seccomp: add rules for specified architecture only 

If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.

1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: LiFeng <lifeng68@huawei.com>

Fixing hooks functionality Android where 'sh' is placed under /system

Handle alternative loop device location on Android

Signed-off-by: ondra <ondrak@localhost.localdomain>

Signed-off-by: ondra <ondrak@localhost.localdomain>

conf.c: fix memory leak and mount error

Fix memory leak in cgroup_exit

Add free memory pointed by struct cgroup_ops *ops
Signed-off-by: LiFeng <lifeng68@huawei.com>

1. cleanup namespace memory
2. fix bug when ro mount not setted, mount propagation will be skipped.
Signed-off-by: t00416110 <tanyifeng1@huawei.com>

start: __lxc_start return -1 when start fails

Signed-off-by: LiFeng <lifeng68@huawei.com>

network: prefix veth interface name with uid info

Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: handle missing CLONE_NEWCGROUP

If cgroup namespaces are not supported we should just record it in the
log and move on.

Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: try to handle layouts with no cgroups

Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixing compile error when compiling for android

Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>

trivial fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' char

fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to substract 1 from strlen().
Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>

terminal: remove sigwinch command

storage: do not destroy pre-existing rootfs

cgfsng: do not free container_full_path on error

lxccontainer: fix container copy

confile: add lxc.seccomp.allow_nesting

Closes #2741.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This adds the lxc.seccomp.allow_nesting api extension. If
lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be
stacked. This way nested containers can load their own seccomp policy on
top of the policy that the outer container might have applied.

Cc: Simon Fels <simon.fels@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

We need to strip the prefix from the container's source path before
trying to update the file.

Closes #2380.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Revert "Set c to NULL after freeing it"

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>

conf: use SYSERROR on lxc_write_to_file errors

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Set c to NULL after freeing it

Signed-off-by: S.Çağlar Onur <caglar@10ur.org>

lxccontainer: fix mount api (mount_injection_file)

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Closes #2752.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>