Merge pull request #2823 from brauner/2019-02-05/compiler_based_hardening

compiler: hardening

Merge pull request #2823 from brauner/2019-02-05/compiler_based_hardening
4e950c76 · Stéphane Graber · GitHub · 1fba6a85 · a7547c5c · 4e950c76
Unverified Commit 4e950c76 authored Feb 05, 2019 by Stéphane Graber Committed by GitHub Feb 05, 2019
21 changed files
--- a/configure.ac
+++ b/configure.ac
@@ -690,8 +690,9 @@ AC_PROG_SED
 # See if we support thread-local storage.
 LXC_CHECK_TLS
+# Hardening flags
 AX_CHECK_COMPILE_FLAG([-fdiagnostics-color], [CFLAGS="$CFLAGS -fdiagnostics-color"],,[-Werror])
-AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [CFLAGS="$CFLAGS -Wimplicit-fallthrough"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough=5], [CFLAGS="$CFLAGS -Wimplicit-fallthrough=5"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wcast-align], [CFLAGS="$CFLAGS -Wcast-align"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Wstrict-prototypes], [CFLAGS="$CFLAGS -Wstrict-prototypes"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"],,[-Werror])
@@ -700,6 +701,16 @@ AX_CHECK_LINK_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protecto
 AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([--mcet -fcf-protection], [CFLAGS="$CFLAGS --mcet -fcf-protection"],,[-Werror])
 AX_CHECK_COMPILE_FLAG([-Werror=implicit-function-declaration], [CFLAGS="$CFLAGS -Werror=implicit-function-declaration"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wlogical-op], [CFLAGS="$CFLAGS -Wlogical-op"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wmissing-include-dirs], [CFLAGS="$CFLAGS -Wmissing-include-dirs"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wold-style-definition], [CFLAGS="$CFLAGS -Wold-style-definition"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Winit-self], [CFLAGS="$CFLAGS -Winit-self"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wfloat-equal], [CFLAGS="$CFLAGS -Wfloat-equal"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wsuggest-attribute=noreturn], [CFLAGS="$CFLAGS -Wsuggest-attribute=noreturn"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Werror=return-type], [CFLAGS="$CFLAGS -Werror=return-type"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Werror=incompatible-pointer-types], [CFLAGS="$CFLAGS -Werror=incompatible-pointer-types"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wformat=2], [CFLAGS="$CFLAGS -Wformat=2"],,[-Werror])
+AX_CHECK_COMPILE_FLAG([-Wshadow], [CFLAGS="$CFLAGS -Wshadow"],,[-Werror])
 AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
 AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])

--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -1351,10 +1351,10 @@ int lxc_attach(const char *name, const char *lxcpath,
 		if ((options->namespaces & CLONE_NEWNS) &&
 		    (options->attach_flags & LXC_ATTACH_LSM) &&
 		    init_ctx->lsm_label) {
-			int ret = -1;
 			int labelfd;
 			bool on_exec;
+			ret = -1;
 			on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
 			labelfd = lsm_process_label_fd_get(attached_pid, on_exec);
 			if (labelfd < 0)

--- a/src/lxc/cmd/lxc_user_nic.c
+++ b/src/lxc/cmd/lxc_user_nic.c
@@ -1250,7 +1250,6 @@ int main(int argc, char *argv[])
 	free(me);
 	if (request == LXC_USERNIC_DELETE) {
-		int ret;
 		struct alloted_s *it;
 		bool found_nicname = false;

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3377,7 +3377,6 @@ again:
 	}
 	while (getline(&line, &len, f) != -1) {
-		int ret;
 		char *opts, *target;
 		target = get_field(line, 4);

