git.ipfire.org Git - thirdparty/lxc.git/log
Christian Brauner [Fri, 19 Feb 2021 12:50:35 +0000 (13:50 +0100)]
doc: tweak cgroup headline
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 12:41:51 +0000 (13:41 +0100)]
doc: explain eBPF-based device controller semantics
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 12:39:42 +0000 (13:39 +0100)]
doc: add missing ".[controller file]" suffix to lxc.cgroup{2}. key explanations
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 10:50:29 +0000 (11:50 +0100)]
bpf: update device cgroup semantics
LXC has supported the bpf device controller for a while now. A bpf device
program can be attached to the container's cgroup if this is a pure cgroup2
host.
The format for specifying device rules for the cgroup2 bpf device controller is
the same as for the legacy cgroup device controller; only the configuration key
prefix has to change. Specifically, device rules for the legacy cgroup device
controller are specified via lxc.cgroup.devices.{allow,deny} whereas for the
cgroup2 bpf device controller lxc.cgroup2.devices.{allow,deny} must be used.
The following semantics apply:
1. The device rule "lxc.cgroup2.devices.deny = a" will cause LXC to instruct
the kernel to block access to all devices by default. To grant access to
devices "allow device rules" must be added via the
"lxc.cgroup2.devices.allow" key. This is referred to as an "allowlist" device
program.
2. The device rule "lxc.cgroup2.devices.allow = a" will cause LXC to instruct
the kernel to allow access to all devices by default. To deny access to
devices "deny device rules" must be added via "lxc.cgroup2.devices.deny"
key. This is referred to as a "denylist" device program.
3. Specifying a rule as explained in 1. or 2. will cause all previous rules to
be cleared, i.e. the device list will be reset.
For example the set of rules:
lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.allow = c *:* m
lxc.cgroup2.devices.allow = b *:* m
lxc.cgroup2.devices.allow = c 1:3 rwm
implements an "allowlist" device program, i.e. the kernel will block access to
all devices not specifically allowed in this list. This particular program
states that all character and block devices might be created but only /dev/null
might be read or written.
If we were to switch to the set of rules:
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
then LXC would instruct the kernel to implement a "denylist", i.e. the kernel
will allow access to all devices not specifically denied in this list. This
particular program states that no character devices or block devices might be
created and that /dev/null is not allowed to be read, written, or
created.
Consider the same program but followed by a rule as explained in 1. or 2.:
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.allow = a
The last line will cause LXC to reset the device list without changing the type
of device program.
lxc.cgroup2.devices.allow = a
lxc.cgroup2.devices.deny = c *:* m
lxc.cgroup2.devices.deny = b *:* m
lxc.cgroup2.devices.deny = c 1:3 rwm
lxc.cgroup2.devices.deny = a
The last line will cause LXC to reset the device list and switch from an
"allowlist" program to a "denylist" program.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
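As an added example (not LXC's own code), the following Python models the three rules from the commit message above: it parses lxc.cgroup2.devices.{allow,deny} lines into a program kind plus rule list, and decides individual accesses the way the legacy kernel device controller does (an allowlist needs one rule covering every requested access bit, a denylist blocks on any overlapping bit). The regexes, class names and the choice to consult only rules of the program's own kind are assumptions of this example, not LXC behaviour documented on the page.

```python
import re
from dataclasses import dataclass, field

# lxc.cgroup2.devices.{allow,deny} = <value>; value is "a" or "<type> <maj>:<min> <access>"
KEY_RE = re.compile(r"^lxc\.cgroup2\.devices\.(allow|deny)\s*=\s*(.+?)\s*$")
RULE_RE = re.compile(r"^([bc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

@dataclass
class DeviceRule:
    allow: bool   # True from an .allow key, False from a .deny key
    type: str     # "c" (character) or "b" (block)
    major: str    # device number or "*"
    minor: str
    access: str   # any combination of r (read), w (write), m (mknod)

@dataclass
class DeviceProgram:
    kind: str = "allowlist"   # "allowlist": default deny; "denylist": default allow
    rules: list = field(default_factory=list)

def parse_config(lines):
    """Apply the three rules from the commit message to a list of config lines."""
    prog = DeviceProgram()
    for n, raw in enumerate(lines, 1):
        m = KEY_RE.match(raw.strip())
        if not m:
            continue              # blank line, comment or an unrelated key
        key, value = m.groups()
        if value == "a":
            # Rule 1: "deny = a" -> allowlist. Rule 2: "allow = a" -> denylist.
            # Rule 3: either form clears every rule collected so far.
            prog.kind = "allowlist" if key == "deny" else "denylist"
            prog.rules.clear()
            continue
        r = RULE_RE.match(value)
        if not r:
            raise ValueError(f"line {n}: malformed device rule {value!r}")
        prog.rules.append(DeviceRule(key == "allow", *r.groups()))
    return prog

def _same_device(rule, dtype, major, minor):
    return (rule.type == dtype and rule.major in ("*", str(major))
            and rule.minor in ("*", str(minor)))

def device_allowed(prog, dtype, major, minor, access):
    """Decide one access ("r", "w", "m" or a combination) as the kernel's legacy
    device controller would (assumption: only rules of the program's kind count)."""
    wanted = set(access)
    if prog.kind == "allowlist":
        # Default deny: one allow rule must cover every requested access bit.
        return any(r.allow and _same_device(r, dtype, major, minor)
                   and wanted <= set(r.access) for r in prog.rules)
    # Default allow: a deny rule overlapping even one requested bit blocks it.
    return not any(not r.allow and _same_device(r, dtype, major, minor)
                   and wanted & set(r.access) for r in prog.rules)

# Constructed sample: the allowlist program from the commit message.
ALLOWLIST_CONFIG = """
lxc.cgroup2.devices.deny = a
lxc.cgroup2.devices.allow = c *:* m
lxc.cgroup2.devices.allow = b *:* m
lxc.cgroup2.devices.allow = c 1:3 rwm
""".splitlines()
```

With ALLOWLIST_CONFIG, device_allowed(prog, "c", 1, 3, "rw") is True while device_allowed(prog, "c", 1, 5, "r") is False, matching the "only /dev/null may be read or written" description.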
Christian Brauner [Fri, 19 Feb 2021 10:31:20 +0000 (11:31 +0100)]
cgroups: tweak bpf_device_cgroup_prepare()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 10:24:49 +0000 (11:24 +0100)]
conf: expose lxc_clear_cgroup2_devices()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 10:12:22 +0000 (11:12 +0100)]
conf: improve lxc_clear_cgroups()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 03:33:39 +0000 (04:33 +0100)]
bpf: fix typos
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 03:31:40 +0000 (04:31 +0100)]
bpf: comment bpf_cgroup_devices_update()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 03:03:09 +0000 (04:03 +0100)]
commands: only update bpf device program if really needed
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 02:45:06 +0000 (03:45 +0100)]
cgroups: make device cgroup handling smarter and simpler
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 20:34:22 +0000 (21:34 +0100)]
cgroups: ensure no garbage is returned
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Fri, 19 Feb 2021 12:15:31 +0000 (13:15 +0100)]
Merge pull request #3686 from cyphar/apparmor-attr-subdir
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface
Aleksa Sarai [Fri, 19 Feb 2021 09:45:37 +0000 (20:45 +1100)]
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface
It turns out that since Linux 5.1 there are now per-LSM subdirectories
for major LSMs, which users are recommended to use over the "legacy"
top-level /proc/$pid/attr/... files[1]:
> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.
AppArmor has had such a directory since Linux 5.8[2], and it turns out
that with certain CONFIG_LSM configurations you can end up with AppArmor
files not being accessible from the legacy interface. Arch Linux
recently added BPF as one of the enabled LSMs in their configuration, and
this broke runc[3] and LXC.
The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.
[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
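An added illustration of the two-step lookup described above, written in Python rather than LXC's C and not the project's own code: the per-LSM file is tried first and the legacy file only when the former is absent. The function names, the proc_root test hook and the constructed fixture are this example's own assumptions.

```python
import os
import tempfile

# Preferred per-LSM file (Linux >= 5.8) first, legacy top-level file as fallback.
LABEL_FILES = ("attr/apparmor/current", "attr/current")

def apparmor_process_label(pid="self", proc_root="/proc"):
    """Read a process's AppArmor label with the fallback order above.

    Returns the label without its trailing newline, or None if neither file is
    usable. proc_root exists only so the lookup can run against a constructed
    tree (assumption of this example, not an LXC parameter)."""
    for rel in LABEL_FILES:
        path = os.path.join(proc_root, str(pid), rel)
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except (FileNotFoundError, NotADirectoryError):
            continue          # interface absent on this kernel: try the next one
        except OSError:
            return None       # present but unreadable, e.g. no AppArmor loaded
        return data.rstrip(b"\n").decode("utf-8", "replace") or None
    return None

def split_label(label):
    """Split the "profile (mode)" form AppArmor uses for confined processes.

    "lxc-container-default (enforce)" -> ("lxc-container-default", "enforce");
    "unconfined" -> ("unconfined", None)."""
    if label.endswith(")") and " (" in label:
        name, mode = label[:-1].rsplit(" (", 1)
        return name, mode
    return label, None

def build_fake_proc(entries):
    """Constructed fixture: entries maps pid -> {relative file: bytes}.

    Creates a temporary directory laid out like /proc/<pid>/attr/... so the
    fallback logic can be exercised without a real kernel."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, files in entries.items():
        for rel, content in files.items():
            path = os.path.join(root, str(pid), rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
    return root
```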
Aleksa Sarai [Fri, 19 Feb 2021 09:24:18 +0000 (20:24 +1100)]
apparmor: clean up apparmor_process_label_get
Rather than open-coding file reading and retry semantics and
implementing the path generation logic separately to
apparmor_process_label_fd_get, refactor the logic so that it looks
closer to the pidfd version.
This will make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Stéphane Graber [Thu, 18 Feb 2021 16:52:52 +0000 (11:52 -0500)]
Merge pull request #3681 from brauner/2021-02-18/cgroups
cgroups: fixes & bpf rework
Stéphane Graber [Thu, 18 Feb 2021 16:42:17 +0000 (11:42 -0500)]
Merge pull request #3682 from brauner/2021-02-18/fixes
console: fixes
Christian Brauner [Thu, 18 Feb 2021 16:08:11 +0000 (17:08 +0100)]
conf: don't log garbage
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 16:00:54 +0000 (17:00 +0100)]
start: fix non-daemonized and application containers
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 15:40:52 +0000 (16:40 +0100)]
conf: use saner mode for console
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 15:26:16 +0000 (16:26 +0100)]
bpf: simplify bpf (device) program freeing
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 15:21:04 +0000 (16:21 +0100)]
bpf: make bpf_program_cgroup_attach() static
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 15:13:45 +0000 (16:13 +0100)]
bpf: prevent double-close
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 14:52:52 +0000 (15:52 +0100)]
cgroups: use close_equal() and free_equal()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 14:52:35 +0000 (15:52 +0100)]
memory_utils: add close_equal() and free_equal()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 14:39:17 +0000 (15:39 +0100)]
lxccontainer: fix reboot logging
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 13:50:03 +0000 (14:50 +0100)]
bpf: rework live device cgroup update
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 13:42:39 +0000 (14:42 +0100)]
compiler: fix fallthrough attribute
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 13:42:15 +0000 (14:42 +0100)]
bpf: fix return values in bpf_program_cgroup_attach()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 12:35:03 +0000 (13:35 +0100)]
bpf: let bpf_list_add_device() take the device list directly
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 12:20:40 +0000 (13:20 +0100)]
bpf: add and use bpf_cgroup_devices_attach() helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 11:41:57 +0000 (12:41 +0100)]
cgroups: remove compile-time bpf support detection
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 11:29:50 +0000 (12:29 +0100)]
bpf: vendor bpf headers
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 11:02:54 +0000 (12:02 +0100)]
bpf: handling missing defines
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 10:45:41 +0000 (11:45 +0100)]
bpf: rework bpf_program_cgroup_detach()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 10:37:55 +0000 (11:37 +0100)]
commands: rework bpf devices BPF_F_REPLACE codepath
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 10:37:28 +0000 (11:37 +0100)]
bpf: don't close invalid fd, simply swap
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 10:36:32 +0000 (11:36 +0100)]
bpf: use __u32 not uint32_t
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 10:23:30 +0000 (11:23 +0100)]
macro: add swap helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:43:10 +0000 (10:43 +0100)]
commands: replace bpf program on update
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:41:52 +0000 (10:41 +0100)]
commands: improve bpf device program management
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:39:39 +0000 (10:39 +0100)]
cgroups: improve bpf device program management
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:39:14 +0000 (10:39 +0100)]
bpf: add helpers for better bpf device program management
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:24:10 +0000 (10:24 +0100)]
cgroups: improve bpf device program handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:23:29 +0000 (10:23 +0100)]
cgroups: make device cgroups semantics clearer
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:19:27 +0000 (10:19 +0100)]
bpf: enable helpers to let caller replace existing bpf programs
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:18:56 +0000 (10:18 +0100)]
bpf: align struct initialization
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:17:21 +0000 (10:17 +0100)]
bpf: use return macros
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Thu, 18 Feb 2021 09:15:39 +0000 (10:15 +0100)]
conf: introduce lxc_bpf_devices_rule_t type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 23:51:14 +0000 (00:51 +0100)]
bpf: use cgroup fd directly instead of paths
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 23:38:47 +0000 (00:38 +0100)]
cgroups: kill monitor_full_path
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 23:35:22 +0000 (00:35 +0100)]
cgroups: free correct path
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 21:54:44 +0000 (22:54 +0100)]
utils: fix print_r() debugging helper
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 21:48:40 +0000 (22:48 +0100)]
cgroups: fix error values
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 17:49:20 +0000 (18:49 +0100)]
cgroups: don't overwrite type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:59:40 +0000 (16:59 +0100)]
cgroups: make it extremely obvious that we're transitioning from a flag to a type
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 17 Feb 2021 17:30:57 +0000 (12:30 -0500)]
Merge pull request #3680 from brauner/2021-02-17/cgroups_2
cgroups: fourth batch of cgroup fixes
Christian Brauner [Wed, 17 Feb 2021 15:40:48 +0000 (16:40 +0100)]
cgroups: create controller directories if missing
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:28:42 +0000 (16:28 +0100)]
cgroups: use non-flag based checking now that we switched all codepaths over
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:24:50 +0000 (16:24 +0100)]
conf: use brackets to clarify check semantics
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:23:51 +0000 (16:23 +0100)]
cgroups: validate that only a single cgroup mount type is set
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:23:20 +0000 (16:23 +0100)]
cgroups: prevent cgroup mount type overwrite
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 15:29:56 +0000 (16:29 +0100)]
cgroups: ensure that cgroup_root is initialized in legacy codepaths
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 14:29:14 +0000 (15:29 +0100)]
cgroups: distinguish between tmpfs and unified based cgroup layouts file descriptors
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 14:24:23 +0000 (15:24 +0100)]
cgroups: log intermediate cleanup
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 17 Feb 2021 13:59:13 +0000 (08:59 -0500)]
Merge pull request #3679 from brauner/2021-02-17/cgroups
cgroups: third batch of cgroup fixes
Christian Brauner [Wed, 17 Feb 2021 13:36:10 +0000 (14:36 +0100)]
cgroups: prevent NULL pointer deref
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:45:35 +0000 (10:45 +0100)]
cgroups: simplify mount opening
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:35:58 +0000 (10:35 +0100)]
cgroups: ensure we prune the limit dir
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:30:30 +0000 (10:30 +0100)]
cgroups: ensure we don't remove cgroups we didn't create
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:08:27 +0000 (10:08 +0100)]
cgroups: don't move pivot cgroup under the monitor's cgroup
Otherwise we will never be able to destroy the monitor's cgroup.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:06:29 +0000 (10:06 +0100)]
cgroups: don't rely on absolute path
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:04:58 +0000 (10:04 +0100)]
cgroups: be stricter when creating payloads
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 09:03:42 +0000 (10:03 +0100)]
cgroups: rework cgroup tree creation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 08:28:46 +0000 (09:28 +0100)]
cgroups: ensure leaf cgroup is correctly pruned on creation failure
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 08:14:33 +0000 (09:14 +0100)]
cgroups: rework cgroup tree removal on creation failure
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 08:06:37 +0000 (09:06 +0100)]
cgroups: remove obsolete check
In the new layout we don't need to do this.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 08:04:03 +0000 (09:04 +0100)]
cgroups: reorder function arguments
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 17 Feb 2021 01:27:03 +0000 (20:27 -0500)]
Merge pull request #3678 from brauner/2021-02-17/unified_controller_delegation
cgroups: rework unified cgroup controller delegation
Christian Brauner [Wed, 17 Feb 2021 00:43:51 +0000 (01:43 +0100)]
start: delegate then move into the target cgroup
This is a way more sensible model.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 00:20:00 +0000 (01:20 +0100)]
cgroups: rework unified controller delegation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 00:10:27 +0000 (01:10 +0100)]
cgroups: check correct variable
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Wed, 17 Feb 2021 00:05:09 +0000 (01:05 +0100)]
cgroups: s/openat()/open_at()/g
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Stéphane Graber [Wed, 17 Feb 2021 00:16:38 +0000 (19:16 -0500)]
Merge pull request #3677 from brauner/2021-02-17/cgroup_pruning
cgroups: fd-only cgroup tree pruning
Stéphane Graber [Wed, 17 Feb 2021 00:16:23 +0000 (19:16 -0500)]
Merge pull request #3676 from brauner/2021-02-16/fixes
cgroups: fixes
Christian Brauner [Tue, 16 Feb 2021 23:49:41 +0000 (00:49 +0100)]
cgroups: remove obsolete cgroup_tree handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 22:05:23 +0000 (23:05 +0100)]
cgroups: fd-only cgroup tree pruning
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 19:53:16 +0000 (20:53 +0100)]
file_utils: move dup_cloexec() to header
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 22:18:45 +0000 (23:18 +0100)]
cgroups: prevent double-close
Fixes: Coverity 1473183
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 22:06:40 +0000 (23:06 +0100)]
Stéphane Graber [Tue, 16 Feb 2021 21:37:42 +0000 (16:37 -0500)]
Merge pull request #3675 from brauner/2021-02-16/fixes
cgroups: second batch of cgroup fixes
Christian Brauner [Tue, 16 Feb 2021 17:43:28 +0000 (18:43 +0100)]
cgroups: rework how hierarchies are added
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 17:38:26 +0000 (18:38 +0100)]
cgroups: fix fd leaks
They didn't really matter because we want to keep them around for as long as
the container lives anyway.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 16:56:31 +0000 (17:56 +0100)]
cgroups: allow "" base cgroup paths
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 16:51:57 +0000 (17:51 +0100)]
string_utils: handle empty strings in must_make_path()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 16:47:27 +0000 (17:47 +0100)]
cgroups: improve logging
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 16:08:15 +0000 (17:08 +0100)]
cgroups: rework legacy cpuset handling
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 14:32:16 +0000 (15:32 +0100)]
cgroups: fd-based only cgroup creation
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 12:36:13 +0000 (13:36 +0100)]
cgroups: stash fds for the controller mountpoint and base cgroup path
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner [Tue, 16 Feb 2021 12:28:48 +0000 (13:28 +0100)]
cgroups: fail when no cgroup hierarchies are found
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>