Merge pull request #3867 from brauner/2021-06-14.fixes

config/templates/common.conf.in

@@ -77,7 +77,7 @@ lxc.cgroup2.devices.allow = c 10:229 rwm
 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
 lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 
-# Blacklist some syscalls which are not safe in privileged
+# Block some syscalls which are not safe in privileged
 # containers
 lxc.seccomp.profile = @LXCTEMPLATECONFIG@/common.seccomp
 

doc/examples/lxc-complex.conf.in

@@ -17,7 +17,7 @@ lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
 
 lxc.net.0.type = phys
 lxc.net.0.flags = up
-lxc.net.0.link = dummy0
+lxc.net.0.link = random0
 lxc.net.0.hwaddr = 4a:49:43:49:79:ff
 lxc.net.0.ipv4.address = 10.2.3.6/24
 lxc.net.0.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297

doc/ja/lxc-user-nic.sgml.in

@@ -91,7 +91,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
       <!--
       It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
       to determine the number of interfaces which the calling user is allowed to
-      create, and which bridge he may attach them to.  It tracks the
+      create, and which bridge they may attach them to.  It tracks the
       number of interfaces each user has created using the file
       <filename>@LXC_USERNIC_DB@</filename>.  It ensures that the calling
       user is privileged over the network namespace to which the interface

doc/ja/lxc.container.conf.sgml.in

@@ -1487,7 +1487,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         the container at some <filename>path</filename>, and then mounts
         under <filename>path</filename>, then a TOCTTOU attack would be
         possible where the container user modifies a symbolic link under
-        his home directory at just the right time.
+        their home directory at just the right time.
           -->
         注意: 通常 LXC は、マウント対象と相対パス指定のバインドマウントを、適切にコンテナルート以下に閉じ込めます。
         これは、ホストのディレクトリやファイルに対して重ね合わせを行うようなマウントによる攻撃を防ぎます。(絶対パス指定のマウントソース中の各パスがシンボリックリンクである場合は無視されます。)
@@ -3844,7 +3844,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
         lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
         lxc.net.2.type = phys
         lxc.net.2.flags = up
-        lxc.net.2.link = dummy0
+        lxc.net.2.link = random0
         lxc.net.2.hwaddr = 4a:49:43:49:79:ff
         lxc.net.2.ipv4.address = 10.2.3.6/24
         lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297

doc/ko/lxc-user-nic.sgml.in

@@ -76,7 +76,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
       <!--
       It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
       to determine the number of interfaces which the calling user is allowed to
-      create, and which bridge he may attach them to.  It tracks the
+      create, and which bridge they may attach them to.  It tracks the
       number of interfaces each user has created using the file
       <filename>@LXC_USERNIC_DB@</filename>.  It ensures that the calling
       user is privileged over the network namespace to which the interface

doc/ko/lxc.container.conf.sgml.in

@@ -1060,7 +1060,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
         the container at some <filename>path</filename>, and then mounts
         under <filename>path</filename>, then a TOCTTOU attack would be
         possible where the container user modifies a symbolic link under
-        his home directory at just the right time.
+        their home directory at just the right time.
         -->
         주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. 이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 링크들은 무시될 것이다.)
         하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 내의 <filename>path</filename>에 먼저 마운트 하고 나서,  <filename>path</filename> 내에 또 마운트를 하는 경우가 있다면,
@@ -2613,7 +2613,7 @@ mknod errno 0
 	lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
 	lxc.net.2.type = phys
 	lxc.net.2.flags = up
-	lxc.net.2.link = dummy0
+	lxc.net.2.link = random0
 	lxc.net.2.hwaddr = 4a:49:43:49:79:ff
 	lxc.net.2.ipv4.address = 10.2.3.6/24
 	lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297

doc/ko/lxc.sgml.in

@@ -755,7 +755,7 @@ rootfs
 	state change and exit. This is useful for scripting to
 	synchronize the launch of a container or the end. The
 	parameter is an ORed combination of different states. The
-	following example shows how to wait for a container if he went
+	following example shows how to wait for a container if they went
 	to the background.
 
 	<programlisting>

doc/lxc-user-nic.sgml.in

@@ -81,7 +81,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
     <para>
       It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
       to determine the number of interfaces which the calling user is allowed to
-      create, and which bridge he may attach them to.  It tracks the
+      create, and which bridge they may attach them to.  It tracks the
       number of interfaces each user has created using the file
       <filename>@LXC_USERNIC_DB@</filename>.  It ensures that the calling
       user is privileged over the network namespace to which the interface

doc/lxc.container.conf.sgml.in

@@ -1125,7 +1125,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
         the container at some <filename>path</filename>, and then mounts
         under <filename>path</filename>, then a TOCTTOU attack would be
         possible where the container user modifies a symbolic link under
-        his home directory at just the right time.
+        their home directory at just the right time.
       </para>
       <variablelist>
         <varlistentry>
@@ -3100,7 +3100,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
         lxc.net.1.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3596
         lxc.net.2.type = phys
         lxc.net.2.flags = up
-        lxc.net.2.link = dummy0
+        lxc.net.2.link = random0
         lxc.net.2.hwaddr = 4a:49:43:49:79:ff
         lxc.net.2.ipv4.address = 10.2.3.6/24
         lxc.net.2.ipv6.address = 2003:db8:1:0:214:1234:fe0b:3297

src/lxc/attach.c

@@ -997,7 +997,7 @@ static char *lxc_attach_getpwshell(uid_t uid)
 		if (!token)
 			continue;
 
