Prevent privileged containers from messing with the host's pci devices
directly.  Refuse access under /proc/bus, and drop cap_sys_rawio.  Some
containers may need to re-enable cap_sys_rawio (i.e. if they run an
X server).

It may be desirable to break some of this stuff into files which can be
separately included (or not included), but this patch isn't the right
place for that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

2016 03 15/nest

we're having it inserted in every config by the lxcapi_create
itself.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

build: fix build on android (and ppc)

The problem here is that dev_t on most platforms is `long unsigned`, but on
android (and ppc?) it's `long long unsigned`. Let's just upcast to `long
long unsigned` and use that format string to keep the compilers happy.

Safety first!
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Dont require dev console none

There are a few things going on in this patch.

1. /dev/console is an external mount since it is bind mounted from the
   host. However, we don't want to use criu's --ext-mount-map auto handling
   here, because that will bind mount exactly the same path from the host
   on restore, but if the pts device is different on the target host, we'll
   bind mount the wrong one, which is obviously wrong.

2. We need to tell CRIU how to restore the TTY. Since we declare the tty as
   --external, we need to provide it via --inherit-fd (even though we've
   already fixed up the environment).
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Various other functions/structures are now only used in criu.c, so let's
hide stuff there so as not to pollute headers.

This commit also bumps the required CRIU versions to 2.0. While we don't
*require* any features that aren't in 1.8 patchlevel 21 or above, 2.0 is a
vast improvement, and so we should use that instead.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgfsng: chmod the tasks and procns files

remove the hierarchy if the fullcgpath is NOT null.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
 Changelog - stgraber points out s/chgrp/chmod and wrong perms

cgfsng: get_cgroup_path: return the cgroup path not full mounted path

Add a temporary workaround for talking to containers started with the
buggy monitor.  We can remove it sometime after 2.0 release.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Cgfsng fixes

cgroup_escape() is a slight abuse of the cgroup code: what we really want
here is to escape the *current* process, whether it happens to be the LXC
monitor or not, into the / cgroups.

In the case of dump, we can't do an lxc_init(), because:

lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:993 - ##
lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:994 - # The container appears to be already running!
lxc 20160310103501.547 ERROR    lxc_commands - commands.c:lxc_cmd_init:995 - ##

We don't want to make this a command to send to the handler, because again,
cgroup_escape() is intended to escape the *current* task to the root
cgroups.

So, let's just have cgroup_escape() build its own handler when required.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

This is no longer needed outside of criu.c with the ->migrate API call, so
let's mark it that way.
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>

lxc-attach: update and improve tests

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

2016 03 08/batch

Our mkdir_p ignore eexist, and of course we want that for
upper path components, but the final directory itself must
not already exist.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

read_file was using the wrong value for the string length.  Also,
realloc on i386 is wonky with small sizes - so use a batch size
to avoid small reallocs.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

tests: set clone_children if need be

Lxc only sets it on /lxc, not on /.

It's conceivable that we should really re-set this to the original
value, to prevent making later tests not fail when they should.  I
didn't do that.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

cgfsng: set cpuset clone_children if needed

Sigh.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

cgfsng: enter/escape error msgs: differentiate and add errno

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Remove trailing newlines in log

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

prevent containers from reading /sys/kernel/debug

Unprivileged containers cannot read it anyway, but also prevent root
owned containers from doing so.  Sadly upstart's mountall won't run
if we try to prevent it from being mounted at all.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

cgfsng: next generation filesystem-backed cgroup implementation

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>