git.ipfire.org Git - thirdparty/lxc.git/log
Serge Hallyn [Sat, 12 Apr 2025 04:13:08 +0000 (23:13 -0500)]
selinux: fix typo (AppArmor)
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Simon Deziel [Tue, 8 Apr 2025 19:11:44 +0000 (15:11 -0400)]
meson_options.txt: remove space before `:` for consistency
Essentially doing: `s/ : /: /g`
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Simon Deziel [Tue, 8 Apr 2025 19:10:33 +0000 (15:10 -0400)]
meson_options.txt: don't use str when defining bool default values
Avoids this deprecation notice from `meson` 1.3.2:
```
:: NOTICE: Future-deprecated features used:
:: * 1.1.0: {'"boolean option" keyword argument "value" of type str'}
```
Other options already use this syntax so backward compat should remain unchanged.
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Stéphane Graber [Tue, 8 Apr 2025 14:49:13 +0000 (10:49 -0400)]
bionic: Remove custom getline, openpty and prlimit
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 8 Apr 2025 14:36:14 +0000 (10:36 -0400)]
bionic: Remove bionic detection and support
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 8 Apr 2025 14:46:35 +0000 (10:46 -0400)]
README: Remove mention of old LXC version
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Sat, 5 Apr 2025 05:11:18 +0000 (01:11 -0400)]
start: Re-introduce first SET_DUMPABLE call
Without it, we're running into issues with complex hooks like nvidia.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 3 Apr 2025 19:42:48 +0000 (15:42 -0400)]
Release LXC 6.0.4
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Alexander Mikhalitsyn [Thu, 3 Apr 2025 11:26:42 +0000 (13:26 +0200)]
lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch
We need to do prctl(PR_SET_DUMPABLE) later, after last lxc_switch_uid_gid()
call. Because otherwise, our earlier call won't be effective as commit_creds()
in the kernel [1] will set_dumpable(task->mm, suid_dumpable) if UID/GID or capabilities
were affected by lxc_switch_uid_gid() call.
This only affects LXC API ->start(struct lxc_container *c, int useinit, char *const argv[])
call when useinit == 1 because in this case we don't perform additional exec() and
task's dumpable bit remains set to 2 (default value taken from /proc/sys/fs/suid_dumpable).
If useinit == 0, then we do exec() (see start_ops->start callback) and then dumpable
flag will be reset in begin_new_exec() to SUID_DUMP_USER=1 [2]. Then everything will be fine.
Reproducer (problem with lxc-attach).
1. Create unprivileged container
```
$ ./normalbuild/src/lxc/tools/lxc-create -n testcaps -t download
```
with busybox template and config:
```
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.init.uid = 1234
lxc.init.gid = 4321
lxc.init.cwd = /
lxc.sched.core = 1
```
2. Run a container with useinit = 1
```
$ ./lxcbuild/src/lxc/tools/lxc-execute -n testcaps -l TRACE -o /home/ubuntu/debug.log -- /bin/sleep 100
```
3. Try to attach
```
$ strace -f -e prctl ./normalbuild/src/lxc/tools/lxc-attach -n testcaps
prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, 4124, 0 /* PIDTYPE_PID */, [0xd00f7fff]) = 0
strace: Process 4165 attached
strace: Process 4166 attached
[pid 4166] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4166, si_uid=100000, si_status=0, si_utime=0, si_stime=0} ---
strace: Process 4167 attached
[pid 4167] prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, 1, 0 /* PIDTYPE_PID */, NULL) = -1 EPERM (Operation not permitted) <<<<< OOPS
[pid 4165] +++ exited with 0 +++
[pid 4164] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4165, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1160 Operation not permitted - Failed to join core scheduling domain of 4124
lxc-attach: testcaps: ../src/lxc/attach.c: do_attach: 1382 Failed to attach to container
```
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM...) fails with EPERM, because:
- container's init task->mm: (get_dumpable(mm) != SUID_DUMP_USER)
AND
- mm->user_ns == init_user_ns (as there was no exec() and mm_struct->user_ns was set in the initial
user namespace when we run lxc-execute)
( for more details see [3] )
[1] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/cred.c#L412
[2] https://github.com/torvalds/linux/blob/a2cc6ff5ec8f91bc463fd3b0c26b61166a07eb11/fs/exec.c#L1331