-		/* next: dummy password field */
+		/* next: placeholder password field */
 		token = strtok_r(NULL, ":", &saveptr);
 		if (!token)
 			continue;
@@ -1009,7 +1009,7 @@ static char *lxc_attach_getpwshell(uid_t uid)
 		    value == LONG_MAX)
 			continue;
 
-		/* dummy sanity check: user id matches */
+		/* placeholder conherence check: user id matches */
 		if ((uid_t)value != uid)
 			continue;
 
@@ -1464,7 +1464,7 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
 	 * just fork()s away without exec'ing directly after, the socket fd will
 	 * exist in the forked process from the other thread and any close() in
 	 * our own child process will not really cause the socket to close
-	 * properly, potentially causing the parent to hang.
+	 * properly, potentially causing the parent to get stuck.
 	 *
 	 * For this reason, while IPC is still active, we have to use shutdown()
 	 * if the child exits prematurely in order to signal that the socket is

src/lxc/cgroups/cgfsng.c

@@ -1910,7 +1910,7 @@ __cgfsng_ops static bool cgfsng_criu_get_hierarchies(struct cgroup_ops *ops,
 	if (!ops->hierarchies)
 		return ret_set_errno(false, ENOENT);
 
-	/* sanity check n */
+	/* consistency check n */
 	for (i = 0; i < n; i++)
 		if (!ops->hierarchies[i])
 			return ret_set_errno(false, ENOENT);

src/lxc/cgroups/cgroup2_devices.c

@@ -528,7 +528,7 @@ int bpf_list_add_device(struct bpf_devices *bpf_devices,
 bool bpf_devices_cgroup_supported(void)
 {
 	__do_bpf_program_free struct bpf_program *prog = NULL;
-	const struct bpf_insn dummy[] = {
+	const struct bpf_insn insn[] = {
 		BPF_MOV64_IMM(BPF_REG_0, 1),
 		BPF_EXIT_INSN(),
 	};
@@ -546,7 +546,7 @@ bool bpf_devices_cgroup_supported(void)
 	if (ret)
 		return log_error_errno(false, ENOMEM, "Failed to initialize bpf program");
 
-	ret = bpf_program_add_instructions(prog, dummy, ARRAY_SIZE(dummy));
+	ret = bpf_program_add_instructions(prog, insn, ARRAY_SIZE(insn));
 	if (ret < 0)
 		return log_trace(false, "Failed to add new instructions to bpf device cgroup program");
 

src/lxc/conf.c

@@ -1722,11 +1722,11 @@ static int lxc_setup_devpts_child(struct lxc_handler *handler)
 		DEBUG("Removed existing \"/dev/ptmx\" file");
 	}
 
-	/* Create dummy /dev/ptmx file as bind mountpoint for /dev/pts/ptmx. */
+	/* Create placeholder /dev/ptmx file as bind mountpoint for /dev/pts/ptmx. */
 	ret = mknodat(rootfs->dfd_dev, "ptmx", S_IFREG | 0000, 0);
 	if (ret < 0 && errno != EEXIST)
-		return log_error_errno(-1, errno, "Failed to create dummy \"/dev/ptmx\" file as bind mount target");
-	DEBUG("Created dummy \"/dev/ptmx\" file as bind mount target");
+		return log_error_errno(-1, errno, "Failed to create \"/dev/ptmx\" file as bind mount target");
+	DEBUG("Created \"/dev/ptmx\" file as bind mount target");
 
 	/* Fallback option: create symlink /dev/ptmx -> /dev/pts/ptmx  */
 	ret = mount("/dev/pts/ptmx", "/dev/ptmx", NULL, MS_BIND, NULL);
@@ -1736,7 +1736,7 @@ static int lxc_setup_devpts_child(struct lxc_handler *handler)
 		/* Fallthrough and try to create a symlink. */
 		ERROR("Failed to bind mount \"/dev/pts/ptmx\" to \"/dev/ptmx\"");
 
-	/* Remove the dummy /dev/ptmx file we created above. */
+	/* Remove the placeholder /dev/ptmx file we created above. */
 	ret = unlinkat(rootfs->dfd_dev, "ptmx", 0);
 	if (ret < 0)
 		return log_error_errno(-1, errno, "Failed to remove existing \"/dev/ptmx\"");
@@ -3411,7 +3411,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
 	}
 
