- 21 Jun, 2019 1 commit
-
-
Stéphane Graber authored
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
-
- 20 Jun, 2019 2 commits
-
-
Christian Brauner authored
Reported-by: Free Ekanayaka <free.ekanayaka@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
t00416110 authored
Signed-off-by: t00416110 <tanyifeng1@huawei.com>
-
- 18 Jun, 2019 6 commits
-
-
Serge Hallyn authored
None of them seem to support pkg-config themselves, else we could add them to Requires.private.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
-
Rachid Koucha authored
In privileged mode, the container startup loses a file descriptor for "handler->nsfd[LXC_NS_NET]".

At line 1782, we preserve the namespaces file descriptor (in privileged mode, the network namespace is also preserved):

    for (i = 0; i < LXC_NS_MAX; i++)
        if (handler->ns_on_clone_flags & ns_info[i].clone_flag)
            INFO("Cloned %s", ns_info[i].flag_name);

    if (!lxc_try_preserve_namespaces(handler, handler->ns_on_clone_flags, handler->pid)) {
        ERROR("Failed to preserve cloned namespaces for lxc.hook.stop");
        goto out_delete_net;
    }

Then at line 1830, we preserve one more time the network namespace:

    ret = lxc_try_preserve_ns(handler->pid, "net");
    if (ret < 0) {
        if (ret != -EOPNOTSUPP) {
            SYSERROR("Failed to preserve net namespace");
            goto out_delete_net;
        }

The latter overwrites the file descriptor already stored in handler->nsfd[LXC_NS_NET] at line 1786. So, this fix checks that the entry is not already filled.

Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
Christian Brauner authored
Return an error code when the name is invalid instead of pretending that things are fine.
Closes #3044.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Serge Hallyn authored
The reason for this is because openssl can be statically linked against, gnutls cannot.
Signed-off-by: Serge Hallyn <shallyn@cisco.com>
-
KATOH Yasufumi authored
Update for commit 8de90384
Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
-
Rachid Koucha authored
The hook string names must not be repeated in the source code to facilitate future changes.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
- 13 Jun, 2019 14 commits
-
-
Christian Brauner authored
Closes #3027.
BugLink: https://bugs.launchpad.net/bugs/1831258
Cc: Dimitri John Ledkov <xnox@ubuntu.com>
Cc: Scott Moser <smoser@ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Paul Romlow authored
Signed-off-by: Paul Romlow <paul@romlow.com>
-
Rachid Koucha authored
/tmp created with "rwxrwxrwt" mode
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
LiFeng authored
Signed-off-by: LiFeng <lifeng68@huawei.com>
-
Brian McQueen authored
Signed-off-by: Brian McQueen <bmcqueen@linkedin.com>
-
Alexander Kriventsov authored
Signed-off-by: Alexander Kriventsov <akriventsov@nic.ru>
-
Tycho Andersen authored
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
-
Tycho Andersen authored
This is the default thread size for glibc, so it is reasonable to match that when we clone(). Mostly this is a science experiment suggested by brauner, and who doesn't love science?
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
-
Alexander Kriventsov authored
Signed-off-by: Alexander Kriventsov <akriventsov@nic.ru>
-
Christian Brauner authored
Handle offline cpus in v1 hierarchy. In addition to isolated cpus we also need to account for offline cpus when our ancestor cgroup is the root cgroup and we have not been initialized yet.
Closes #2953.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
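The filtering this commit describes, as an added C example that is not LXC's own implementation: parse the kernel's cpulist notation (`"0-3,5,7-9"`, as found in `cpuset.cpus`, `/sys/devices/system/cpu/isolated` and `/sys/devices/system/cpu/offline`), remove the isolated and offline cpus from the ancestor's set, and render the remainder back into cpulist form. The three input strings are constructed here rather than read from sysfs. The policy of returning failure when no usable cpu remains is this example's choice, not LXC's (the commit does not specify a fallback); `MAX_CPUS` is an assumed upper bound.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CPUS 256   /* assumed upper bound for this example */

/* Parse a kernel cpulist ("0-3,5,7-9", optionally newline-terminated)
 * into a presence array. An empty string means "no cpus". Returns false
 * on malformed input, so a garbled sysfs file is never silently accepted. */
bool parse_cpulist(const char *list, bool present[MAX_CPUS])
{
    memset(present, 0, MAX_CPUS * sizeof(bool));
    const char *p = list ? list : "";
    while (*p != '\0' && *p != '\n') {
        char *end;
        long lo = strtol(p, &end, 10);
        if (end == p || lo < 0 || lo >= MAX_CPUS)
            return false;
        long hi = lo;
        if (*end == '-') {
            p = end + 1;
            hi = strtol(p, &end, 10);
            if (end == p || hi < lo || hi >= MAX_CPUS)
                return false;
        }
        for (long c = lo; c <= hi; c++)
            present[c] = true;
        if (*end == ',')
            p = end + 1;
        else if (*end == '\0' || *end == '\n')
            p = end;
        else
            return false;
    }
    return true;
}

/* Render a presence array back to cpulist form, collapsing runs into
 * ranges. Returns the length written, or -1 if the buffer is too small. */
int format_cpulist(const bool present[MAX_CPUS], char *out, size_t outlen)
{
    size_t off = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (int c = 0; c < MAX_CPUS; c++) {
        if (!present[c])
            continue;
        int start = c;
        while (c + 1 < MAX_CPUS && present[c + 1])
            c++;
        int n = (start == c)
            ? snprintf(out + off, outlen - off, "%s%d", off ? "," : "", start)
            : snprintf(out + off, outlen - off, "%s%d-%d", off ? "," : "", start, c);
        if (n < 0 || (size_t)n >= outlen - off)
            return -1;
        off += (size_t)n;
    }
    return (int)off;
}

/* ancestor minus (isolated union offline). Returns NULL on a parse error
 * or when nothing usable remains (this example's policy). The result
 * lives in a static buffer and is overwritten by the next call. */
const char *usable_cpus_str(const char *ancestor, const char *isolated,
                            const char *offline)
{
    static char buf[4 * MAX_CPUS];
    bool have[MAX_CPUS], iso[MAX_CPUS], off[MAX_CPUS];

    if (!parse_cpulist(ancestor, have) || !parse_cpulist(isolated, iso) ||
        !parse_cpulist(offline, off))
        return NULL;

    int usable = 0;
    for (int c = 0; c < MAX_CPUS; c++) {
        if (have[c] && (iso[c] || off[c]))
            have[c] = false;
        usable += have[c];
    }
    if (usable == 0 || format_cpulist(have, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed inputs: 8-cpu root cpuset, cpus 2-3 isolated, 6-7 offline. */
    const char *r = usable_cpus_str("0-7\n", "2-3\n", "6-7\n");
    printf("usable cpus: %s\n", r ? r : "(none)");
    return 0;
}
```

Writing a cpuset that still names an offline or isolated cpu is rejected by the v1 controller, so the failure shows up as a container that refuses to start; filtering the list before the write, and treating an unparseable sysfs file as an error rather than an empty set, keeps the error visible instead of masking it.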
-
Tycho Andersen authored
We have a do_clone(), which just calls a void f(void *) that it gets passed. We build up a struct consisting of two args that are just the actual arg and actual function. Let's just have the syscall do this for us.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
-
Tycho Andersen authored
We should add a little note about the race in the previous patch.
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
-
Tycho Andersen authored
There are two problems with this code:

1. The math is wrong. We allocate a char *foo[__LXC_STACK_SIZE]; which means it's really sizeof(char *) * __LXC_STACK_SIZE, instead of just __LXC_STACK_SIZE.

2. We can't actually allocate it on our stack. When we use CLONE_VM (which we do in the shared ns case) that means that the new thread is just running one page lower on the stack, but anything that allocates a page on the stack may clobber data. This is a pretty short race window since we just do the shared ns stuff and then do a clone without CLONE_VM.

However, it does point out an interesting possible privilege escalation if things aren't configured correctly: do_share_ns() sets up namespaces while it shares the address space of the task that spawned it; once it enters the pid ns of the thing it's sharing with, the thing it's sharing with can ptrace it and write stuff into the host's address space. Since the function that does the clone() is lxc_spawn(), it has a struct cgroup_ops* on the stack, which itself has function pointers called later in the function, so it's possible to allocate shellcode in the address space of the host and run it fairly easily. ASLR doesn't mitigate this since we know exactly the stack offsets; however this patch has the kernel allocate a new stack, which will help. Of course, the attacker could just check /proc/pid/maps to find the location of the stack, but they'd still have to guess where to write stuff in.

The thing that does prevent this is the default configuration of apparmor. Since the apparmor profile is set in the second clone, and apparmor prevents ptracing things under a different profile, attackers confined by apparmor can't do this. However, if users are using a custom configuration with shared namespaces, care must be taken to avoid this race. Shared namespaces aren't widely used now, so perhaps this isn't a problem, but with the advent of crio-lxc for k8s, this functionality will be used more.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
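An added C example (not LXC's code) for the two problems the commit above lists: the sizing arithmetic, and giving a CLONE_VM child its own stack rather than a region of the parent's. `bytes_for_pointer_array()` and `bytes_for_char_array()` evaluate the two declarations the message contrasts; `child_stack_alloc()` maps a private stack with a PROT_NONE guard page below it, so an overrun by the child faults instead of silently overwriting whatever lies beneath. `STACK_SIZE` is set to 8 MiB to match the glibc default thread stack mentioned elsewhere in this log; the `child_stack` struct and the function names are this example's own. The `top` pointer is what would be passed as the child stack argument to `clone()`; the clone call itself is left out so the program runs without special privileges.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define STACK_SIZE (8u * 1024u * 1024u)   /* 8 MiB, glibc's default thread stack */

/* The two declarations the commit message contrasts. The first reserves
 * STACK_SIZE pointers (8x too much on 64-bit), the second STACK_SIZE bytes.
 * Both are type expressions only; nothing is allocated here. */
size_t bytes_for_pointer_array(void) { return sizeof(char *[STACK_SIZE]); }
size_t bytes_for_char_array(void)    { return sizeof(char[STACK_SIZE]); }

struct child_stack {
    void *base;   /* start of the mapping, including the guard page */
    size_t len;   /* total mapped length */
    void *top;    /* highest usable address, 16-byte aligned: the clone() stack arg */
};

/* Map a private, anonymous stack of at least `size` usable bytes with a
 * guard page at the low end. Each CLONE_VM child needs its own such
 * region; sharing the parent's stack is exactly the bug being fixed. */
int child_stack_alloc(struct child_stack *s, size_t size)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t usable = (size + (size_t)page - 1) / (size_t)page * (size_t)page;
    s->len = usable + (size_t)page;
    s->base = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->base == MAP_FAILED)
        return -1;
    /* Lowest page becomes inaccessible: stack growth past it faults. */
    if (mprotect(s->base, (size_t)page, PROT_NONE) != 0) {
        munmap(s->base, s->len);
        return -1;
    }
    /* The stack grows downward, so clone() takes the top of the region. */
    s->top = (void *)(((uintptr_t)s->base + s->len) & ~(uintptr_t)15);
    return 0;
}

void child_stack_free(struct child_stack *s)
{
    munmap(s->base, s->len);
    s->base = NULL;
    s->top = NULL;
    s->len = 0;
}

/* Bytes the child may actually use: between the guard page and the top. */
size_t child_stack_usable(const struct child_stack *s)
{
    long page = sysconf(_SC_PAGESIZE);
    return (uintptr_t)s->top - ((uintptr_t)s->base + (uintptr_t)page);
}

/* Allocate, verify size and alignment, release. 0 on success. */
int stack_alloc_selfcheck(void)
{
    struct child_stack s;
    if (child_stack_alloc(&s, STACK_SIZE) != 0)
        return -1;
    int ok = child_stack_usable(&s) >= STACK_SIZE && ((uintptr_t)s.top % 16) == 0;
    child_stack_free(&s);
    return ok ? 0 : -2;
}

int main(void)
{
    printf("char *foo[STACK_SIZE] occupies %zu bytes\n", bytes_for_pointer_array());
    printf("char foo[STACK_SIZE]   occupies %zu bytes\n", bytes_for_char_array());
    printf("guarded stack self-check: %d\n", stack_alloc_selfcheck());
    return 0;
}
```

A per-child mapping also gives the defender a clear boundary to reason about: the child's stack frames live in a region the parent never uses, so a write that lands outside it hits the guard page or unmapped memory rather than the parent's live frames.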
-
- 21 May, 2019 1 commit
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
- 18 May, 2019 16 commits
-
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Specifically, refloat function arguments and remove useless comments.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Christian Brauner authored
Let lxc_attach() reuse the already initialized container.
Closes https://github.com/lxc/lxd/issues/5755.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Thomas Parrott authored
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
-
Thomas Parrott authored
Updates lxc_restore_phys_nics_to_netns() to move phys netdevs back to the monitor's network namespace rather than the previously hardcoded PID 1 net ns. This is to fix instances where LXC is started inside a net ns different from PID 1's, and physical devices are moved back, when the container is shut down, to a net ns different from the one the container was started from.
Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
-
Christian Brauner authored
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
-
Rachid Koucha authored
Suppressed error prone semicolon in SYSTRACE() macro.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
Rachid Koucha authored
Use %m under HAVE_M_FORMAT instead of strerror()
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
Rachid Koucha authored
GLIBC supports %m to avoid calling strerror(). Using it saves some code space.
==> This check will define HAVE_M_FORMAT to be used wherever possible (e.g. log.h)
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-
Rikard Falkeborn authored
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-
Rikard Falkeborn authored
Returning -1 in a function with return type bool is the same as returning true. Change to return false to indicate error properly. Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-
Rikard Falkeborn authored
Returning -1 in a function with return type bool is the same as returning true. Change to return false to indicate error properly. Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-
Rikard Falkeborn authored
Since _exit() will terminate, the return statement is dead code. Also, returning -1 from a function with bool as return type is confusing. Detected with cppcheck.
Signed-off-by: Rikard Falkeborn <rikard.falkeborn@gmail.com>
-
Radostin Stoyanov authored
CRIU has only 4 levels of verbosity (errors, warnings, info, debug). Thus, using `-v4` is more appropriate. https://criu.org/Logging
Signed-off-by: Radostin Stoyanov <rstoyanov1@gmail.com>
-
Rachid Koucha authored
As suggested during the review.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
-