--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -388,7 +388,7 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf,
 		goto err;
 	while (getmntent_r(mnts, &mntent, buf, sizeof(buf))) {
-		char *fmt, *key, *val, *mntdata;
+		char *mntdata;
 		char arg[2 * PATH_MAX + 2];
 		unsigned long flags;
@@ -401,17 +401,12 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf,
 		if (!(flags & MS_BIND))
 			continue;
-		if (strcmp(opts->action, "dump") == 0) {
+		if (strcmp(opts->action, "dump") == 0)
-			fmt = "/%s:%s";
+			ret = snprintf(arg, sizeof(arg), "/%s:%s",
-			key = mntent.mnt_dir;
+				       mntent.mnt_dir, mntent.mnt_dir);
-			val = mntent.mnt_dir;
+		else
-		} else {
+			ret = snprintf(arg, sizeof(arg), "%s:%s",
-			fmt = "%s:%s";
+				       mntent.mnt_dir, mntent.mnt_fsname);
-			key = mntent.mnt_dir;
-			val = mntent.mnt_fsname;
-		}
-		ret = snprintf(arg, sizeof(arg), fmt, key, val);
 		if (ret < 0 || ret >= sizeof(arg)) {
 			fclose(mnts);
 			ERROR("snprintf failed");
@@ -547,7 +542,6 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf,
 		lxc_list_for_each(it, &opts->c->lxc_conf->network) {
 			size_t retlen;
 			char eth[128], *veth;
-			char *fmt;
 			struct lxc_netdev *n = it->elem;
 			bool external_not_veth;
@@ -579,18 +573,23 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf,
 				if (n->link[0] != '\0') {
 					if (external_not_veth)
-						fmt = "veth[%s]:%s@%s";
+						ret = snprintf(buf, sizeof(buf),
+							       "veth[%s]:%s@%s",
+							       eth, veth,
+							       n->link);
 					else
-						fmt = "%s=%s@%s";
+						ret = snprintf(buf, sizeof(buf),
+							       "%s=%s@%s", eth,
-					ret = snprintf(buf, sizeof(buf), fmt, eth, veth, n->link);
+							       veth, n->link);
 				} else {
 					if (external_not_veth)
-						fmt = "veth[%s]:%s";
+						ret = snprintf(buf, sizeof(buf),
+							       "veth[%s]:%s",
+							       eth, veth);
 					else
-						fmt = "%s=%s";
+						ret = snprintf(buf, sizeof(buf),
+							       "%s=%s", eth,
-					ret = snprintf(buf, sizeof(buf), fmt, eth, veth);
+							       veth);
 				}
 				if (ret < 0 || ret >= sizeof(buf))
 					goto err;
@@ -1071,7 +1070,6 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
 		rmdir(rootfs->mount);
 		goto out_fini_handler;
 	} else {
-		int ret;
 		char title[2048];
 		close(pipes[1]);
@@ -1300,7 +1298,6 @@ static bool do_dump(struct lxc_container *c, char *mode, struct migrate_opts *op
 		int status;
 		ssize_t n;
 		char buf[4096];
-		bool ret;
 		close(criuout[1]);

--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -122,14 +122,20 @@ static char *lxc_log_get_va_msg(struct lxc_log_event *event)
 		return NULL;
 	va_copy(args, *event->vap);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 	len = vsnprintf(NULL, 0, event->fmt, args) + 1;
+#pragma GCC diagnostic pop
 	va_end(args);
 	msg = malloc(len * sizeof(char));
 	if (!msg)
 		return NULL;
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 	rc = vsnprintf(msg, len, event->fmt, *event->vap);
+#pragma GCC diagnostic pop
 	if (rc == -1 || rc >= len) {
 		free(msg);
 		return NULL;
@@ -183,7 +189,10 @@ static int log_append_stderr(const struct lxc_log_appender *appender,
 	        log_container_name ? ": " : "");
 	fprintf(stderr, "%s: %s: %d ", event->locinfo->file,
 	        event->locinfo->func, event->locinfo->line);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 	vfprintf(stderr, event->fmt, *event->vap);
+#pragma GCC diagnostic pop
 	fprintf(stderr, "\n");
 	return 0;
@@ -349,7 +358,10 @@ static int log_append_logfile(const struct lxc_log_appender *appender,
 		return n;
 	if ((size_t)n < STRARRAYLEN(buffer)) {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 		ret = vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, *event->vap);
+#pragma GCC diagnostic pop
 		if (ret < 0)
 			return 0;

--- a/src/lxc/log.h
+++ b/src/lxc/log.h
@@ -342,9 +342,9 @@ ATTR_UNUSED static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo,	\
 			char errno_buf[PATH_MAX / 2] = {"Failed to get errno string"};   \
 			char *ptr = NULL;                                                \
 			{                                                                \
-				int saved_errno = errno;				 \
+				int __saved_errno = errno;				 \
 				ptr = strerror_r(errno, errno_buf, sizeof(errno_buf));   \
-				errno = saved_errno;					 \
+				errno = __saved_errno;					 \
 				if (!ptr)                                                \
 					ptr = errno_buf;                                 \
 			}
@@ -353,9 +353,9 @@ ATTR_UNUSED static inline void LXC_##LEVEL(struct lxc_log_locinfo* locinfo,	\
 			char errno_buf[PATH_MAX / 2] = {"Failed to get errno string"};   \
 			char *ptr = errno_buf;                                           \
 			{                                                                \
-				int saved_errno = errno;				 \
+				int __saved_errno = errno;				 \
 				(void)strerror_r(errno, errno_buf, sizeof(errno_buf));   \
-				errno = saved_errno;					 \
+				errno = __saved_errno;					 \
 			}
 	#endif
 #elif ENFORCE_THREAD_SAFETY

