Otherwise musl's getmntent_r() parser will fail.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Since liblxc is completely in control of the mount entry file we should
only consider a parse successful when EOF is reached.

Closes #2798.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Add template-options to help output

Avoid hardcoded string length

Use strlen() on "state" variable instead of harcoded
value 6.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Avoid risk of "too far memory read"

Avoid double lxc-freeze/unfreeze

As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Update freezer.c

If we call lxc-freeze multiple times for an already frozen container, LXC
triggers useless freezing by writing into the "freezer.state" cgroup file.
This is the same when we call lxc-unfreeze multiple times.
Checking the current state with a LXC_CMD_GET_STATE
(calling c->state) would permit to check if the container is FROZEN
or not.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Suppressed hard coded values for state and array's maximum index.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>

Revert "seccomp: add rules for specified architecture only"

This reverts commit f1bcfc79.

The reverted branch breaks starting all seccomp confined containers. Not
even a containers with our standard seccomp profile starts correctly.
This is strong evidence that these changes have never been tested even
with a standard workload. That is unacceptable!

We are still happy to merge that feature but going forward we want tests
that verify that standard workloads and new features work correctly.
seccomp is a crucial part of our security story and I will not let the
be compromised by missing tests!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

seccomp: add rules for specified architecture only 

If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.

1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: LiFeng <lifeng68@huawei.com>

Fixing hooks functionality Android where 'sh' is placed under /system

Handle alternative loop device location on Android

Signed-off-by: ondra <ondrak@localhost.localdomain>

Signed-off-by: ondra <ondrak@localhost.localdomain>

conf.c: fix memory leak and mount error

Fix memory leak in cgroup_exit

Add free memory pointed by struct cgroup_ops *ops
Signed-off-by: LiFeng <lifeng68@huawei.com>

1. cleanup namespace memory
2. fix bug when ro mount not setted, mount propagation will be skipped.
Signed-off-by: t00416110 <tanyifeng1@huawei.com>

start: __lxc_start return -1 when start fails

Signed-off-by: LiFeng <lifeng68@huawei.com>

network: prefix veth interface name with uid info

Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: handle missing CLONE_NEWCGROUP

If cgroup namespaces are not supported we should just record it in the
log and move on.

Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: try to handle layouts with no cgroups

Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

Fixing compile error when compiling for android

Signed-off-by: Ondrej Kubik <ondrej.kubik@canonical.com>

trivial fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' char

fix: unprivileged veth devices (e.g. vethFWABHX) never contain 'Z' character in the randomly generated device name part because for modulo one does not need to substract 1 from strlen().
Signed-off-by: Hajo Noerenberg <hajo-github@noerenberg.de>

terminal: remove sigwinch command

storage: do not destroy pre-existing rootfs

cgfsng: do not free container_full_path on error

lxccontainer: fix container copy

confile: add lxc.seccomp.allow_nesting