[3] https://github.com/torvalds/linux/blob/acc4d5ff0b61eb1715c498b6536c38c1feb7f3c1/kernel/ptrace.c#L344
Reported-by: Stéphane Graber <stgraber@stgraber.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 2 Apr 2025 09:01:15 +0000 (11:01 +0200)]
lxc/caps: fix open /proc/sys/kernel/cap_last_cap
Since 7418b27f1 ("tree-wide: use __u32 for capabilities") open
/proc/sys/kernel/cap_last_cap never worked, it was failing with
EXDEV and we were using a fallback codepath to get a last cap.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 2 Apr 2025 08:52:16 +0000 (10:52 +0200)]
lxc/conf: handle rootfs open_at error in lxc_mount_rootfs
If LXC build is misconfigured, for instance, --prefix=/
and /lib is a symlink to /usr/lib then open_at always fails
to open rootfs. Let's add an error print to make it easier to
figure this out.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 2 Apr 2025 08:45:11 +0000 (10:45 +0200)]
tools/lxc_attach: fix ENFORCE_MEMFD_REXEC checks
We unconditionally define ENFORCE_MEMFD_REXEC in meson.build
to a corresponding boolean value, so we need to use #if
instead of #ifdef in the code.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Stéphane Graber [Tue, 1 Apr 2025 05:08:29 +0000 (01:08 -0400)]
github: Add packaging workflow
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Sun, 16 Mar 2025 06:23:00 +0000 (02:23 -0400)]
global: Switch to new MAC prefix
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Sun, 16 Mar 2025 06:20:02 +0000 (02:20 -0400)]
global: Switch MAC generation to Zabbly prefix
Zabbly obtained the 10:66:6a MAC address prefix for use by
the Linux Containers project.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Managor [Sat, 1 Mar 2025 18:33:43 +0000 (20:33 +0200)]
sysconfig/lxc: remove false comment
Signed-off-by: Managor <42655600+Managor@users.noreply.github.com>
Mathias Aerts [Thu, 20 Feb 2025 21:50:04 +0000 (22:50 +0100)]
Added LXC_IPV6_ENABLE option for lxc-net to enable or disable IPv6
Signed-off-by: Mathias Aerts <mathias.aerts@delta.blue>
Stéphane Graber [Thu, 20 Feb 2025 16:27:49 +0000 (11:27 -0500)]
github: Switch to native arm64 runners
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Irnes Mujkanovic [Thu, 20 Feb 2025 14:27:52 +0000 (15:27 +0100)]
config-bcast: fix incorrect broadcast address calculation
Signed-off-by: Irnes Mujkanovic <irnes.mujkanovic@gmail.com>
Alexander Mikhalitsyn [Fri, 24 Jan 2025 13:07:36 +0000 (14:07 +0100)]
lxc/attach: Revert "- LXC attach should exit on SIGCHLD"
This reverts commit f02158439677d0c1d4b2ed2ed1ba9bc43923a05d.
Let's revert this change as it introduces 2 regressions:
1. it's not correct to do exit(2) from a signal handler in this case,
as we skip proper cleaning procedures like restoring PTY configuration
state (see lxc_terminal_delete()) which leads to a problem with a PTY after lxc-attach exits.
[ hint: just try to use lxc-attach on a main branch with this change and you will
see it. After lxc-attach exits you won't be able to type anything in your
current terminal session as it's messed up. ]
2. this introduces race-condition in the code which leads to a
regression on LXD/(and I believe Incus too) which can be seen as
random "Failed to retrieve PID of executing child process" errors
on "lxc exec"/"incus exec" commands. It's extremely hard to reproduce,
but my guess is that we are getting a race condition here, because
by the time when we set a new signal handler for SIGCHLD, transient process
is still alive and when it exits it generates SIGCHLD which may lead to
exit().
3. This changes a behavior of lxc-attach which was there for *years*
and it's quite scary to be honest. I'm not against having this change, but
in a different form, for example we can add a new command line parameter for
lxc-attach command which will enable this behavior.
My first attempt was to fix that change to prevent race, but then
I've noticed that we also have a more serious problem described in (1),
this requires more work to do.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Sotir Danailov [Wed, 8 Jan 2025 23:07:17 +0000 (00:07 +0100)]
conf: warn when capabilities are disabled or libcap is not found
The reason for this warning is that the project will compile and when it does
not work, it's not clear from the logs what the reason might be.