--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1041,7 +1041,7 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
 	 * right PID.
 	 */
 	if (c->pidfile) {
-		int ret, w;
+		int w;
 		char pidstr[INTTYPE_TO_STRLEN(pid_t)];
 		w = snprintf(pidstr, sizeof(pidstr), "%d", lxc_raw_getpid());
@@ -2439,8 +2439,7 @@ static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface,
 	if (pid == 0) {
 		ssize_t nbytes;
 		char addressOutputBuffer[INET6_ADDRSTRLEN];
-		int ret = 1;
+		char *address_ptr = NULL;
-		char *address = NULL;
 		void *tempAddrPtr = NULL;
 		struct netns_ifaddrs *interfaceArray = NULL, *tempIfAddr = NULL;
@@ -2489,16 +2488,16 @@ static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface,
 			else if (!interface && strcmp("lo", tempIfAddr->ifa_name) == 0)
 				continue;
-			address = (char *)inet_ntop(tempIfAddr->ifa_addr->sa_family,
+			address_ptr = (char *)inet_ntop(tempIfAddr->ifa_addr->sa_family,
 						    tempAddrPtr, addressOutputBuffer,
 						    sizeof(addressOutputBuffer));
-			if (!address)
+			if (!address_ptr)
 				continue;
-			nbytes = lxc_write_nointr(pipefd[1], address, INET6_ADDRSTRLEN);
+			nbytes = lxc_write_nointr(pipefd[1], address_ptr, INET6_ADDRSTRLEN);
 			if (nbytes != INET6_ADDRSTRLEN) {
 				SYSERROR("Failed to send ipv6 address \"%s\"",
-					 address);
+					 address_ptr);
 				goto out;
 			}

--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -2116,8 +2116,6 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, const char *lxcna
 	}
 	if (child == 0) {
-		int ret;
-		size_t retlen;
 		char pidstr[INTTYPE_TO_STRLEN(pid_t)];
 		close(pipefd[0]);
@@ -2280,7 +2278,6 @@ static int lxc_delete_network_unpriv_exec(const char *lxcpath, const char *lxcna
 	if (child == 0) {
 		char *hostveth;
-		int ret;
 		close(pipefd[0]);
@@ -2925,8 +2922,6 @@ static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev *netdev)
 	/* set the network device up */
 	if (netdev->flags & IFF_UP) {
-		int err;
 		err = lxc_netdev_up(current_ifname);
 		if (err) {
 			errno = -err;

--- a/src/lxc/pam/pam_cgfs.c
+++ b/src/lxc/pam/pam_cgfs.c
@@ -297,8 +297,11 @@ static void mysyslog(int err, const char *format, ...)
 	va_list args;
 	va_start(args, format);
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
 	openlog("PAM-CGFS", LOG_CONS | LOG_PID, LOG_AUTH);
 	vsyslog(err, format, args);
+#pragma GCC diagnostic pop
 	va_end(args);
 	closelog();
 }

--- a/src/lxc/storage/lvm.c
+++ b/src/lxc/storage/lvm.c
@@ -264,6 +264,7 @@ int lvm_umount(struct lxc_storage *bdev)
 	return umount(bdev->dest);
 }
+#define __LVSCMD "lvs --unbuffered --noheadings -o lv_attr %s 2>/dev/null"
 int lvm_compare_lv_attr(const char *path, int pos, const char expected)
 {
 	struct lxc_popen_FILE *f;
@@ -272,12 +273,11 @@ int lvm_compare_lv_attr(const char *path, int pos, const char expected)
 	char *cmd;
 	char output[12];
 	int start = 0;
-	const char *lvscmd = "lvs --unbuffered --noheadings -o lv_attr %s 2>/dev/null";
-	len = strlen(lvscmd) + strlen(path) + 1;
+	len = strlen(__LVSCMD) + strlen(path) + 1;
 	cmd = alloca(len);
-	ret = snprintf(cmd, len, lvscmd, path);
+	ret = snprintf(cmd, len, __LVSCMD, path);
 	if (ret < 0 || (size_t)ret >= len)
 		return -1;

