conf: va_end was not called.

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

network: fix socket handle leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

utils: fix task_blocking_signal()

Closes #2342.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435803

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435805

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value II

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: order architectures

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fix fd leaks when sending signals

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix task_blocking_signal()

sscanf() skips whitespace anyway so don't account for tabs in case the file
layout changes.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/sigprocmask/pthread_sigmask()/g

The behavior of sigprocmask() is unspecified in multi-threaded programs. Let's
use pthread_sigmask() instead.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-init: skip signals that can't be caught

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425802

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

capabilities: raise ambient capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>

config: allow read-write /sys in user namespace

Unprivileged containers can safely mount /sys as read-write. This also allows
systemd-udevd to be started in unprivileged containers.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425844

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1248106

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1425836

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1435603

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435604

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "tools: s/strncpy()/strlcpy()/g"

This reverts commit 2ec47d5149e73db97f7877d06d67cb11421097bb.

First, I forgot to actually replace strncpy() with strlcpy(). Second, we don't
want to \0-terminate since this is an abstract unix socket and this is not
required. Instead, let's simply use memcpy() which is more correct and also
silences gcc-8.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: add section about using strlcpy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

strlcpy: add strlcpy() implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

autodev: adapt to changes in Linux 4.18

Starting with commit
55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
available.
However, these device nodes are useless since

static struct super_block *alloc_super(struct file_system_type *type, int flags,
                                       struct user_namespace *user_ns)
{
    /* <snip> */

    if (s->s_user_ns != &init_user_ns)
            s->s_iflags |= SB_I_NODEV;

    /* <snip> */
}

will set the SB_I_NODEV flag on the filesystem. When a device node created in
non-init userns is open()ed the call chain will hit:

bool may_open_dev(const struct path *path)
{
    return !(path->mnt->mnt_flags & MNT_NODEV) &&
            !(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
}

which will cause an EPERM because the device node is located on an fs
owned by non-init-userns and thus doesn't grant access to device nodes due to
SB_I_NODEV.

This commit enables LXC to deal with such kernels.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: adhere to IFNAMSIZ limit

The additional \0-byte space added is not needed since IFNAMSIZ needs to
include the \0-byte.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: silence gcc-8

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: account for terminating \0 byte

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425744

Dereference after null check

userns_exec_{1,full} are called from functions that might not have a conf.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

genl: remove

These files have never been used and as such have no dependencies in the
codebase whatsoever. So remove them. If we need them we can simply pull them
out of the git history.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: account for -o path option count

This always works fine... until your exec() fails and you try to go and
free it, you've overwritten the allocator's metadata (and potentially other
stuff) and it fails.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

lxc-unshare: add missing declaration

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: do not check inherited fds again

This is already done in do_lxcapi_start{l}() so a) no need to do it again here
and b) this would close the state socket pair sockets, corrup the fd, and lead
to EBADF.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: use static buffer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix logic for execute log file

The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

coverity: #1435263

Use after free

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_unfreeze()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_freeze()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_is_running()

There's no need to do string comparisons.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use thread-safe *_OFD_* locks

If they aren't available fallback to BSD flock()s.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435198

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435205

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435207

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435208

Unused value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fix memory leak in list_active_containers

Signed-off-by: LiFeng <lifeng68@huawei.com>

Fix the memory leak in cgfsng_attach

Signed-off-by: LiFeng <lifeng68@huawei.com>

do_lxcapi_create: set umask

Always use 022 as the umask when creating the rootfs directory and
executing the template. A too loose umask may cause security issues.
A too strict umask may cause programs to fail inside the container.

Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>

conf: ret-try devpts mount without gid=5 on error

We should always default to mounting devpts with gid=5 but we should fallback
to mounting without gid=5. This let's us cover use-cases such as container
started with only a single mapping e.g.:

lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1

Closes #2257.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: define __NR_setns if missing on old glibcs

Closes #2248.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc init: coding style

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc init: remove dead code

Value stored is never read.

Closes #2262.

Signed-off-by: C0deAi <techsupport@mycode.ai>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix signal sending in lxc.init

The problem here is that these two clauses were ordered backwards: we first
check if the signal came from not the init pid, and if it did, then we give
a notice and return. The comment notes that this is intended to protect
against SIGCHLD, but we don't in fact know if the signal is a SIGCHLD yet,
because that's tested in the next hunk.