Signed-off-by: Sotir Danailov <sndanailov@gmail.com>
Sotir Danailov [Wed, 8 Jan 2025 22:51:15 +0000 (23:51 +0100)]
dbus: replace hardcoded dbus address with environment variable
Signed-off-by: Sotir Danailov <sndanailov@gmail.com>
Sotir Danailov [Wed, 8 Jan 2025 23:05:26 +0000 (00:05 +0100)]
conf: log name of invalid capability in error
Signed-off-by: Sotir Danailov <sndanailov@gmail.com>
Asain Kujovic [Thu, 2 Jan 2025 21:43:33 +0000 (22:43 +0100)]
confile-vlanid: undefined is not a zero value
Signed-off-by: Asain Kujovic <asainnp@gmail.com>
Asain Kujovic [Tue, 24 Dec 2024 01:13:36 +0000 (02:13 +0100)]
- LXC attach should exit on SIGCHLD
Signed-off-by: Asain Kujovic <asainnp@gmail.com>
Stéphane Graber [Thu, 19 Dec 2024 15:48:59 +0000 (10:48 -0500)]
Release LXC 6.0.3
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 19 Dec 2024 03:49:35 +0000 (22:49 -0500)]
github: Improve progress reporting
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 19 Dec 2024 03:18:26 +0000 (22:18 -0500)]
github: Cleanup OSS-fuzz
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 19 Dec 2024 03:13:05 +0000 (22:13 -0500)]
github: Rework test workflow
Introduce a main "tests" workflow which runs the LXC testsuite on both
x86_64 and aarch64, on a variety of compilers and OS as well as handling
the sanitizer runs.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 19 Dec 2024 03:12:38 +0000 (22:12 -0500)]
github: Introduce shared testsuite logic
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 19 Dec 2024 03:12:22 +0000 (22:12 -0500)]
github: Introduce shared build logic
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 18 Dec 2024 20:05:57 +0000 (15:05 -0500)]
github: Update coverity workflow
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Mon, 16 Dec 2024 19:25:24 +0000 (14:25 -0500)]
lxc.init: Allow SIGHUP from outside the container
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Mon, 16 Dec 2024 19:25:14 +0000 (14:25 -0500)]
lxc.init: Ignore user signals coming from inside the container
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Mon, 16 Dec 2024 19:24:14 +0000 (14:24 -0500)]
lxc.init: Switch to sigaction
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Jef Steelant [Fri, 6 Dec 2024 10:20:20 +0000 (11:20 +0100)]
lxccontainer: fix enter_net_ns helper to work when netns is inherited
If a network namespace is shared by setting lxc.namespace.share.net and
the container is unprivileged, then the network namespace should be
entered before entering the user namespace. However, if an unprivileged
user started a container, then the network namespace should be entered
after entering the user namespace. To solve this, we try to enter the
network namespace before entering the user namespace. If it did not
succeed, it will be tried again inside the user namespace.
Signed-off-by: Jef Steelant <jef.steelant_ext@softathome.com>
Guido Jäkel [Wed, 23 Oct 2024 12:07:53 +0000 (14:07 +0200)]
fix return code of recursive all of cgroup_tree_prune
Signed-off-by: Guido Jäkel <g.jaekel@dnb.de>
Stéphane Graber [Fri, 29 Nov 2024 04:06:09 +0000 (23:06 -0500)]
lxc-net: Replace random IPv6 subnet
This is meant to be a completely random ULA subnet.
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Seungki Kim [Thu, 24 Oct 2024 16:33:40 +0000 (01:33 +0900)]
meson: fix minor typo
Fixes: https://github.com/lxc/lxc/issues/4492
Signed-off-by: Seungki Kim <tttuuu888@gmail.com>
Steven Galgano [Mon, 14 Oct 2024 19:16:36 +0000 (15:16 -0400)]
Avoid null pointer dereference when using shared rootfs.
rootfs->storage not set by lxc_storage_prepare when using a shared
rootfs.
Fixes: https://github.com/lxc/lxc/issues/4476
Signed-off-by: Steven Galgano <sgalgano@adjacentlink.com>
Serge Hallyn [Thu, 10 Oct 2024 04:18:42 +0000 (23:18 -0500)]
create_run_template: don't use txtuid and txtguid out of scope
It's ok that we don't free the malloc()d space since we're
immediately exec()ing.