--- a/src/lxc/storage/overlay.c
+++ b/src/lxc/storage/overlay.c
@@ -86,7 +86,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
 	if (strcmp(orig->type, "dir") == 0) {
 		char *delta, *lastslash;
 		char *work;
-		int ret, len, lastslashidx;
+		int len, lastslashidx;
 		/* If we have "/var/lib/lxc/c2/rootfs" then delta will be
 		 * "/var/lib/lxc/c2/delta0".
@@ -194,7 +194,7 @@ int ovl_clonepaths(struct lxc_storage *orig, struct lxc_storage *new, const char
 		char *clean_old_path, *clean_new_path;
 		char *lastslash, *ndelta, *nsrc, *odelta, *osrc, *s1, *s2, *s3,
 		    *work;
-		int ret, lastslashidx;
+		int lastslashidx;
 		size_t len, name_len;
 		osrc = strdup(orig->src);

--- a/src/lxc/storage/storage.c
+++ b/src/lxc/storage/storage.c
@@ -355,7 +355,6 @@ struct lxc_storage *storage_copy(struct lxc_container *c, const char *cname,
 	}
 	if (!orig->dest) {
-		int ret;
 		size_t len;
 		struct stat sb;

--- a/src/lxc/storage/zfs.c
+++ b/src/lxc/storage/zfs.c
@@ -468,7 +468,6 @@ int zfs_clonepaths(struct lxc_storage *orig, struct lxc_storage *new,
 	orig_src = lxc_storage_get_path(orig->src, orig->type);
 	if (!strcmp(orig->type, "zfs")) {
-		size_t len;
 		if (*orig_src == '/') {
 			bool found;
@@ -594,8 +593,6 @@ int zfs_destroy(struct lxc_storage *orig)
 	 * "<lxcpath>/<lxcname>/rootfs" is given.
 	 */
 	if (*src == '/') {
-		char *tmp;
 		found = zfs_list_entry(src, cmd_output, sizeof(cmd_output));
 		if (!found) {
 			ERROR("Failed to find zfs entry \"%s\"", orig->src);

--- a/src/lxc/string_utils.c
+++ b/src/lxc/string_utils.c
@@ -295,19 +295,22 @@ char *lxc_append_paths(const char *first, const char *second)
 	int ret;
 	size_t len;
 	char *result = NULL;
-	const char *pattern = "%s%s";
+	int pattern_type = 0;
 	len = strlen(first) + strlen(second) + 1;
 	if (second[0] != '/') {
 		len += 1;
-		pattern = "%s/%s";
+		pattern_type = 1;
 	}
 	result = calloc(1, len);
 	if (!result)
 		return NULL;
-	ret = snprintf(result, len, pattern, first, second);
+	if (pattern_type == 0)
+		ret = snprintf(result, len, "%s%s", first, second);
+	else
+		ret = snprintf(result, len, "%s/%s", first, second);
 	if (ret < 0 || (size_t)ret >= len) {
 		free(result);
 		return NULL;

--- a/src/lxc/tools/lxc_info.c
+++ b/src/lxc/tools/lxc_info.c
@@ -274,28 +274,28 @@ static void print_stats(struct lxc_container *c)
 	}
 }
-static void print_info_msg_int(const char *key, int value)
+static void print_info_msg_int(const char *k, int value)
 {
 	if (humanize)
-		printf("%-15s %d\n", key, value);
+		printf("%-15s %d\n", k, value);
 	else {
 		if (filter_count == 1)
 			printf("%d\n", value);
 		else
-			printf("%-15s %d\n", key, value);
+			printf("%-15s %d\n", k, value);
 	}
 	fflush(stdout);
 }
-static void print_info_msg_str(const char *key, const char *value)
+static void print_info_msg_str(const char *k, const char *value)
 {
 	if (humanize)
-		printf("%-15s %s\n", key, value);
+		printf("%-15s %s\n", k, value);
 	else {
 		if (filter_count == 1)
 			printf("%s\n", value);
 		else
-			printf("%-15s %s\n", key, value);
+			printf("%-15s %s\n", k, value);
 	}
 	fflush(stdout);
 }

--- a/src/lxc/tools/lxc_ls.c
+++ b/src/lxc/tools/lxc_ls.c
@@ -512,8 +512,6 @@ static int ls_get(struct ls **m, size_t *size, const struct lxc_arguments *args,
 				l->unprivileged = !(val == NULL);
 				free(val);
 			} else {
-				int ret;
 				ret = c->get_config_item(c, "lxc.idmap", NULL, 0);
 				l->unprivileged = !(ret == 0);
 			}

