seccomp: remove seccomp fd from event loop after task exited

Linux v5.8 will land my patch where seccomp notifies when a filter goes unused,
i.e. when the last task using a given seccomp filter has exited. This wasn't
possible before and so we accumulated file descriptors in the container's event
loop whenever we attached to the container.
I'm not sure whether the task exiting before we could handle its syscall should
cause us to report and error or not. For now, let's simply close the event loop
and not report an error.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3498 from brauner/master

selinux: remove security_context_t usage as it's deprecated

selinux: remove security_context_t usage as it's deprecated

Link: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1888705
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3497 from brauner/2020-07-23/fix_snap_compilation

autotools: fix Makefile

Merge pull request #3496 from brauner/2020-07-18/mount_pid

new mount api support: basics

Makefile: fix Makefile

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: don't break logging by hiding symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: use new mount api

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mount_utils: add mount_filesystem() helper

that translates between the two mount apis.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mount_utils: add mount utils

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: add fsmount()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: add fsconfig()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: add fspick()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

syscalls: add fsopen()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3492 from brauner/2020-07-18/visibility_hidden

tree-wide: hide unnecessary symbols

Merge pull request #3495 from siv0/boot_id_remount_apparmor_fix

apparmor: Allow ro remount of boot_id

apparmor: Allow ro remount of boot_id

The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all
necessary mount calls for /proc/sys/kernel/random/boot_id
(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

start: simplify gotos

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: hide further unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

storage: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

arguments: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

uuid: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

utils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

sync: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

state: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

ringbuf: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

rexec: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

process_utils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

parse: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

namespace: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

monitor: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mainloop: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxcseccomp: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxclock: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

log: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

initutils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

error: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

criu: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile_utils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3490 from brauner/master

lxc-ls: bugfixes

lxc-ls: bugfixes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Makefile.am: Fix typo

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Merge pull request #3488 from brauner/2020-07-17/fixes

hide unnecessary symbols I

conf: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands_utils: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

commands: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

caps: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

af_unix: hide unnecessary symbols

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

string_utils: make all helpers hidden

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

compiler: add and use __hidden visbility

Closes: #3485.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: remove unused variable

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3487 from samboyles1/master

Improve efficiency of lxc_ifname_alnum_case_sensitive

Improve efficiency of lxc_ifname_alnum_case_sensitive

To detect if a newly generated interface name is a duplicate of an existing interface lxc_ifname_alnum_case_sensitive() currently gets a list of all interfaces using netns_getifaddrs(). When the system has a small number of interfaces this works fine, however when there are thousands or tens of thousands of interfaces this quickly becomes less than optimal.

As we only need to check if an interface name exists, and do not need the detailed information about the interfaces provided by netns_getifaddrs(), we can instead use the if_nametoindex() function, which is much more efficient.

Signed-off-by: Sam Boyles <sam.boyles@alliedtelesis.co.nz>

Merge pull request #3486 from brauner/2020-07-16/license

autotools: include COPYING file

autotools: include COPYING file

Closes: #3484.
Suggested-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3480 from Drachenfels-GmbH/master

checkconfig: Show LXC version in output.

checkconfig: Show LXC version in output.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Merge pull request #3479 from brauner/2020-07-06/fixes

openpty: improve implementation and handling of platforms without it

openpty: improve implementation and handling of platforms without it

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3478 from brauner/2020-07-05/fixes

openpty: fix faulty rename

openpty: fix faulty rename

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3477 from brauner/2020-07-05/fixes

tree-wide: update terminal terminology once more

tree-wide: s/pts/pty/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/ptmx/ptx/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3476 from brauner/2020-07-05/fixes

cgroups: handle empty bpf log buffer

cgroups: handle empty bpf log buffer

Link: https://launchpadlibrarian.net/487274879/buildlog_ubuntu-eoan-amd64.lxc_1:4.0.3+master~20200705-1541-0ubuntu1~eoan_BUILDING.txt.gz
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3475 from brauner/2020-07-05/fixes

cgroups: fix bpf device program generation

cgroups: fix bpf device program generation

Closes: #3473.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3474 from brauner/2020-07-03/fixes

api-extensions: add seccomp_allow_deny_syntax extension

api-extensions: add seccomp_allow_deny_syntax extension

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3472 from brauner/2020-07-03/fixes

fixes

cgroup2_devices: fix access rule parsing

Closes: #3473.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: use empty {} to initialize struct

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: support allowlist/denylist in profiles

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: update terminology II

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: update terminology

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3469 from johanneskastl/20200630_Kastl_fix_gpg_option

templates/lxc-download.in: use GPG option "--receive-keys"

templates/lxc-download.in: use GPG option --receive-keys instead of --recv-keys

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

Merge pull request #3468 from johanneskastl/20200630_Kastl_fix_shell_download_template

templates/lxc-download.in: fix wrong if-condition

templates/lxc-download.in: make shellcheck happy

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

templates/lxc-download.in: fix wrong if condition (use the result of the gpg command, not the result when executing the result of the gpg command)

Signed-off-by: Johannes Kastl <kastl@b1-systems.de>

Merge pull request #3466 from alivenets/fix-no-new-privs

attach: set no_new_privs flag after LSM label

attach: set no_new_privs flag after LSM label

In `start.c:1284`, no_new_privs flag is set after LSM label is set.
Also, in `lxc.container.conf` documentation it is written that:
```
Note that PR_SET_NO_NEW_PRIVS is applied after the container has
changed into its intended AppArmor profile or SElinux context.
```
This commit fixes the behavior of `lxc_attach` by moving
`PR_SET_NO_NEW_PRIVS` set logic after LSM for the process is configured;

Closes #3393

Signed-off-by: Alexander Livenets <a.livenets@gmail.com>

Merge pull request #3465 from brauner/2020-06-19/clone_into_cgroup

clone_into_cgroup: fixes

start: use __aligned_u64

Closes: Coverity 1465044.
Closes: Coverity 1465046.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: initialize cgroup_fd

Fixes: Coverity 1465045.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3464 from brauner/2020-06-19/clone_into_cgroup

lxc: support CLONE_INTO_CGROUP

lxc: support CLONE_INTO_CGROUP

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3463 from brauner/2020-06-26/fixes

confile: handle overflow in lxc.time.offset.{boot,monotonic}

Merge pull request #3462 from tenforward/japanese

Update Japanese lxc.container.conf(5)

start: preserve time namespace

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: handle overflow in lxc.time.offset.{boot,monotonic}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>