Originally-by: Kurt Godwin <kgodwin@itron.com>
Reported-by: Kurt Godwin <kgodwin@itron.com>
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Ariel Miculas-Trif [Wed, 18 Sep 2024 10:07:46 +0000 (13:07 +0300)]
Add support for PuzzleFS images in the oci template
PuzzleFS images (media type 'application/vnd.puzzlefs.image.rootfs.v1')
can be mounted in a similar way to squashfs images, we just have to
detect the type and reuse the existing code for providing a mount
helper. PuzzleFS is a next-generation container filesystem [1] with
several benefits, such as reduced duplication, reproducible image
builds, direct mounting support and memory safety guarantees.
Since PuzzleFS currently doesn't provide an image config, also add
support for empty image configs, they are supported by the OCI spec [2].
The MOUNT_HELPER is now passed a `--persist <upperdir>` flag, so it
knows that it needs to create an overlay. This is needed because LXC
expects a writable rootfs and both atomfs and puzzlefs are read-only
filesystems.
Example:
```
$ sudo env PATH=$PATH build/src/lxc/tools/lxc-create --name mycontainer -t \
oci -- --url oci:/$HOME/.local/share/puzzlefs/pfs_ubuntu:eg --no-cache
$ sudo build/src/lxc/tools/lxc-start --name mycontainer --foreground /bin/bash
```
--no-cache is needed for puzzlefs until [3] is solved
[1] https://github.com/project-machine/puzzlefs
[2] https://github.com/opencontainers/image-spec/blob/main/manifest.md#image-manifest
[3] https://github.com/project-machine/puzzlefs/issues/131
Signed-off-by: Ariel Miculas-Trif <amiculas@cisco.com>
Serge Hallyn [Thu, 3 Oct 2024 18:41:39 +0000 (13:41 -0500)]
meson.build: drop suggest-attribute=noreturn build option
The suggest-attribute=noreturn option marks functions which will
never return, to give the compiler some hints. It catches all of
our src/lxc/tools/*.c *_main functions as follows:
error: function might be candidate for attribute ‘noreturn’ [-Werror=suggest-attribute=noreturn]
But if we mark those __noreturn, then the compiler complains that:
../src/lxc/tools/lxc_attach.c:320:53: warning: ‘main’ specifies less restrictive attribute than its target ‘lxc_attach_main’: ‘noreturn’ [-Wmissing-attributes]
320 | int __attribute__((weak, alias("lxc_attach_main"))) main(int argc, char *argv[]);
This recommendation is really not very important, so let's not ask
the build to warn about it.
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Serge Hallyn [Mon, 16 Sep 2024 12:47:34 +0000 (07:47 -0500)]
meson.build: add -ffat-lto-objects
Otherwise, if we generate a static library, lintian warns that
it has no code sections. See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977596
Signed-off-by: Serge Hallyn <serge@hallyn.com>
Stéphane Graber [Mon, 16 Sep 2024 15:52:57 +0000 (17:52 +0200)]
Release LXC 6.0.2
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
yuncang123 [Sat, 14 Sep 2024 18:03:01 +0000 (02:03 +0800)]
fix possible clang compile error in AARCH
Signed-off-by: yuncang123 <135211779+yuncang123@users.noreply.github.com>
Stéphane Graber [Sun, 25 Aug 2024 17:17:59 +0000 (13:17 -0400)]
README: Update security contact
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 7 Aug 2024 18:10:59 +0000 (14:10 -0400)]
doc: Fix definitions of get_config_path and set_config_path
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Jip-Hop [Tue, 9 Jul 2024 10:33:36 +0000 (12:33 +0200)]
Exit 0 when there's no error
Signed-off-by: Jip de Beer <2871973+Jip-Hop@users.noreply.github.com>
Stéphane Graber [Tue, 16 Jul 2024 14:08:31 +0000 (10:08 -0400)]
idmap: Lower logging level of newXidmap tools to INFO
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 5 Jun 2024 22:40:15 +0000 (18:40 -0400)]
Remove unused function
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Thu, 27 Jun 2024 04:43:29 +0000 (00:43 -0400)]
Release LXC 6.0.1
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Alexander Mikhalitsyn [Wed, 26 Jun 2024 18:42:55 +0000 (20:42 +0200)]
meson: fix build with -Dtools-multicall=true on NixOS
See also:
https://github.com/lxc/lxc/pull/4428
Fixes: #4427
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 26 Jun 2024 17:47:31 +0000 (19:47 +0200)]
github: exclude clang & ubuntu-24.04 combination
Temporary workaround for:
https://bugs.launchpad.net/ubuntu/+source/llvm-toolchain-18/+bug/2064187
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 26 Jun 2024 17:28:03 +0000 (19:28 +0200)]
lxc/storage/zfs: ignore false-positive use-after-free warning
free(dataset) is perfectly valid after failed realloc(dataset, len) call.