--- a/src/lxc/tools/lxc_unshare.c
+++ b/src/lxc/tools/lxc_unshare.c
@@ -64,7 +64,7 @@ struct start_arg {
 static int my_parser(struct lxc_arguments *args, int c, char *arg);
 static inline int sethostname_including_android(const char *name, size_t len);
 static int get_namespace_flags(char *namespaces);
-static bool lookup_user(const char *optarg, uid_t *uid);
+static bool lookup_user(const char *oparg, uid_t *uid);
 static int mount_fs(const char *source, const char *target, const char *type);
 static void lxc_setup_fs(void);
 static int do_start(void *arg);
@@ -180,7 +180,7 @@ static int get_namespace_flags(char *namespaces)
 	return flags;
 }
-static bool lookup_user(const char *optarg, uid_t *uid)
+static bool lookup_user(const char *oparg, uid_t *uid)
 {
 	char name[PATH_MAX];
 	struct passwd pwent;
@@ -189,7 +189,7 @@ static bool lookup_user(const char *optarg, uid_t *uid)
 	size_t bufsize;
 	int ret;
-	if (!optarg || (optarg[0] == '\0'))
+	if (!oparg || (oparg[0] == '\0'))
 		return false;
 	bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
@@ -200,9 +200,9 @@ static bool lookup_user(const char *optarg, uid_t *uid)
 	if (!buf)
 		return false;
-	if (sscanf(optarg, "%u", uid) < 1) {
+	if (sscanf(oparg, "%u", uid) < 1) {
 		/* not a uid -- perhaps a username */
-		if (sscanf(optarg, "%s", name) < 1) {
+		if (sscanf(oparg, "%s", name) < 1) {
 			free(buf);
 			return false;
 		}
@@ -431,24 +431,24 @@ int main(int argc, char *argv[])
 	if (lxc_list_len(&ifnames) > 0) {
 		struct lxc_list *iterator;
 		char* ifname;
-		pid_t pid;
+		pid_t lpid;
 		lxc_list_for_each(iterator, &ifnames) {
 			ifname = iterator->elem;
 			if (!ifname)
 				continue;
-			pid = fork();
+			lpid = fork();
-			if (pid < 0) {
+			if (lpid < 0) {
 				SYSERROR("Failed to move network device \"%s\" to network namespace",
 				         ifname);
 				continue;
 			}
-			if (pid == 0) {
+			if (lpid == 0) {
 				char buf[256];
-				ret = snprintf(buf, 256, "%d", pid);
+				ret = snprintf(buf, 256, "%d", lpid);
 				if (ret < 0 || ret >= 256)
 					_exit(EXIT_FAILURE);
@@ -456,9 +456,9 @@ int main(int argc, char *argv[])
 				_exit(EXIT_FAILURE);
 			}
-			if (wait_for_pid(pid) != 0)
+			if (wait_for_pid(lpid) != 0)
 				SYSERROR("Could not move interface \"%s\" into container %d",
-				         ifname, pid);
+				         ifname, lpid);
 		}
 		free_ifname_list();

--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -48,7 +48,6 @@ AM_CFLAGS=-DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
 	  -DRUNTIME_PATH=\"$(RUNTIME_PATH)\" \
 	  -I $(top_srcdir)/src \
 	  -I $(top_srcdir)/src/lxc \
-	  -I $(top_srcdir)/src/lxc/bdev \
 	  -I $(top_srcdir)/src/lxc/cgroups \
 	  -I $(top_srcdir)/src/lxc/tools \
 	  -pthread

--- a/src/tests/share_ns.c
+++ b/src/tests/share_ns.c
@@ -269,8 +269,6 @@ int main(int argc, char *argv[])
 		lxc_debug("Starting namespace sharing test iteration %d\n", j);
 		for (i = 0; i < 10; i++) {
-			int ret;
 			args[i].thread_id = i;
 			args[i].success = false;
 			args[i].init_pid = init_pid;
@@ -283,8 +281,6 @@ int main(int argc, char *argv[])
 		}
 		for (i = 0; i < 10; i++) {
-			int ret;
 			ret = pthread_join(threads[i], NULL);
 			if (ret != 0)
 				goto on_error_stop;

--- a/src/tests/state_server.c
+++ b/src/tests/state_server.c
@@ -38,7 +38,7 @@ struct thread_args {
 	struct lxc_container *c;
 };
-void *state_wrapper(void *data)
+static void *state_wrapper(void *data)
 {
 	struct thread_args *args = data;
@@ -108,8 +108,6 @@ int main(int argc, char *argv[])
 		sleep(5);
 		for (i = 0; i < 10; i++) {
-			int ret;
 			args[i].thread_id = i;
 			args[i].c = c;
 			args[i].timeout = -1;
@@ -123,8 +121,6 @@ int main(int argc, char *argv[])
 		}
 		for (i = 0; i < 10; i++) {
-			int ret;
 			ret = pthread_join(threads[i], NULL);
 			if (ret != 0)
 				goto on_error_stop;