coverity: #1437936

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: simplify lxc_attach_getpwshell()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: thread-safety backports

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: don't unconditionally open("/dev/null")

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425816

Explicit null dereferenced

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

CODING_STYLE: add section about using strlcat()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: account for Android's Bionic's strerror_r()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: add lxc_log_strerror_r macro

Let's ensure that we always use the thread-safe strerror_r() function and add
an approriate macro.
Additionally, define SYS*() macros for all log levels. They will use the new
macro and ensure thread-safe retrieval of errno values.

Signed-off-by: 2xsec <dh48.jeong@samsung.com>
[christian.brauner@ubuntu.com: simplify lxc_log_strerror_r macro]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

move some comments in lxc.spec.in

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

monitor: change exit() => _exit() system call in child process

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

commands: simplify lxc_cmd()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix pointer c is dereferenced after checking null

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

fix fd handle leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

secure coding: #2 strcpy => strlcpy

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

btrfs: fix get_btrfs_subvol_path()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

include: add strlcat() implementation

CC: Donghwa Jeong <dh48.jeong@samsung.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

btrfs: fix btrfs_snapshot()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

secure coding: network: strcpy => strlcpy

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

secure coding: strcpy => strlcpy

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1437027

Read from pointer after free

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425855

String not null terminated

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425789

Unchecked return value from library

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425846

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425840

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425837

String not null terminated

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425825

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425824

Missing break in switch

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425819

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425818

Dereference after null check

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425813

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425810

Explicit null dereferenced

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425799

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425793

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425792

Insecure temporary file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425789

Unchecked return value from library

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425771

Insecure temporary file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425770

Insecure temporary file

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

include: add getgrgid_r()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage: Resource leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425768

Untrusted array index read

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425767

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425766

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425760

Use of untrusted scalar value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425778

Out-of-bounds write

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

coverity: #1437017

Uninitialized pointer

Signed-off-by: 2xsec <dh48.jeong@samsung.com>

fix getgrgid() thread safe issue

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

fix getpwuid() thread safe issue

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1436916

Resource leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

attach: fix double free

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

fix getpwnam() thread safe issue

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

tools: restore lxc-create log behavior

Older versions of lxc-create used to set log_file to "none" when a log priority
but no log file was specified on the command line. Let's restore this behavior.

Closes #2392.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425781

Resource leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

arguments: improve some operations

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

conf: only use newuidmap and newgidmap when necessary

Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>

coverity: #1425836

Resource leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425849

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425841

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425795

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425794

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425779

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

coverity: #1425777

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

Fix typo

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

support tls in cross-compile

AC_RUN_IFELSE will fail in cross-compile,
we can use AC_COMPILE_IFELSE replace.

Signed-off-by: duguhaotian <duguhaotian@gmail.com>

conf: copy mountinfo for remount_all_slave()

While a container reads mountinfo from proc fs, the mountinfo can be changed by
the kernel anytime. This has caused critical issues on some devices.

Signed-off-by: Donghwa Jeong dh48.jeong@samsung.com
Reported-by: Donghwa Jeong dh48.jeong@samsung.com
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: handle EINTR in some read()/write()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: log unknown info.si_code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: fix waitpid() blocking issue

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

confile: improve strprint()

POSIX specifies [1]:
"If the value of n is zero on a call to snprintf(), nothing shall be written,
the number of bytes that would have been written had n been sufficiently large
excluding the terminating null shall be returned, and s may be a null pointer."

But in case there are any non-sane libcs out there that do actually dereference
the buffer when when 0 is passed as length to snprintf() let's give them a
dummy buffer.

[1]: The Open Group Base Specifications Issue 7, 2018 edition
     IEEE Std 1003.1-2017 (Revision of IEEE Std 1003.1-2008)
     Copyright © 2001-2018 IEEE and The Open Group

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reported-by: Donghwa Jeong <dh48.jeong@samsung.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: va_end was not called.

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

network: fix socket handle leak

Signed-off-by: Donghwa Jeong <dh48.jeong@samsung.com>

utils: fix task_blocking_signal()

Closes #2342.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435803

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435805

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value II

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix lxc-create with global config value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: order architectures

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fix fd leaks when sending signals

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: fix task_blocking_signal()

sscanf() skips whitespace anyway so don't account for tabs in case the file
layout changes.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/sigprocmask/pthread_sigmask()/g

The behavior of sigprocmask() is unspecified in multi-threaded programs. Let's
use pthread_sigmask() instead.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-init: skip signals that can't be caught

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425802

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

capabilities: raise ambient capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>

config: allow read-write /sys in user namespace

Unprivileged containers can safely mount /sys as read-write. This also allows
systemd-udevd to be started in unprivileged containers.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425844

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1248106

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1425836

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1435603

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435604

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "tools: s/strncpy()/strlcpy()/g"

This reverts commit 2ec47d5149e73db97f7877d06d67cb11421097bb.

First, I forgot to actually replace strncpy() with strlcpy(). Second, we don't
want to \0-terminate since this is an abstract unix socket and this is not
required. Instead, let's simply use memcpy() which is more correct and also
silences gcc-8.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

CODING_STYLE: add section about using strlcpy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

strlcpy: add strlcpy() implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

autodev: adapt to changes in Linux 4.18

Starting with commit
55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
available.
However, these device nodes are useless since

static struct super_block *alloc_super(struct file_system_type *type, int flags,
                                       struct user_namespace *user_ns)
{
    /* <snip> */

    if (s->s_user_ns != &init_user_ns)
            s->s_iflags |= SB_I_NODEV;

    /* <snip> */
}

will set the SB_I_NODEV flag on the filesystem. When a device node created in
non-init userns is open()ed the call chain will hit:

bool may_open_dev(const struct path *path)
{
    return !(path->mnt->mnt_flags & MNT_NODEV) &&
            !(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
}

which will cause an EPERM because the device node is located on an fs
owned by non-init-userns and thus doesn't grant access to device nodes due to
SB_I_NODEV.

This commit enables LXC to deal with such kernels.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: adhere to IFNAMSIZ limit

The additional \0-byte space added is not needed since IFNAMSIZ needs to
include the \0-byte.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: silence gcc-8

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: account for terminating \0 byte

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425744

Dereference after null check

userns_exec_{1,full} are called from functions that might not have a conf.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

genl: remove

These files have never been used and as such have no dependencies in the
codebase whatsoever. So remove them. If we need them we can simply pull them
out of the git history.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

execute: account for -o path option count

This always works fine... until your exec() fails and you try to go and
free it, you've overwritten the allocator's metadata (and potentially other
stuff) and it fails.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>