Merge pull request #3748 from brauner/2021-03-29/fixes

fixes & config key validation

Merge pull request #3748 from brauner/2021-03-29/fixes
be43adcd · Stéphane Graber · GitHub · cc19bc54 · ea60ca95 · be43adcd
Unverified Commit be43adcd authored Mar 29, 2021 by Stéphane Graber Committed by GitHub Mar 29, 2021
11 changed files
--- a/configure.ac
+++ b/configure.ac
@@ -629,7 +629,7 @@ AC_CHECK_DECLS([PR_SET_NO_NEW_PRIVS], [], [], [#include <sys/prctl.h>])
 AC_CHECK_DECLS([PR_GET_NO_NEW_PRIVS], [], [], [#include <sys/prctl.h>])
 # Check for some headers
-AC_CHECK_HEADERS([pty.h sys/memfd.h sys/personality.h sys/resource.h sys/signalfd.h sys/timerfd.h utmpx.h])
+AC_CHECK_HEADERS([pty.h sys/memfd.h sys/personality.h sys/resource.h sys/signalfd.h sys/timerfd.h utmpx.h threads.h])
 AC_CHECK_HEADER([ifaddrs.h],
 	AM_CONDITIONAL(HAVE_IFADDRS_H, true)

--- a/src/lxc/compiler.h
+++ b/src/lxc/compiler.h
@@ -12,14 +12,23 @@
 #include "config.h"
-#ifndef thread_local
+#if defined(HAVE_THREADS_H)
-#if __STDC_VERSION__ >= 201112L &&    \
+	#include <threads.h>
-    !(defined(__STDC_NO_THREADS__) || \
+	#define THREAD_LOCAL_STORAGE_SUPPORTED
-      (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
+#elif defined(thread_local)
-#define thread_local _Thread_local
+	#define THREAD_LOCAL_STORAGE_SUPPORTED
 #else
-#define thread_local __thread
+	#if __STDC_VERSION__ >= 201112L &&    \
-#endif
+	    !(defined(__STDC_NO_THREADS__) || \
+	      (defined(__GNU_LIBRARY__) && __GLIBC__ == 2 && __GLIBC_MINOR__ < 16))
+		#define thread_local _Thread_local
+		#define THREAD_LOCAL_STORAGE_SUPPORTED
+	#else
+		#define thread_local __thread
+		#define THREAD_LOCAL_STORAGE_SUPPORTED
+	#endif
 #endif
 #if __GNUC__ >= 7

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -36,6 +36,7 @@
 #include "af_unix.h"
 #include "caps.h"
 #include "cgroups/cgroup.h"
+#include "compiler.h"
 #include "conf.h"
 #include "config.h"
 #include "confile.h"
@@ -99,11 +100,14 @@
 lxc_log_define(conf, lxc);
-/* The lxc_conf of the container currently being worked on in an API call.
+/*
+ * The lxc_conf of the container currently being worked on in an API call.
 * This is used in the error calls.
 */
-#ifdef HAVE_TLS
+#if defined(THREAD_LOCAL_STORAGE_SUPPORTED)
 thread_local struct lxc_conf *current_config;
+#elif defined(ENFORCE_THREAD_SAFETY)
+#error ENFORCE_THREAD_SAFETY was set but cannot be guaranteed due to missing TLS
 #else
 struct lxc_conf *current_config;
 #endif

--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -474,10 +474,12 @@ struct lxc_conf {
 __hidden extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, size_t buf_size)
    __access_r(3, 4);
-#ifdef HAVE_TLS
+#if defined(THREAD_LOCAL_STORAGE_SUPPORTED)
 extern thread_local struct lxc_conf *current_config;
+#elif defined(ENFORCE_THREAD_SAFETY)
+#error ENFORCE_THREAD_SAFETY was set but cannot be guaranteed due to missing TLS
 #else
-extern struct lxc_conf *current_config;
+struct lxc_conf *current_config;
 #endif
 __hidden extern int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf, char *argv[]);

--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
--- a/src/lxc/confile.h
+++ b/src/lxc/confile.h
@@ -34,6 +34,7 @@ typedef int (*config_clr_cb)(const char *key, struct lxc_conf *conf,
 struct lxc_config_t {
 	char *name;
+	bool strict;
 	config_set_cb set;
 	config_get_cb get;
 	config_clr_cb clr;