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Tue, 4 Jun 2024 11:49:59 +0000 (13:49 +0200)]
github: properly check apparmor profile changes
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Tue, 4 Jun 2024 11:49:19 +0000 (13:49 +0200)]
github: start using ubuntu-24.04
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 5 Jun 2024 12:38:06 +0000 (14:38 +0200)]
apparmor: regenerate rules
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Wed, 5 Jun 2024 12:33:31 +0000 (14:33 +0200)]
apparmor: use /{,**} instead of /**
It turned out, that old (and incorrect) rule:
mount options=(rw,make-slave) -> **,
is NOT equivalent to:
mount options=(rw,make-slave) -> /**,
Let's use:
mount options=(rw,make-slave) -> /{,**},
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Tue, 4 Jun 2024 11:30:51 +0000 (13:30 +0200)]
apparmor: regenerate rules
Follow the instruction from config/apparmor/README:
./lxc-generate-aa-rules.py container-rules.base > container-rules
cat abstractions/container-base.in container-rules > abstractions/container-base
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Tue, 4 Jun 2024 11:28:05 +0000 (13:28 +0200)]
apparmor: fix rule path pattern specification syntax
See also:
https://bugs.launchpad.net/lxc/+bug/2064144
https://github.com/lxc/incus/pull/889/commits/d2c13e3f6312f08750981a80a510530e881c4ec7
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Jacob McNamee [Wed, 22 May 2024 14:02:14 +0000 (07:02 -0700)]
lxc-local: remove check for template existence before extraction
This check always fails because template files do not exist until the
rootfs is unpacked. File existence is already confirmed before replacing
variables
Signed-off-by: Jacob McNamee <jacob@jacobmcnamee.com>
Jacob McNamee [Wed, 22 May 2024 13:44:17 +0000 (06:44 -0700)]
lxc-local: fix incorrect path to `templates` file
Signed-off-by: Jacob McNamee <jacob@jacobmcnamee.com>
Jacob McNamee [Wed, 22 May 2024 13:34:08 +0000 (06:34 -0700)]
lxc-local: fix use of `LXC_PATH` before init
Signed-off-by: Jacob McNamee <jacob@jacobmcnamee.com>
KATOH Yasufumi [Fri, 17 May 2024 07:47:16 +0000 (16:47 +0900)]
Update lxc-execute.sgml.in
Update for a7aa297
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
KATOH Yasufumi [Fri, 17 May 2024 07:21:04 +0000 (16:21 +0900)]
Update lxc-{attach,execute}.sgml.in
Update for 52bf34d and a7aa297
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
MMFuba [Sun, 12 May 2024 19:17:57 +0000 (21:17 +0200)]
Update lxc-execute.sgml.in
add hint to use numerical values for uid and gid
Signed-off-by: MMFuba <114305581+MMFuba@users.noreply.github.com>
MMFuba [Sun, 12 May 2024 19:13:36 +0000 (21:13 +0200)]
Update lxc-attach.sgml.in
added hint to use numerical value for uid and gid
Signed-off-by: MMFuba <114305581+MMFuba@users.noreply.github.com>
Alexander Mikhalitsyn [Mon, 8 Apr 2024 10:29:08 +0000 (12:29 +0200)]
network: netdev_configure_server_veth: reduce scope of disable_ipv6_fd/path vars
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Mon, 8 Apr 2024 10:21:21 +0000 (12:21 +0200)]
lxc/network: handle non-existing sysctl <ifname>/disable_ipv6
Skip writing to /proc/sys/net/ipv6/conf/<ifname>/disable_ipv6
if it does not exist.
