Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

So far, we opened a file descriptor refering to proc on the host inside the
host namespace and handed that fd to the attached process in
attach_child_main(). This was done to ensure that LSM labels were correctly
setup. However, by exploiting a potential kernel bug, ptrace could be used to
prevent the file descriptor from being closed which in turn could be used by an
unprivileged container to gain access to the host namespace. Aside from this
needing an upstream kernel fix, we should make sure that we don't pass the fd
for proc itself to the attached process. However, we cannot completely prevent
this, as the attached process needs to be able to change its apparmor profile
by writing to /proc/self/attr/exec or /proc/self/attr/current. To minimize the
attack surface, we only send the fd for /proc/self/attr/exec or
/proc/self/attr/current to the attached process. To do this we introduce a
little more IPC between the child and parent:

	 * IPC mechanism: (X is receiver)
	 *   initial process        intermediate          attached
	 *        X           <---  send pid of
	 *                          attached proc,
	 *                          then exit
	 *    send 0 ------------------------------------>    X
	 *                                              [do initialization]
	 *        X  <------------------------------------  send 1
	 *   [add to cgroup, ...]
	 *    send 2 ------------------------------------>    X
	 *						[set LXC_ATTACH_NO_NEW_PRIVS]
	 *        X  <------------------------------------  send 3
	 *   [open LSM label fd]
	 *    send 4 ------------------------------------>    X
	 *   						[set LSM label]
	 *   close socket                                 close socket
	 *                                                run program

The attached child tells the parent when it is ready to have its LSM labels set
up. The parent then opens an approriate fd for the child PID to
/proc/<pid>/attr/exec or /proc/<pid>/attr/current and sends it via SCM_RIGHTS
to the child. The child can then set its LSM laben. Both sides then close the
socket fds and the child execs the requested process.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Configure a static MAC address on the LXC bridge

Signed-off-by: Cam Cope <cam@dropbox.com>

tools: replace non-standard namespace identifiers

tests: remove overflow tests

They do not behave correctly on some architectures, so let's remove them for
now and come up with better ones later.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The identifiers for namespaces used with lxc-unshare and lxc-attach as given on
the manpage do not align with the standard identifiers. This affects network,
mount, and uts namespaces. The standard identifiers are: "mnt", "uts", and
"net" whereas lxc-unshare and lxc-attach use "MOUNT", "UTSNAME", and "NETWORK".
I'm weary to hack this into namespace.{c.h} by e.g. adding additional members
to the ns_info struct or to special case this in lxc_fill_namespace_flags().
Internally, we should only accept standard identifiers to ensure that we are
always correctly aligned with the kernel. So let's use some cheap memmove()s to
replace them by their standard identifiers in lxc-unshare and lxc-attach.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

remove atoi

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

This function safely parses an unsigned integer. On success it returns 0 and
stores the unsigned integer in @converted. On error it returns a negative
errno.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>

cgroup: improve isolcpus handling

If the file "/sys/devices/system/cpu/isolated" doesn't exist, we can't just
simply bail. We still need to check whether we need to copy the parents cpu
settings.
Signed-off-by: Christian Brauner <christian.brauner@canonical.com>