seccomp: fixes

Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Suggested-by: Jann Horn <jann@thejh.net>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity fixes

to avoid liblxc stumbling over an smaller struct passed in from an older
liblxc. In the future we should version by size but this requires a new
attach2().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1465853
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1465854
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1465855
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1465657
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lxc-attach: Enable setting the SELinux context

cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination

seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing

tests: Fix compilation with appamor enabled.

lxccontainer: fix lxc_config_item_is_supported

Enable lxc-attach to set the SELinux context that the user will end up
in when attaching to a container (This can be used to overwrite the
context set in the config file). If the option is not used, behavior
will be as before
Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Use exact match instead of longest prefix match
to check whether a config item is supported.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor,
because the monitor process may still be a member of either of these cgroups.
The pivot cgroup should not be a member (subpath) of any other container cgroup (dir).
because only empty cgroups can be removed.
Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2

Update for commit b87ed83bSigned-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>

conf: account for early return when sending devpts fd

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

conf: always send response to parent waiting for devptfs_fd

When no devpts devices are requested we used to return early but did not send a
response to the parent. This is a problem because the parent will be waiting
for a devpts fd to be sent. Make sure to always send a response.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

startup fixes

Closes: #3549.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: fix compilation on powerpc

Link: https://launchpadlibrarian.net/502200189/buildlog_snap_ubuntu_bionic_ppc64el_lxd-latest-edge_BUILDING.txt.gzSigned-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: bugfixes

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: Check if syscall is supported on compat architecture.

Signed-off-by: Ruben Jenster <r.jenster@drachenfels.de>

Remove obsolete setting regarding the Standard Output

The Standard output type "syslog" is obsolete, causing a warning since systemd
version 246 [1].

Please consider using "journal" or "journal+console"

[1] https://github.com/systemd/systemd/blob/master/NEWS#L202Signed-off-by: Mingli Yu <mingli.yu@windriver.com>

lxc-usernsexec: setgroups() similar to other places shouldn't fail on…