Fixes: #4431
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Sat, 6 Apr 2024 20:11:12 +0000 (22:11 +0200)]
github: test the lxc multicall binary builds too
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Fri, 5 Apr 2024 15:50:58 +0000 (17:50 +0200)]
meson: fix build on NixOS
Fixes: #4427
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Stéphane Graber [Wed, 3 Apr 2024 03:33:26 +0000 (23:33 -0400)]
Release LXC 6.0.0
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Serge Hallyn [Wed, 3 Apr 2024 02:47:03 +0000 (21:47 -0500)]
Merge pull request #4424 from stgraber/main
Cleanup MAINTAINERS, COPYING and sort out SPDX headers
Stéphane Graber [Wed, 3 Apr 2024 00:43:37 +0000 (20:43 -0400)]
lxc.spec: Align SPDX license id
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 3 Apr 2024 00:43:30 +0000 (20:43 -0400)]
Makefile: Align SPDX license id
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 3 Apr 2024 00:42:09 +0000 (20:42 -0400)]
meson: Align SPDX license id
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 3 Apr 2024 00:29:39 +0000 (20:29 -0400)]
COPYING: Clarify licensing of files without SPDX
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Wed, 3 Apr 2024 00:23:13 +0000 (20:23 -0400)]
doc: Add SPDX headers and remove Author field
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 22:31:26 +0000 (18:31 -0400)]
src/include: Add SPDX headers
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 22:24:10 +0000 (18:24 -0400)]
src/tests: Add SPDX headers
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:59:17 +0000 (17:59 -0400)]
hooks: Add SPDX headers
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:54:04 +0000 (17:54 -0400)]
lxc.spec: Clear default changelog
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:52:37 +0000 (17:52 -0400)]
lxc.spec: Use SPDX
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:51:55 +0000 (17:51 -0400)]
template: Use SPDX
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:50:03 +0000 (17:50 -0400)]
config/yum: Use SPDX header
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:49:54 +0000 (17:49 -0400)]
COPYING: Remove whitespace
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 21:45:23 +0000 (17:45 -0400)]
MAINTAINERS: Remove Dwight from the maintainer list
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 17:46:34 +0000 (13:46 -0400)]
Merge pull request #4377 from adamcstephens/install-options
build: add more options for customizing install
Serge Hallyn [Tue, 2 Apr 2024 15:51:03 +0000 (10:51 -0500)]
Merge pull request #4423 from stgraber/main
lxc-checkconfig improvements
Stéphane Graber [Tue, 2 Apr 2024 15:26:48 +0000 (11:26 -0400)]
lxc-checkconfig: Fix shellcheck
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 15:21:43 +0000 (11:21 -0400)]
lxc-checkconfig: Show namespace limits
Closes #4259
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
Stéphane Graber [Tue, 2 Apr 2024 14:53:31 +0000 (10:53 -0400)]
Merge pull request #4422 from mihalicyn/ct_list_fix
lxc-ls: list names with whitespaces in `--active`.
Edênis Freindorfer Azevedo [Wed, 15 Sep 2021 03:12:52 +0000 (00:12 -0300)]
lxc-ls: list names with whitespaces in `--active`.
Fixes: #3970
Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>
[ small fixes ]
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Stéphane Graber [Tue, 2 Apr 2024 13:07:45 +0000 (09:07 -0400)]
Merge pull request #4421 from mihalicyn/lxc_copy_fixes
lxc/tools: set default log_priority to ERROR
Stéphane Graber [Tue, 2 Apr 2024 13:05:54 +0000 (09:05 -0400)]
Merge pull request #4418 from mihalicyn/cumulative_fixes_2apr2024
confile_utils: fix incorrect multiply_overflow test #2
Christian Brauner [Tue, 2 Apr 2024 12:55:51 +0000 (14:55 +0200)]
Merge pull request #4420 from mihalicyn/autostart_fix
tools/lxc_autostart: don't fail when there are no containers
Christian Brauner [Tue, 2 Apr 2024 12:55:16 +0000 (14:55 +0200)]
Merge pull request #4419 from mihalicyn/fixup_mod_rdep
lxc/lxccontainer: specify file mode in open() call inside mod_rdep
Alexander Mikhalitsyn [Tue, 2 Apr 2024 11:58:35 +0000 (13:58 +0200)]
lxc/tools: set default log_priority to ERROR
For some reason, we don't have default log_priority
set for many tools which leads to the situation when
tools can fail silently even if error occurs.
Fixes: #4405
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Alexander Mikhalitsyn [Tue, 2 Apr 2024 11:43:08 +0000 (13:43 +0200)]
tools/lxc_autostart: don't fail when there are no containers
Fixes: #3847
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>