Fix `lxc-cgroup` smart completion.

Also make bash function more readable for itself.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Refactor ` __lxc_check_name_present()`.

Print name of container found, if any.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Check completion for prefixes names.

If a name is a prefix of another word available for completion, adjust
to show all words with given prefix.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add `__lxc_cgroup_state_object()`.

Support cgroup state-object completion values for `lxc-cgroup`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Update `_lxc_usernsexec`.

Not really much can be done for this function, as `-m` requires an ID
mapping that has to be manually input, since it will use
`/etc/sub{g,u}id` if not specified.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add completion for `lxc-copy` param `--fssize`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add `__lxc_get_selinux_contexts()`.

List SElinux contexts available. Not clear if this could be only for
root or if normal user with `sudo` is also supported.

Using `Fedora34` for basic testing.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Refactor `__lxc_groups()` to `__lxc_get_groups()`.

Make code logic be more clear to what it is being done.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Another round of more bash-like syntax.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Fix `lxc-create` completion.

Do not append a name of an existing container.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add support for comma as a completion word.

For `lxc-ls --groups` and `lxc-autostart --groups`.
Support leading comma, trailing comma, embedded double comma.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Refactor `__lxc_piped_args`.

Use bash functions for common array operations. Keep code logic somewhat
easy to read for bug hunting.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Fix `lxc-snapshot` completion.

For options `-r,--restore` and `-d,--destroy`, we need the container
name to create the list of completion values.

Therefore, it is needed to scan the current command line to check if
there is a container name available.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Use more bash-like syntax.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add support for container composed names.

When a container name has whitespace in it
(e.g. created by `lxc-create -t download -n "arch linux"` ),
the completion for other commands should be able to work by adding a
backslash to escape it.

Although it may be interesting to support names between quotes, this
would probably means to have to add quotes to all names. Might not be
interesting just due to an edge case.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add completion output for `lxc-ls --fancy-format`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Improve name completion handling.

Use regex to handle short option `-n`, since short options can be
combined (e.g. `-nd`) as long as at max one requires an argument.

Also consider the case when the arg for the long option is not given
together with `--name=`.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Add `compopt` call to `__lxc_piped_args`.

On pair with how other functions do it. Also, be smarter about adding
whitespace when there are no more completions available for the
parameter.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Use `--running` instead of `--active`.

Commands block if container is frozen.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Fill missing commands on name completion.

Signed-off-by: Edênis Freindorfer Azevedo <edenisfa@gmail.com>

Merge pull request #3962 from brauner/2021-09-02.fixes

tree-wide: build fixes

tree-wide: fix build

Fixes: #3960
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

include: make all functions __hidden

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3959 from brauner/2021-09-01.fixes

configure: add sanitizer flags to LDFLAGS as well

configure: add sanitizer flags to LDFLAGS as well

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3957 from brauner/2021-08-27.list.2

conf: port more types to new list type

lxccontainer: don't pass NULL pointer

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: fail when container can't be loaded

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: remove useless {}

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: use free_disarm() in list_all_containers()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-usernsexec: small tweaks

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: fix list_entry()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3954 from blenk92/fix-attach-c2

attach: Fix -c option v2 :-D

attach: Fix -c command

Currently, the -c command (to set the selinux context) seems to be
broken because the passed context is ignored and always overwritten by
the context specified in the config file. The intention behind the -c
imho was to be able to manually overwrite this behavior. This patch
ensures that the selinux context will be set if passed via the command
line.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

lxccontainer: tweak some array handling helpers

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: improve add_to_clist()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxccontainer: improve add_to_array()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port groups to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port hooks to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port apparmor to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3956 from brauner/2021-08-27.list

conf: port more types to new list type

conf: port mounts to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix bpf device list

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: port ipv6 routes to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: port ipv4 routes to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: fix cgroup settings sorting

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3955 from brauner/2021-08-26.list.2

conf: port more types to new list type

lxccontainer: align initialization

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: s/ipv{4,6}_list/ipv{4,6}_addresses/g

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

network: port ipv6 addresses to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3953 from brauner/2021-08-26.list

conf: port more types to new list type

network: port ipv4 to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3952 from brauner/2021-08-25.list.2

conf: port more types to new list type

conf: simplify and port caps to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroup: remove unneeded forward declaration

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: remove unused struct member

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port environment to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove unused variables

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: switch to parse_mount_attrs() even for legacy mount()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: support recursive propagation options properly

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: rework recursive mount option handling

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

rootfs: remove "options" member

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: remove unused mountflags nember

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port id_map to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port cgroup settings to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port procs to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port sysctls to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: port rlimits to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3950 from brauner/2021-08-25.list

tree-wide: introduce new list type and port network handling to it

conf: port state_clients to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

mainloop: port handlers to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: port bpf devices to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tree-wide: port network handling to new list type

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

list: add new kernel-based list implementation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3949 from brauner/2021-08-24.attach

tools: lxc-attach fixes

Merge pull request #3948 from brauner/2021-08-24.fixes

confile: return negative errno everywhere

tools: fix elevated privilege handler in lxc-attach

Make sure to return an error when the user requests an LSM profile to be
set while also requesting that elevated LSM privileges are to be used.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: rework lxc_fill_elevated_privileges()

Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach_options: add LXC_ATTACH_LSM_LABEL to LXC_ATTACH_LSM flags

Cc: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: align struct initialization

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tools: fix variable declarations in lxc-attach

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

attach: allow LSM attach without new mnt namespace

Currently, the -c command (to set the selinux context) seems to be
broken because lxc-attach expects that also a new mount namespace
is specified via command line. This commit remove the check for the new
mount namespace to fix this issue. Please note that the
--elevated-privileges option is not affected by this issue.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: return negative errno everywhere

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3947 from blenk92/fix-missing-seccomp

config: enable seccomp profile only when compiled with libseccomp

config: enable seccomp profile only when compiled with libseccomp

Make lxc fail if seccomp.profile is specified but lxc is compiled
without seccomp support. Currently, seccomp.profile is silently ignored
if is specified in such a scenario. This could lead to the false
impression that the seccomp filter is applied while it actually isn't.

