_nointr

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

caps: replace read with lxc_read_nointr

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

Fix spacing error in namespace.c

Signed-off-by: Jungsub Shin supsup5642@tmax.co.kr

include: correctly include macro.h

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: move to separate branch

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: fix too wide or inconsistent non-owner permissions

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

string_utils: coding rules

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

lxcmntent: coding rules

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

spelling: without

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: userns

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: unsigned

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: timeout

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: syscall

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: successfully

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: subtracting

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: specify

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: specified

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: snapshotting

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: securityfs

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: root

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: returns

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: potentially

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: portion

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: pertains

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: perhaps

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: passphrase

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: override

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: overridden

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: overlayfs

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: output

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: otherwise

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: namespace

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: loglevel

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: libraries

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: keepdata

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: javascript

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: initialize

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: inherited

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: implementations

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: ifindices

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: hoops

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: hierarchy

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: github

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: feature

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: explicitly

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: exiting

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: device

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: describing

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: could

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: convenience

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: control

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: container

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: constant

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: configuration

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: committer

Signed-off-by: Josh Soref <jsoref@gmail.com>

spelling: command

Signed-off-by: Josh Soref <jsoref@gmail.com>