The symptom is that if I e.g. send SIGTERM from the outside world to the
container init, it ignores it and gives this notice. If we re-order these
clauses, it forwards non SIGCHLD signals, and ignores SIGCHLD signals from
things that aren't the real container process.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

locktests: fix test suite

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxclock: use thread-safe *_OFD_* fcntl() locks

If they aren't available fallback to BSD flock()s.

Closes #2245.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: always make us dumpable

Otherwise lxc.hook.mount hooks that try to inspect /proc/<pid>/*
will fail.

Cc: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: simplify lxc_fill_autodev()

This function was way more syscall heavy than it needed to be.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Rename ifup/down and remove usless parameter passing

Signed-off-by: Felix <de-ch@hotmail.de>

fix handler use-after-free

The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.

Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.

Closes #2218
Closes #2219

Reported-by: Felix Abecassis <fabecassis@nvidia.com>
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

conf: fix clang warning when building w/o libcap

when compiling lxc with clang-5.0 parse_cap()'s main loop will produce a
warning about a tautological comparision (#2215).

By moving the result of computation into a variable (end) this is no
longer a constant expression. clang-5.0 does not do dataflow analysis at
this point, so it is, to quote someone from #llvm, "morally equivalent"
to casting `(int)i`.

in addition, we also clean up the #if HAVE_LIBCAP to no longer need
its #else branch!

Signed-off-by: Igor Galić <igor.galic@automatic-server.com>

Revert "cgroups: don't escape if we're not real root"

This reverts commit 8d961e28f1d759669b477a659cbb694aaa2af915.

Unfortunately I don't believe the check is correct in the general case.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>

cgroups: don't escape if we're not real root

If we're host unpriv but root in our userns, we can't really escape
cgroups. Let's switch the cgroup escape test to reflect this.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

usernsexec: init log fd

lxc-usernsexec uses some functions (e.g. lxc_map_ids()), which are part of
the lxc library and thus use the WARN etc. macros to emit log messages.
However, it doesn't initialize the log in any way, so these messages go
into the ether.

lxc-usernsexec currently has no log parameters, so let's just log these to
stderr. Someone can do something fancier later if they want.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Add a workaround for a build issue with old versions of libcap

Fixes: #2178
Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

CODING_STYLE: add languages to highlight

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: arrays of structs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: clang-format

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: remove duplicate _exit() entry

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

config: start with a full capability set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mainloop: add LXC_MAINLOOP_ERROR

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgfsng: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc_init: don't mount filesystems

We have an extensive set of container config options to do this
for us, and doing this unconditionally breaks several use cases.
For instance, if we want to bind mount a /dev/shm using the
container configuration, then lxc-execute, then lxc-init will
rudely unmount the /dev/shm and remount it as a private tmpfs.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>

lxc-snapshot: fix segfault

https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1751780

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: remove mutex from state client list

I was thinking about the locking here yesterday and it dawned on me that we
actually don't need this at all:
- possible contention between traversing list to send states to state clients
  and adding new state clients to the list:
  It is the command handler that adds new state clients to the state client
  list. The command handler and the code that actually sends out the container
  states run in the same process so there's not contention and thus no locking
  needed.
- adding state clients to the list from multiple threads:
  The command handler itself is single-threaded so only one thread's request can
  be served at the same time so no locking is needed.
- sending out the state to state clients via the command handler itself:
  The state client also adds and removes state clients from the state client
  list so there's no locking needed.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: add section about _exit()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix download template for /tmp as tmpfs or noexec

* prepend $LXC_PATH to $DOWNLOAD_TEMP on systems with /tmp mounted
  securely as a small tmpfs / noexec

* gpg_setup() creates $DOWNLOAD_TEMP so remove superflous mkdir

* fixes https://github.com/lxc/lxc/issues/516

Signed-off-by: Stuart Cardall <developer@it-offshore.co.uk>

cgfsng: fix get_hierarchy() for unified hierarchy

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: du_dump()

thread-safety: s/exit()/_exit()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: do_restore()

thread-safety: s/exit()/_exit()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: criu_version_ok()

thread-safety: s/exit()/_exit()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: create_container_dir()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_create_container_dir()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: lxcapi_startl()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: lxcapi_start()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: free_init_cmd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: split_init_cmd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: push_arg()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: am_single_threaded()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_wait()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_want_close_all_fds()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_want_daemonize()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_load_config()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: load_config_locked()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: lxcapi_console()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_console_getfd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_unfreeze()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>