--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -403,26 +403,29 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf)
 	}
 }
-static void lxc_free_netdev(struct lxc_netdev *netdev)
+void lxc_clear_netdev(struct lxc_netdev *netdev)
 {
 	struct lxc_list *cur, *next;
+	ssize_t idx;
 	if (!netdev)
 		return;
-	free(netdev->upscript);
+	idx = netdev->idx;
-	free(netdev->downscript);
-	free(netdev->hwaddr);
+	free_disarm(netdev->upscript);
-	free(netdev->mtu);
+	free_disarm(netdev->downscript);
+	free_disarm(netdev->hwaddr);
+	free_disarm(netdev->mtu);
-	free(netdev->ipv4_gateway);
+	free_disarm(netdev->ipv4_gateway);
 	lxc_list_for_each_safe(cur, &netdev->ipv4, next) {
 		lxc_list_del(cur);
 		free(cur->elem);
 		free(cur);
 	}
-	free(netdev->ipv6_gateway);
+	free_disarm(netdev->ipv6_gateway);
 	lxc_list_for_each_safe(cur, &netdev->ipv6, next) {
 		lxc_list_del(cur);
 		free(cur->elem);
@@ -448,7 +451,19 @@ static void lxc_free_netdev(struct lxc_netdev *netdev)
 		}
 	}
-	free(netdev);
+	memset(netdev, 0, sizeof(struct lxc_netdev));
+	lxc_list_init(&netdev->ipv4);
+	lxc_list_init(&netdev->ipv6);
+	netdev->type = -1;
+	netdev->idx = idx;
+}
+static void lxc_free_netdev(struct lxc_netdev *netdev)
+{
+	if (netdev) {
+		lxc_clear_netdev(netdev);
+		free(netdev);
+	}
 }
 bool lxc_remove_nic_by_idx(struct lxc_conf *conf, unsigned int idx)

--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -37,6 +37,7 @@ __hidden extern struct lxc_netdev *lxc_get_netdev_by_idx(struct lxc_conf *conf, 
 __hidden extern void lxc_log_configured_netdevs(const struct lxc_conf *conf);
 __hidden extern bool lxc_remove_nic_by_idx(struct lxc_conf *conf, unsigned int idx);
 __hidden extern void lxc_free_networks(struct lxc_list *networks);
+__hidden extern void lxc_clear_netdev(struct lxc_netdev *netdev);
 __hidden extern int lxc_veth_mode_to_flag(int *mode, const char *value);
 __hidden extern char *lxc_veth_flag_to_mode(int mode);
 __hidden extern int lxc_macvlan_mode_to_flag(int *mode, const char *value);

--- a/src/lxc/initutils.c
+++ b/src/lxc/initutils.c
@@ -54,8 +54,10 @@ const char *lxc_global_config_value(const char *option_name)
 	};
 	/* placed in the thread local storage pool for non-bionic targets */
-#ifdef HAVE_TLS
+#if defined(THREAD_LOCAL_STORAGE_SUPPORTED)
 	static thread_local const char *values[sizeof(options) / sizeof(options[0])] = {0};
+#elif defined(ENFORCE_THREAD_SAFETY)
+	#error ENFORCE_THREAD_SAFETY was set but cannot be guaranteed due to missing TLS
 #else
 	static const char *values[sizeof(options) / sizeof(options[0])] = {0};
 #endif

--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2315,6 +2315,9 @@ static bool add_to_clist(struct lxc_container ***list, struct lxc_container *c,
 static char** get_from_array(char ***names, char *cname, int size)
 {
+	if (!*names)
+		return NULL;
 	return (char **)bsearch(&cname, *names, size, sizeof(char *), (int (*)(const void *, const void *))string_cmp);
 }

--- a/src/tests/parse_config_file.c
+++ b/src/tests/parse_config_file.c
@@ -877,15 +877,13 @@ int main(int argc, char *argv[])
 		goto non_test_error;
 	}
-	ret = set_get_compare_clear_save_load(c, "lxc.hook.version", "2", tmpf, true);
+	if (c->set_config_item(c, "lxc.hook.version", "2")) {
-	if (ret == 0) {
+		lxc_error("%s\n", "Managed to set to set invalid config item \"lxc.hook.version\" to \"2\"");
-		lxc_error("%s\n", "lxc.hook.version");
 		goto non_test_error;
 	}
-	ret = set_get_compare_clear_save_load(c, "lxc.monitor.signal.pdeath", "SIGKILL", tmpf, true);
+	if (!c->set_config_item(c, "lxc.monitor.signal.pdeath", "SIGKILL")) {
-	if (ret == 0) {
+		lxc_error("%s\n", "Failed to set to set invalid config item \"lxc.monitor.signal.pdeath\" to \"SIGKILL\"");
-		lxc_error("%s\n", "lxc.hook.version");
 		goto non_test_error;
 	}
@@ -904,6 +902,11 @@ int main(int argc, char *argv[])
 		return -1;
 	}
+	if (c->set_config_item(c, "lxc.hook.versionasdfsadfsadf", "1")) {
+		lxc_error("%s\n", "Managed to set to set invalid config item \"lxc.hook.versionasdfsadfsadf\" to \"2\"");
+		goto non_test_error;
+	}
 	fret = EXIT_SUCCESS;
 non_test_error: