The test executes lxc-usernsexec to create some files and chmod them.
Then makes assertions on the uid and gid of those files from outside.
Signed-off-by: Scott Moser <smoser@brickies.net>

Somehow it's documented but wasn't ever added.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

When a newer lxc library communicates with an older one
(such as running an lxc 4.0 lxc-freeze on a longer running
container which was started while lxc was still at version
3), the LXC_CMD_GET_LIMITING_CGROUP command is not
available, causing the remote to just close the socket.
Catch this and try the previous command instead.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Otherwise we cannot use an 'a' entry in devices.deny/allow
as these are not permitted once a subdirectory was created.

Without isolation we initialize the devices cgroup
particularly late, so there are probably cases which cannot
work with isolation.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This is a new approach to #1302 with a container-side
configuration instead of a global boolean flag.

Contrary to the previous PR using an optional additional
parameter for the get-cgroup command, this introduces two
new additional commands to get the limiting cgroup path and
cgroup2 file descriptor. If the limiting option is not in
use, these behave identical to their full-path counterparts.

If these variables are used the payload will end up in the
concatenation of lxc.cgroup.dir.container and
lxc.cgroup.dir.container.inner (which may be empty), and the
monitor will end up in lxc.cgruop.dir.monitor. The
directories are fixed, no retry count logic is applied,
failing to create these directories will simply be a hard
error.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

We can fail to setgroups() when "deny" has been set which we need to set when
we are a fully unprivileged user.

Closes: 3420.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: https://lists.linuxcontainers.org/pipermail/lxc-users/2020-May/015245.htmlSigned-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

I introduced a regression: when users didn't specify a specific name via
lxc.net.<idx>.name then the device would retain the random name it received
when we created it. Before we would use the "eth%d" syntax to get the kernel to
assign a fixed name. Restore that behavior.

Closes: #3407.
Fixes: 8bf64b77 ("network: rework network device creation")
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

No more weird api quirks between architectures and cool new features.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

EPOLLIN will always be true and therefore end up
busy-looping
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

in order to be able to listen for EPOLLPRI
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This will be the central place for all process management helpers. This also
removes raw_syscalls.{c,h}.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

They are offset by 1024.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

otherwise weird things might happen.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Disable and enable syslog around lxc_check_inherited().
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

We need to make sure we don't overwrite values when they have already been set.

Closes: #3405.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

which will allow us to catch more oob accesses.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixes: Coverity 1461742.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

This depends on the new mount api.

Closes #3164.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

to avoid the overhead of calling to lxc-usernsexec whenever we can.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>