The problem here is that lxc-init runs *inside* the container. So if a
person has the log file set to /home/$USER/foo, lxc-init ends up making a
directory /home/$USER/foo inside the container to put the log file in. What
we really want are the logs to be propagated from inside the container to
the outside. We accomplish this by passing an fd without O_CLOEXEC, and
telling lxc-init to log to that file.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>

Use after free
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

coverity

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

There's no need to do string comparisons.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

If they aren't available fallback to BSD flock()s.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Argument cannot be negative
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unchecked return value
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Resource leak
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Resource leak
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unchecked return value
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Time of check time of use
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unchecked return value
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Unused value
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Logically dead code
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

do_lxcapi_create: set umask

Fix tool_utils.c build when HAVE_SETNS is unset

Add inline setns() function to tool_utils.h. Without it
tool_utils.c can't be build when HAVE_SETNS is unset.
Signed-off-by: Serj Kalichev <serj.kalichev@gmail.com>

Fix memory leak in list_active_containers

Signed-off-by: LiFeng <lifeng68@huawei.com>

Signed-off-by: LiFeng <lifeng68@huawei.com>

Fix the memory leak in cgfsng_attach

Also pass action scripts to CRIU on checkpointing

Signed-off-by: Daniel Selifonov <ds@thyth.com>

pam-cgfs: ignore the system umask when creating the cgroup hierarchy

Fixes: #2277
Signed-off-by: Jonathan Calmels <jcalmels@nvidia.com>

lxc/tools/lxc_monitor: include missing <stddef.h>

lxc_monitor.c uses offsetof(), so it should include
<stddef.h>. Otherwise the build fails with the musl C library:

tools/lxc_monitor.c: In function ‘lxc_abstract_unix_connect’:
tools/lxc_monitor.c:324:9: warning: implicit declaration of function ‘offsetof’ [-Wimplicit-function-declaration]
         offsetof(struct sockaddr_un, sun_path) + len + 1);
         ^~~~~~~~
tools/lxc_monitor.c:324:18: error: expected expression before ‘struct’
         offsetof(struct sockaddr_un, sun_path) + len + 1);
                  ^~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

lxc-oci: mkdir the download directory

Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

seccomp: handle arch inversion - The Architecture Strikes Back

LXC generates and loads the seccomp-bpf filter in the host/container which
spawn the new container. In other words, userspace N is responsible for
generating and loading the seccomp-bpf filter which restricts userspace N + 1.
Assume 64bit kernel and 32bit userspace running a 64bit container. In this case
the 32-bit x86 userspace is used to create a seccomp-bpf filter for a 64-bit
userspace. Unless one explicitly adds the 64-bit ABI to the libseccomp filter,
or adjusts the default behavior for "BAD_ARCH", *all* 64-bit x86 syscalls will
be blocked.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Paul Moore <paul@paul-moore.com>