execute: use execveat() syscall if supported

The execveat allows us to exec stuff via a fd so we don't have to bind mount
stuff in. See the comment about why we're using the syscall directly.

Closes #2339.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
[christian.brauner@ubuntu.com: adapt error message and whitespace fixes]
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2337 from brauner/2018-05-18/cgroup_rework

cgroups: refactor cgroup handling

conf: simplify write_id_mapping()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: #ifdef SCMP_ARCH_AARCH64

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: remove freezer_state()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: refactor cgroup handling

This replaces the constructor implementation of cgroup handling with a simpler,
thread-safe on-demand model of cgroup driver initialization.
Making the cgroup initialization code run in a constructor means that each time
the shared library gets mapped the cgroup parsing code gets run. That's
unnecessary overhead.
It also feels to me that this is only accidently thread-safe because
constructors are only run once. But should threads actually end up manipulating
or freeing memory that is file-global to cgfsng.c we'd be screwed. Now, I might
be wrong here but the cleaner implementation is to allocate a cgroup driver on
demand whenever we need it.
Take the chance and rework the cgroup_ops interface to make the functions it
wants to have implemented a lot cleaner.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2328 from simos/fix-resource-leak-cid1425802

coverity: #1425802

coverity: #1425802

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

Merge pull request #2324 from simos/fix-resource-leak-cid1248106

Fixed resource leak in is_wlan() at network.c

Merge pull request #2323 from simos/fix-resource-leak-cid1425836

Fixed resource leak in userns_exec_full()

Merge pull request #2332 from brauner/2018-05-16/use_ambient_capabilities

capabilities: raise ambient capabilities

capabilities: raise ambient capabilities

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Jonathan Calmels <jcalmels@nvidia.com>

Merge pull request #2319 from brauner/2018-05-13/allow_sys_rw_for_unpriv_containers

config: allow read-write /sys in user namespace

Merge pull request #2327 from brauner/2018-05-15/coverity

coverity

Merge pull request #2329 from simos/fix-resource-leak-cid1425844

coverity: #1425844

config: allow read-write /sys in user namespace

Unprivileged containers can safely mount /sys as read-write. This also allows
systemd-udevd to be started in unprivileged containers.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425844

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1248106

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1425836

Resource leak

Signed-off-by: Simos Xenitellis <simos.lists@googlemail.com>

coverity: #1435602

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435603

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435604

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2326 from tenforward/japanese

Update Japanese man pages

doc: Fix size unit style in Japanese lxc.container.conf(5)

fix "kB" to "KB", and tweak description. Update for commit 6d276ed and
6d276ed .

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

doc: Add "-d/--daemon" option to Japanese lxc-execute(1)

Update for commit 4160ef0

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

Merge pull request #2318 from brauner/2018-05-11/compiler_fixes

tools: s/strncpy()/memcpy()/g

tools: s/strncpy()/memcpy()/

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "tools: s/strncpy()/strlcpy()/g"

This reverts commit 2ec47d5149e73db97f7877d06d67cb11421097bb.

First, I forgot to actually replace strncpy() with strlcpy(). Second, we don't
want to \0-terminate since this is an abstract unix socket and this is not
required. Instead, let's simply use memcpy() which is more correct and also
silences gcc-8.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2317 from brauner/2018-05-11/compiler_fixes

tools: s/strncpy()/strlcpy()/g

tools: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2316 from brauner/2018-05-11/compiler_fixes

tree-wide: s/strncpy()/strlcpy()/g

CODING_STYLE: add section about using strlcpy()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/strncpy()/strlcpy()/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

strlcpy: add strlcpy() implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2315 from duguhaotian/master

support case ignored suffix for sizes

utils: fix parse_byte_size_string() coding style

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

support case ignored suffix for sizes

suffix of console max size and console buffer max size

Signed-off-by: l00355512 <liuhao27@huawei.com>

Merge pull request #2314 from brauner/2018-05-11/compiler_fixes

gcc-8: silence

network: adhere to IFNAMSIZ limit

The additional \0-byte space added is not needed since IFNAMSIZ needs to
include the \0-byte.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: silence gcc-8

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2313 from brauner/2018-05-11/compiler_fixes

confile: satisfy gcc-8

confile: satisfy gcc-8

Apparently -Werror=stringop-overflow will trigger an error here even though
this is completely valid since we now that we're definitely copying a \0-byte.
Work around this gcc-8 quirk by using memcpy(). This shouldn't trigger the
warning.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2299 from brauner/2018-05-01/bugfixes

coverity + code removal

utils: account for terminating \0 byte

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1425744

Dereference after null check

userns_exec_{1,full} are called from functions that might not have a conf.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1248105

Time of check time of use

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1248104

Argument cannot be negative

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

genl: remove

These files have never been used and as such have no dependencies in the
codebase whatsoever. So remove them. If we need them we can simply pull them
out of the git history.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2308 from tych0/add-logging

fix execute when init in the container already exists

execute: set init_path when existing init is found

I'm not really sure we should be looking in the rootfs for an existing
init, but I'll send a much more invasive patch to correct that. For now,
let's just make sure we set init_path when we find one, so that later in
execute_start() we don't bail.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

execute: account for -o path option count

This always works fine... until your exec() fails and you try to go and
free it, you've overwritten the allocator's metadata (and potentially other
stuff) and it fails.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

add some TRACE/ERROR reporting

The errors in execute_start are important because nothing actually prints
out what error if any there was in these cases, so you're left with an
empty log.