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

Merge pull request #3943 from brauner/2021-08-19.fixes

seccomp: fix complication when !HAVE_DECL_SECCOMP_NOTIFY_FD

seccomp: fix complication when !HAVE_DECL_SECCOMP_NOTIFY_FD

[2021-08-18 05:48:26] [build-stdout] mv -f $depbase.Tpo $depbase.Po
[2021-08-18 05:48:26] [build-stderr] seccomp.c: In function ‘seccomp_notify_cleanup_handler’:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1367:25: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1367 |  if (fd == conf->seccomp.notifier.notify_fd)
[2021-08-18 05:48:26] [build-stderr]       |                         ^
[2021-08-18 05:48:26] [build-stderr] In file included from af_unix.h:12,
[2021-08-18 05:48:26] [build-stderr]                  from seccomp.c:14:
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1368 |   fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr]       |                             ^
[2021-08-18 05:48:26] [build-stderr] macro.h:655:26: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr]   655 |   int __internal_fd__ = (fd); \
[2021-08-18 05:48:26] [build-stderr]       |                          ^~
[2021-08-18 05:48:26] [build-stderr] seccomp.c:1368:29: error: ‘struct lxc_seccomp’ has no member named ‘notifier’
[2021-08-18 05:48:26] [build-stderr]  1368 |   fd = move_fd(conf->seccomp.notifier.notify_fd);
[2021-08-18 05:48:26] [build-stderr]       |                             ^
[2021-08-18 05:48:26] [build-stderr] macro.h:656:4: note: in definition of macro ‘move_fd’
[2021-08-18 05:48:26] [build-stderr]   656 |   (fd) = -EBADF;              \
[2021-08-18 05:48:26] [build-stderr]       |    ^~
[2021-08-18 05:48:26] [build-stderr] make[3]: *** [Makefile:4496: seccomp.o] Error 1
[2021-08-18 05:48:26] [build-stdout] make[3]: Leaving directory '/opt/src/src/lxc'
[2021-08-18 05:48:26] [build-stdout] make[2]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stdout] make[1]: Leaving directory '/opt/src/src'
[2021-08-18 05:48:26] [build-stderr] make[2]: *** [Makefile:440: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] make[1]: *** [Makefile:379: all] Error 2
[2021-08-18 05:48:26] [build-stderr] make: *** [Makefile:537: all-recursive] Error 1
[2021-08-18 05:48:26] [build-stderr] + '[' -f build.ninja ']'
[2021-08-18 05:48:26] [build-stdout] Semmle autobuild: no supported build system detected.
[2021-08-18 05:48:26] [build-stderr] + '[' -d ../_lgtm_build_dir ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build ']'
[2021-08-18 05:48:26] [build-stderr] + for f in build build.sh
[2021-08-18 05:48:26] [build-stderr] + '[' -x build.sh ']'
[2021-08-18 05:48:26] [build-stderr] + '[' -f setup.py ']'
[2021-08-18 05:48:26] [build-stderr] + echo 'Semmle autobuild: no supported build system detected.'
[2021-08-18 05:48:26] [build-stderr] + exit 1
[2021-08-18 05:48:26] [ERROR] Spawned process exited abnormally (code 1; tried to run: [/opt/dist/tools/linux64/preload_tracer, /opt/dist/cpp/tools/do-build])
[2021-08-18 05:48:26] [build-stderr] A fatal error occurred: Exit status 1 from command: [/opt/dist/cpp/tools/do-build]
[2021-08-18 05:48:26] [build-stderr] deptrace-server: received exit command
[2021-08-18 05:48:27] [ERROR] Spawned process exited abnormally (code 2; tried to run: [/opt/work/lgtm-workspace/lgtm/extract.sh])
A fatal error occurred: Exit status 2 from command: [/opt/work/lgtm-workspace/lgtm/extract.sh]

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Merge pull request #3940 from brauner/2021-08-16.fixes.2

tests: only rely on busybox template getting rid of all network dependencies; terminal: allow for tty allocation even when container did not request separate devpts instance

tests: use busybox in lxc-test-usernic.in

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: use busybox in lxc-test-unpriv

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: use busybox in lxc-test-no-new-privs

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

test: use busybox in lxc-test-autostart

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

test: use busybox in lxc-test-apparmor-mount

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

test: use busybox in lxc-test-apparmor-generated

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

tests: fix order in sys_mixed

We need to set the config item after we loaded the config obviously.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: allow for tty allocation even when container did not request separate devpts instance

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

busybox: simplify

Start relying on autodev for busybox template and wipe all the device
creation.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

busybox: mount sys:ro

There's no udev so sys doesn't need to be read-write.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

terminal: use /dev/ptmx when allocating pty devices from devpts instances we didn't mount ourselves

When we aren't told what devpts instance to allocate from we assume it
is the one in the caller's mount namespace.
This poses a slight complication, a lot of distros will change
permissions on /dev/ptmx so it can be opened by unprivileged users but
will not change permissions on /dev/pts/ptmx itself. In addition,
/dev/ptmx can either be a symlink, a bind-mount, or a separate device
node. So we need to allow for fairly lax lookup.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

file_utils: add same_device() helper

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>