- 11 May, 2017 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 09 May, 2017 4 commits
-
-
Christian Brauner authored
In case the lxc command socket is hashed and the socket was created for a different path than the one we're currently querying, lxc_cmd_get_{lxcpath,name}() can return NULL. The command socket path is hashed when len(lxcpath) > sizeof(sun_path) - 2.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
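The hashing fallback and the NULL-returning lookup described in this commit, as an added example (not LXC's own code). The socket name layout ("\0<lxcpath>/<name>/command", with "\0lxc/<hash>/<name>/command" when the literal path does not fit into sun_path), the djb2 hash and the function names fill_sock_name(), sock_name_to_lxcpath() are assumptions of this example; only the rule that a too-long lxcpath is replaced by a hash comes from the commit message. The point is the second function: once the path has been hashed it cannot be recovered, so the lookup returns NULL and every caller has to check for that.

```c
#define _GNU_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* djb2 string hash. An illustrative stand-in: the project's own hash
 * function is not shown on this page. */
static uint64_t djb2(const char *s)
{
    uint64_t h = 5381;
    for (; *s; s++)
        h = h * 33 + (unsigned char)*s;
    return h;
}

/* Fill an abstract-namespace socket name for a container's command socket.
 * Layout "\0<lxcpath>/<name>/command" and the hashed fallback
 * "\0lxc/<hex hash of lxcpath>/<name>/command" are assumptions of this
 * example. sun_path[0] stays '\0' (abstract namespace) and snprintf() keeps
 * a byte for the terminating NUL, so the literal form only fits while
 * strlen(lxcpath) + strlen(name) + 9 <= sizeof(sun_path) - 2.
 * Returns 0 (literal path), 1 (hash substituted), -1 (nothing fits). */
int fill_sock_name(struct sockaddr_un *addr, const char *lxcpath, const char *name)
{
    size_t room = sizeof(addr->sun_path) - 1;   /* bytes after the leading NUL */
    char *dst = addr->sun_path + 1;
    int n;

    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;

    n = snprintf(dst, room, "%s/%s/command", lxcpath, name);
    if (n >= 0 && (size_t)n < room)
        return 0;

    n = snprintf(dst, room, "lxc/%016" PRIx64 "/%s/command", djb2(lxcpath), name);
    if (n < 0 || (size_t)n >= room)
        return -1;
    return 1;
}

/* Recover the lxcpath from a name filled by fill_sock_name(). Returns NULL
 * for the hashed form (the hash cannot be inverted) and for names that are
 * not command sockets, so callers must never dereference the result blindly.
 * Assumes lxcpath is absolute, which separates it from "lxc/<hash>/...".
 * `out` must hold at least sizeof(addr->sun_path) bytes. */
char *sock_name_to_lxcpath(const struct sockaddr_un *addr, char *out, size_t outlen)
{
    const char *p = addr->sun_path + 1;
    size_t plen = strnlen(p, sizeof(addr->sun_path) - 1);
    static const char suffix[] = "/command";
    size_t slen = sizeof(suffix) - 1;
    const char *end, *slash;

    if (p[0] != '/')
        return NULL;                                 /* hashed: unrecoverable */
    if (plen < slen || memcmp(p + plen - slen, suffix, slen) != 0)
        return NULL;                                 /* not a command socket */
    end = p + plen - slen;                           /* start of "/command" */
    slash = memrchr(p, '/', (size_t)(end - p));      /* start of "/<name>" */
    if (!slash || slash == p || (size_t)(slash - p) >= outlen)
        return NULL;
    memcpy(out, p, (size_t)(slash - p));
    out[slash - p] = '\0';
    return out;
}

int main(void)
{
    struct sockaddr_un addr;
    char path[sizeof(addr.sun_path)], longpath[200];
    const char *p;

    fill_sock_name(&addr, "/var/lib/lxc", "c1");
    p = sock_name_to_lxcpath(&addr, path, sizeof path);
    printf("short: %s -> %s\n", addr.sun_path + 1, p ? p : "(NULL)");

    memset(longpath, 'a', sizeof longpath - 1);      /* constructed over-long lxcpath */
    longpath[0] = '/';
    longpath[sizeof longpath - 1] = '\0';
    fill_sock_name(&addr, longpath, "c1");
    p = sock_name_to_lxcpath(&addr, path, sizeof path);
    printf("long:  %s -> %s\n", addr.sun_path + 1, p ? p : "(NULL)");
    return 0;
}
```

The 200-byte path exceeds the 108-byte sun_path on Linux, so the second name comes out as "lxc/<16 hex digits>/c1/command" and the reverse lookup yields NULL; a caller written like the pre-fix code, which assumed a non-NULL return, would dereference it.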
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
lxc_cmd_get_lxcpath() and lxc_cmd_get_name() both pass a nil pointer to fill_sock_name(). Make sure that they are not dereferenced.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 26 Apr, 2017 2 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 17 Apr, 2017 1 commit
-
-
Wolfgang Bumiller authored
These functions define a pointer to their key shifted by a number and guard access to it later via another variable. Let's make this more explicit (and additionally have the pointer be NULL in the case where it is not supposed to be used).

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
-
- 10 Apr, 2017 2 commits
-
-
Jakob Gillich authored
Signed-off-by: Jakob Gillich <jakob@gillich.me>
-
Denis Pynkin authored
Some "/sys" entries exceed the buffer size. This results in some statistics loss ('BlkIO' in particular):

    wc -c /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes
    318 /sys/fs/cgroup/blkio/lxc/alt/blkio.throttle.io_service_bytes

Signed-off-by: Denis Pynkin <dans@altlinux.org>
-
- 04 Apr, 2017 4 commits
-
-
Stéphane Graber authored
stable-1.0: backport fixes for CVE-2016-10124
-
Thomas Jarosch authored
Prevent an endless loop while executing lxc-attach in the background:

The kernel might fire SIGTTOU while an ioctl() in tcsetattr() is executed. When the ioctl() is resumed and retries, the signal handler interrupts it again.

We can't configure the TTY to stop sending the signals in the first place since that is a modification/write to the TTY already. Still we clear the TOSTOP flag to prevent further signals.

Command to reproduce the hang:
----------------------------
cat > lxc_hang.sh << EOF
/usr/bin/timeout 5s /usr/bin/lxc-attach -n SOMECONTAINER -- /bin/true
EOF

sh lxc_hang.sh # hangs
----------------------------

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
-
Christian Brauner authored
Previous versions of lxc-attach simply attached to the specified namespaces of a container and ran a shell or the specified command without first allocating a pseudo terminal. This made them vulnerable to input faking via a TIOCSTI ioctl call after switching between userspace execution contexts with different privilege levels.

Newer versions of lxc-attach will try to allocate a pseudo terminal master/slave pair on the host and attach any standard file descriptors which refer to a terminal to the slave side of the pseudo terminal before executing a shell or command. Note that if none of the standard file descriptors refer to a terminal lxc-attach will not try to allocate a pseudo terminal. Instead it will simply attach to the container's namespaces and run a shell or the specified command.

(This is a backport of a series of patches fixing CVE-2016-10124.)

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
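The input-faking primitive this commit defends against, as an added example (not lxc-attach's code): a child process takes a freshly allocated pty slave as its controlling terminal, pushes bytes into that terminal's input queue with TIOCSTI exactly as a process inside the container could, and reads them back as if a user had typed them. Function names, the result codes and the injected string "pwned" are this example's own. Because the pty here belongs to the demo, the injection only ever lands in that pty; that is the reason the fixed lxc-attach hands the attached process a slave it allocated itself rather than the host user's terminal, so a malicious container process can only fake input into a queue lxc-attach controls. TIOCSTI is refused with EPERM or EIO under a seccomp profile that blocks it (Docker's default profile does) or on a kernel with dev.tty.legacy_tiocsti=0, and the demo reports that case rather than treating it as a failure.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

enum { DEMO_SETUP_ERROR = -1, DEMO_REFUSED = -2 };

/* Allocate a pty pair; neither side becomes a controlling terminal yet. */
static int open_pty_pair(int *master, int *slave)
{
    int m = posix_openpt(O_RDWR | O_NOCTTY), s;
    const char *sname;

    if (m < 0)
        return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0 || !(sname = ptsname(m)) ||
        (s = open(sname, O_RDWR | O_NOCTTY)) < 0) {
        close(m);
        return -1;
    }
    *master = m;
    *slave = s;
    return 0;
}

/* Child side: claim `slave` as controlling tty, inject `text` via TIOCSTI and
 * read it back. Exit status: 0 ok (bytes written to `pipefd`), 2 TIOCSTI
 * refused (EPERM/EIO), 1 any other failure. */
static void inject_and_read(int slave, int pipefd, const char *text)
{
    struct termios t;
    struct pollfd pfd = { .fd = slave, .events = POLLIN };
    char buf[256];
    ssize_t n = 0;

    /* TIOCSTI is only permitted on the caller's own controlling terminal
     * (or with CAP_SYS_ADMIN): start a session and take the slave. */
    if (setsid() < 0 || ioctl(slave, TIOCSCTTY, 0) < 0)
        _exit(1);
    /* Raw mode so the injected bytes are readable without a newline. */
    if (tcgetattr(slave, &t) < 0)
        _exit(1);
    cfmakeraw(&t);
    if (tcsetattr(slave, TCSANOW, &t) < 0)
        _exit(1);
    for (; *text; text++)                    /* one byte per TIOCSTI call */
        if (ioctl(slave, TIOCSTI, text) < 0)
            _exit(errno == EPERM || errno == EIO ? 2 : 1);
    if (poll(&pfd, 1, 1000) > 0)             /* the "typed" input arrives here */
        n = read(slave, buf, sizeof buf);
    if (n > 0 && write(pipefd, buf, (size_t)n) != n)
        _exit(1);
    _exit(0);
}

/* Returns the number of injected bytes read back out of the slave (copied to
 * `out`), DEMO_REFUSED if TIOCSTI was rejected, or DEMO_SETUP_ERROR. */
int tiocsti_demo(const char *inject, char *out, size_t outlen)
{
    int master, slave, pipefd[2], status = 0;
    pid_t pid;
    ssize_t n;

    if (open_pty_pair(&master, &slave) < 0)
        return DEMO_SETUP_ERROR;
    if (pipe(pipefd) < 0) {
        close(master);
        close(slave);
        return DEMO_SETUP_ERROR;
    }
    pid = fork();
    if (pid == 0) {
        close(pipefd[0]);
        close(master);
        inject_and_read(slave, pipefd[1], inject);
    }
    close(pipefd[1]);
    n = pid < 0 ? -1 : read(pipefd[0], out, outlen);
    if (pid > 0)
        waitpid(pid, &status, 0);
    close(pipefd[0]);
    close(slave);
    close(master);                           /* closing the master hangs up the pty */
    if (pid < 0 || n < 0 || !WIFEXITED(status) || WEXITSTATUS(status) == 1)
        return DEMO_SETUP_ERROR;
    if (WEXITSTATUS(status) == 2)
        return DEMO_REFUSED;
    return (int)n;
}

int main(void)
{
    char out[64];
    int r = tiocsti_demo("pwned", out, sizeof out);

    if (r > 0)
        printf("injected and read back %d bytes: %.*s\n", r, r, out);
    else
        printf("TIOCSTI %s\n", r == DEMO_REFUSED ? "refused" : "setup failed");
    return 0;
}
```

On a kernel that still permits TIOCSTI the call returns 5 and out holds "pwned"; nothing was ever typed, which is the whole attack. The parent keeps the master open until the child is reaped because closing it hangs up the slave and flushes its queue.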
-
Christian Brauner authored
- Make escape sequence to exit tty optional since we want to reuse lxc_console_cb_tty_stdin() in lxc_attach.c.
- Export the following functions since they can be reused in other modules:
  - lxc_console_cb_tty_stdin()
  - lxc_console_cb_tty_master()
  - lxc_setup_tios(int fd, struct termios *oldtios);
  - lxc_console_winsz(int srcfd, int dstfd);
  - lxc_console_cb_sigwinch_fd(int fd, uint32_t events, void *cbdata, struct lxc_epoll_descr *descr);
  - lxc_tty_state *lxc_console_sigwinch_init(int srcfd, int dstfd);
  - lxc_console_sigwinch_fini(struct lxc_tty_state *ts);
- rewrite lxc_console_set_stdfds()
- Make lxc_console_set_stdfds usable by other callers that do not have access to lxc_handler.
- Use ssh settings for ptys.
- Remove all asserts from console.{c,h}.
- Adapt start.c to changes.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 22 Mar, 2017 3 commits
-
-
John Chen authored
Fixing the typo making `suggest_default_idmap` open `subuidfile` instead of `subgidfile` to read subgid information.

Signed-off-by: Pochang Chen <johnchen902@gmail.com>
-
Stéphane Graber authored
We waste a lot of time waiting for Ubuntu containers to cleanly stop right before we destroy them anyway.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 20 Mar, 2017 9 commits
-
-
Tai Kedzierski authored
Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>
-
Tai Kedzierski authored
Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>
-
Tai Kedzierski authored
Checks if DOWNLOAD_KEYSERVER has already been set in the environment before setting a value.

Signed-off-by: Tai Kedzierski <dch.tai@gmail.com>
-
Stéphane Graber authored
Closes #1466

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Serge Hallyn authored
Signed-off-by: Serge Hallyn <serge@hallyn.com>
-
Serge Hallyn authored
Newer libseccomp has a flag called SCMP_FLTATR_ATL_TSKIP which allows syscall '-1' (nop) to be executed. Without that flag, debuggers cannot skip system calls inside containers.

For reference, see the seccomp(2) manpage, which says:

    The tracer can skip the system call by changing the system call number to -1.

and see the seccomp issue #80

Signed-off-by: Serge Hallyn <serge@hallyn.com>
-
Evgeni Golov authored
Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Adam Borowski authored
Without this patch, x32 guests (and no others) worked "natively" with x32 host lxc, but not on regular amd64 hosts. That was especially problematic as a number of ioctls such as those needed by netfilter don't work in such scenarios, thus you want to run amd64 on the host.

With the patch, you can use all three ABIs: i386 x32 amd64 on amd64 hosts.

Despite x32 being little used, there's no reason to deny it by default: the admin needs to compile their own kernel with CONFIG_X86_X32=y or (on Debian) boot with syscall.x32=y. If they've done so, it is a reasonable assumption they want x32 guests.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 07 Mar, 2017 1 commit
-
-
Christian Brauner authored
Before this commit, lxc-user-nic could potentially have been tricked into operating on a network namespace over which the caller did not hold privilege. This commit ensures that the caller is privileged over the network namespace by temporarily dropping privilege.

Launchpad: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1654676
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 27 Feb, 2017 1 commit
-
-
Jörg Thalheim authored
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 27 Jan, 2017 1 commit
-
-
Colin Watson authored
On Ubuntu 12.04 LTS with Python 3.2, `lxc-start-ephemeral` breaks as follows:

    Traceback (most recent call last):
      File "/usr/bin/lxc-start-ephemeral", line 371, in attach_as_user
      File "/usr/lib/python3.2/subprocess.py", line 515, in check_output
      File "/usr/lib/python3.2/subprocess.py", line 732, in __init__
    LookupError: unknown encoding: ANSI_X3.4-1968

This is because `universal_newlines=True` causes `subprocess` to use `io.TextIOWrapper`, and in versions of Python earlier than 3.3 that fetched the preferred encoding using `locale.getpreferredencoding()` rather than `locale.getpreferredencoding(False)`, thereby changing the locale and causing codecs to be reloaded. However, `attach_as_user` runs inside the container and thus can't rely on having access to the same Python standard library on disk.

The workaround is to decode by hand instead, avoiding the temporary change of locale.

Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
-
- 23 Jan, 2017 1 commit
-
-
Sergei Trofimovich authored
Before the change build failed on Gentoo as:

    bdev/lxclvm.c: In function 'lvm_detect':
    bdev/lxclvm.c:140:4: error: implicit declaration of function 'major' [-Werror=implicit-function-declaration]
       major(statbuf.st_rdev), minor(statbuf.st_rdev));
       ^~~~~
    bdev/lxclvm.c:140:28: error: implicit declaration of function 'minor' [-Werror=implicit-function-declaration]
       major(statbuf.st_rdev), minor(statbuf.st_rdev));
                               ^~~~~

glibc plans to remove <sys/sysmacros.h> from glibc's <sys/types.h>:
https://sourceware.org/ml/libc-alpha/2015-11/msg00253.html

Gentoo already applied the glibc patch to experimental glibc-2.24 to start preparing for the change.

Autoconf has AC_HEADER_MAJOR to find out which header defines the required macros:
https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Headers.html

This change should also increase portability across other libcs.

Bug: https://bugs.gentoo.org/604360
Signed-off-by: Sergei Trofimovich <siarheit@google.com>
-
- 03 Jan, 2017 4 commits
-
-
Christian Brauner authored
This mainly affects Trusty. The 3.13 kernel has a broken overlay module which does not handle symlinks correctly. This is a problem for containers that use an overlay based rootfs since safe_mount() uses /proc/<pid>/fd/<fd-number> in its calls to mount().

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Fabrice Fontaine authored
Previously HAVE_LIBGNUTLS was never set in config.h even if gnutls was detected, as the AC_CHECK_LIB default action-if-found was overridden by enable_gnutls=yes.

This patch adds an --enable-gnutls option and will call AC_CHECK_LIB with the default action to write HAVE_LIBGNUTLS in config.h.

Signed-off-by: Fabrice Fontaine <fabrice.fontaine@orange.com>
-
Evgeni Golov authored
Given commit 330ae3d3:

    lxccontainer: detect if we should send SIGRTMIN+3

    This is required by systemd to cleanly shutdown. Other init systems should not have SIGRTMIN+3 in the blocked signals set.

we should stop poking around with sigpwr.target for systemd.

Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Evgeni Golov authored
it might not even be there…

Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
- 15 Dec, 2016 4 commits
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
Santiago Ruano Rincón authored
Signed-off-by: Santiago Ruano Rincón <santiago@debian.org>
Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Santiago Ruano Rincón authored
Signed-off-by: Santiago Ruano Rincón <santiago@debian.org>
Signed-off-by: Evgeni Golov <evgeni@debian.org>
-
Wolfgang Bumiller authored
Save errno across some calls to close() since it can be interrupted.

Signed-off-by: Wolfgang Bumiller <wry.git@bumiller.com>
-
- 09 Dec, 2016 1 commit
-
-
Stéphane Graber authored
attach: close lsm label file descriptor
-
- 08 Dec, 2016 1 commit
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-