The TRACE logs are simply to tell you which version of start lxc chose to
invoke: exec or start.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Merge pull request #2309 from brauner/2018-05-08/fix_execute

execute: do not check inherited fds again

execute: do not check inherited fds again

This is already done in do_lxcapi_start{l}() so a) no need to do it again here
and b) this would close the state socket pair sockets, corrup the fd, and lead
to EBADF.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2305 from brauner/2018-05-04/fix_execute_logging

fix logic for execute log file

execute: use static buffer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: add LXC_PROC_PID_FD_LEN

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

fix logic for execute log file

The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>

coverity: #1435263

Use after free

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2297 from brauner/2018-04-29/bugfixes

coverity

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use thread-safe open() + write()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_unfreeze()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_freeze()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: do_lxcapi_is_running()

There's no need to do string comparisons.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use thread-safe *_OFD_* locks

If they aren't available fallback to BSD flock()s.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1426734

Argument cannot be negative

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435198

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435200

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435203

Resource leak

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435205

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435206

Time of check time of use

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435207

Unchecked return value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435208

Unused value

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity: #1435210

Logically dead code

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #2279 from kunkku/create-umask

do_lxcapi_create: set umask

Merge pull request #2293 from pkun/master

Fix tool_utils.c build when HAVE_SETNS is unset

Fix tool_utils.c build when HAVE_SETNS is unset

Add inline setns() function to tool_utils.h. Without it
tool_utils.c can't be build when HAVE_SETNS is unset.

Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>

Merge pull request #2289 from lifeng68/Fix_mem_leak_list_active_containers

Fix memory leak in list_active_containers

Fix memory leak in list_active_containers

Signed-off-by: LiFeng <lifeng68@huawei.com>

Fix the memory leak in cgfsng_attach

Signed-off-by: LiFeng <lifeng68@huawei.com>

Merge pull request #2288 from lifeng68/Fix_mem_leak_cgfsng_attach

Fix the memory leak in cgfsng_attach

Merge pull request #2287 from thyth/master

Also pass action scripts to CRIU on checkpointing

Also pass action scripts to CRIU on checkpointing

Signed-off-by: Daniel Selifonov <ds@thyth.com>

Merge pull request #2284 from 3XX0/pamcgfs-ignore-umask

pam-cgfs: ignore the system umask when creating the cgroup hierarchy

pam-cgfs: ignore the system umask when creating the cgroup hierarchy

Fixes: #2277
Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>

Merge pull request #2285 from tpetazzoni/offsetof-stddef-fix

lxc/tools/lxc_monitor: include missing <stddef.h>

lxc/tools/lxc_monitor: include missing <stddef.h>

lxc_monitor.c uses offsetof(), so it should include
<stddef.h>. Otherwise the build fails with the musl C library:

tools/lxc_monitor.c: In function ‘lxc_abstract_unix_connect’:
tools/lxc_monitor.c:324:9: warning: implicit declaration of function ‘offsetof’ [-Wimplicit-function-declaration]
         offsetof(struct sockaddr_un, sun_path) + len + 1);
         ^~~~~~~~
tools/lxc_monitor.c:324:18: error: expected expression before ‘struct’
         offsetof(struct sockaddr_un, sun_path) + len + 1);
                  ^~~~~~

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Merge pull request #2283 from flx42/lxc-oci-mkdir-download-directory

lxc-oci: mkdir the download directory

lxc-oci: mkdir the download directory

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

Merge pull request #2281 from brauner/2018-04-15/seccomp_fixes

seccomp: handle arch inversion - The Architecture Strikes Back

seccomp: handle arch inversion II

LXC generates and loads the seccomp-bpf filter in the host/container which
spawn the new container. In other words, userspace N is responsible for
generating and loading the seccomp-bpf filter which restricts userspace N + 1.
Assume 64bit kernel and 32bit userspace running a 64bit container. In this case
the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit
userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter,
or adjusts the default behavior for "BAD_ARCH", *all* 64-bit x86 syscalls will
be blocked.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Paul Moore <paul@paul-moore.com>

seccomp: non-functional changes

Rename "compat_ctx" to "contexts" and "compat_arch" to "architectures".

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: document -d/--daemonize for lxc-execute

Closes #2280.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: improve logging

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>