 	/* Check if we really need to use newuidmap and newgidmap.
-	* If the user is only remapping his own {g,u}id, we don't need it.
+	* If the user is only remapping their own {g,u}id, we don't need it.
 	*/
 	if (use_shadow && lxc_list_len(idmap) == 2) {
 		use_shadow = false;
@@ -3761,7 +3761,7 @@ static int lxc_execute_bind_init(struct lxc_handler *handler)
 	if (!file_exists(destpath)) {
 		ret = mknod(destpath, S_IFREG | 0000, 0);
 		if (ret < 0 && errno != EEXIST)
-			return log_error_errno(-1, errno, "Failed to create dummy \"%s\" file as bind mount target", destpath);
+			return log_error_errno(-1, errno, "Failed to create \"%s\" file as bind mount target", destpath);
 	}
 
 	ret = safe_mount(path, destpath, "none", MS_BIND, NULL, conf->rootfs.mount);

src/lxc/ringbuf.c

@@ -95,7 +95,7 @@ int lxc_ringbuf_write(struct lxc_ringbuf *buf, const char *msg, size_t len)
 	char *w_addr;
 	uint64_t free;
 
-	/* sanity check: a write should never exceed the ringbuffer's total size */
+	/* consistency check: a write should never exceed the ringbuffer's total size */
 	if (len > buf->size)
 		return -EFBIG;
 

src/lxc/seccomp.c

@@ -1513,7 +1513,7 @@ retry:
 	}
 
 	if (resp->id != req_id) {
-		ERROR("Proxy returned response with illegal id(%llu) != id(%llu)",
+		ERROR("Proxy returned response with invalid id(%llu) != id(%llu)",
 		      (long long unsigned int)resp->id, (long long unsigned int)req_id);
 		resp->id = req_id;
 		seccomp_notify_default_answer(fd, req, resp, hdlr);
@@ -1528,7 +1528,7 @@ retry:
 	}
 
 	if (resp->id != req_id) {
-		ERROR("Proxy returned response with illegal id(%llu) != id(%llu)",
+		ERROR("Proxy returned response with invalid id(%llu) != id(%llu)",
 		      (long long unsigned int)resp->id, (long long unsigned int)req_id);
 		resp->id = req_id;
 	}

src/lxc/start.c

@@ -1537,9 +1537,9 @@ int resolve_clone_flags(struct lxc_handler *handler)
  * newer glibc versions where the getpid() cache is removed and the pid/tid is
  * not reset anymore.
  * However, if for whatever reason you - dear committer - somehow need to get the
- * pid of the dummy intermediate process for do_share_ns() you need to call
- * lxc_raw_getpid(). The next lxc_raw_clone() call does not employ CLONE_VM and
- * will be fine.
+ * pid of the placeholder intermediate process for do_share_ns() you need to
+ * call lxc_raw_getpid(). The next lxc_raw_clone() call does not employ
+ * CLONE_VM and will be fine.
  */
 static inline int do_share_ns(void *arg)
 {

src/lxc/terminal.c

@@ -251,7 +251,7 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf,
 		/* This isn't a regular file. so rotating the file seems a
 		 * dangerous thing to do, size limits are also very
 		 * questionable. Let's not risk anything and tell the user that
-		 * he's requesting us to do weird stuff.
+		 * they're requesting us to do weird stuff.
 		 */
 		if (terminal->log_rotate > 0 || terminal->log_size > 0)
 			return -EINVAL;

src/lxc/tools/lxc_ls.c

@@ -198,7 +198,7 @@ int main(int argc, char *argv[])
 
 	/*
 	 * The lxc parser requires that my_args.name is set. So let's satisfy
-	 * that condition by setting a dummy name which is never used.
+	 * that condition by setting a placeholder name which is never used.
 	 */
 	my_args.name  = "";
 	if (lxc_arguments_parse(&my_args, argc, argv))

src/tests/api_reboot.c

@@ -109,7 +109,7 @@ int main(int argc, char *argv[])
 	/* reboot 10 times */
 	for (i = 0; i < 10; i++) {
 		/* Give the init system some time to setup it's signal handlers
-		 * otherwise we will hang indefinitely.
+		 * otherwise we will wait indefinitely.
 		 */
 		sleep(5);
 
@@ -126,7 +126,7 @@ int main(int argc, char *argv[])
 	}
 
 	/* Give the init system some time to setup it's signal handlers
-	 * otherwise we will hang indefinitely.
+	 * otherwise we will wait indefinitely.
 	 */
 	sleep(5);
 

src/tests/lxc-test-unpriv

@@ -42,7 +42,7 @@ if modprobe -q overlayfs; then
         mkdir ${MOUNTDIR}/{lowerdir,upperdir,workdir,overlayfs}
         mount -t overlayfs -o lowerdir="${MOUNTDIR}/lowerdir",upperdir="${MOUNTDIR}/upperdir",workdir="${MOUNTDIR}/workdir" none "${MOUNTDIR}/overlayfs"
 
-        CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/dummy_file"
+        CORRECT_LINK_TARGET="${MOUNTDIR}/overlayfs/placeholder_file"
         exec 9> "${CORRECT_LINK_TARGET}"
 
         DETECTED_LINK_TARGET=$(readlink -q /proc/$$/fd/9)