From c948657b04506f18a572ce525cd2dbce8e84afca Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 12:57:12 +0100 Subject: [PATCH 01/13] attach: init struct Signed-off-by: Christian Brauner --- src/lxc/attach.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 34bdf9145..2d167d63e 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1269,6 +1269,8 @@ int lxc_attach(const char *name, const char *lxcpath, } pty.log_fd = options->log_fd; + } else { + lxc_pty_init(&pty); } /* Create a socket pair for IPC communication; set SOCK_CLOEXEC in order From ce4a1a11c9d0ff0378a94ed91196c6e47f8a9f20 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 14:04:15 +0100 Subject: [PATCH 02/13] tools: non-functional changes Signed-off-by: Christian Brauner --- src/lxc/tools/lxc_execute.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c index 98f846fc2..28e457292 100644 --- a/src/lxc/tools/lxc_execute.c +++ b/src/lxc/tools/lxc_execute.c @@ -21,24 +21,25 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ #define _GNU_SOURCE -#include -#include #include #include +#include +#include #include #include -#include -#include -#include #include +#include +#include + +#include -#include "caps.h" -#include "lxc.h" -#include "log.h" -#include "conf.h" -#include "confile.h" #include "arguments.h" +#include "caps.h" +#include "conf.h" #include "config.h" +#include "confile.h" +#include "log.h" +#include "lxc.h" #include "start.h" #include "utils.h" From 0072887d775b18015f82637637769d390b743e56 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 14:05:01 +0100 Subject: [PATCH 03/13] tools: fix android Signed-off-by: Christian Brauner --- src/lxc/tools/lxc_execute.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c index 28e457292..3348d7c1c 100644 --- a/src/lxc/tools/lxc_execute.c +++ b/src/lxc/tools/lxc_execute.c @@ -30,6 +30,7 @@ #include #include #include +#include #include From 4d078b3c256816e4493398d1820f0e7d4df43a6f Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 21:26:33 +0100 Subject: [PATCH 04/13] coverity: #1427668 Signed-off-by: Christian Brauner --- src/lxc/lxc_init.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c index 29394c80d..c44982726 100644 --- a/src/lxc/lxc_init.c +++ b/src/lxc/lxc_init.c @@ -197,23 +197,25 @@ static void kill_children(pid_t pid) static void remove_self(void) { - char path[PATH_MAX]; + int ret; ssize_t n; + char path[MAXPATHLEN] = {0}; n = readlink("/proc/self/exe", path, sizeof(path)); - if (n < 0) { + if (n < 0 || n >= MAXPATHLEN) { SYSERROR("Failed to readlink \"/proc/self/exe\""); return; } + path[n] = '\0'; - path[n] = 0; - - if (umount2(path, MNT_DETACH) < 0) { + ret = umount2(path, MNT_DETACH); + if (ret < 0) { SYSERROR("Failed to unmount \"%s\"", path); return; } - if (unlink(path) < 0) { + ret = unlink(path); + if (ret < 0) { SYSERROR("Failed to unlink \"%s\"", path); return; } From 358b8c818bea4df683c05647fa7b165037a29776 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 21:30:17 +0100 Subject: [PATCH 05/13] coverity: #1427639 remove logically dead code Signed-off-by: Christian Brauner --- src/lxc/utils.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index a20e4b715..0b8841630 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -2415,12 +2415,8 @@ int parse_byte_size_string(const char *s, int64_t *converted) if (suffix_len > 0 && (end - 2) == dup && !isdigit(*(end - 2))) return -EINVAL; - if (suffix_len > 0 && isalpha(*(end - 2))) { - if (suffix_len == 1) - suffix_len++; - else - return -EINVAL; - } + if (suffix_len > 0 && isalpha(*(end - 2))) + suffix_len++; if (suffix_len > 0) { memcpy(suffix, end - suffix_len, suffix_len); From b21da190ec9a0d11f19d4e2c0d1fda9dd668d02f Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 21:35:35 +0100 Subject: [PATCH 06/13] coverity: #1427638 avoid (however unlikely) double free Signed-off-by: Christian Brauner --- src/lxc/attach.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 2d167d63e..06e4af566 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -840,8 +840,10 @@ static void lxc_put_attach_clone_payload(struct attach_clone_payload *p) p->pty_fd = -EBADF; } - if (p->init_ctx) + if (p->init_ctx) { lxc_proc_put_context_info(p->init_ctx); + p->init_ctx = NULL; + } } static int attach_child_main(struct attach_clone_payload *payload) From 2388737b2a78af3df2f45e931607a3c0e809d05b Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 8 Jan 2018 18:24:41 +0100 Subject: [PATCH 07/13] coverity: #1427191 Signed-off-by: Christian Brauner --- src/lxc/conf.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index f5bcb9d24..d08cfad8e 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2657,15 +2657,17 @@ int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, return -1; } - buflen = sizeof("deny\n") - 1; - errno = 0; - ret = lxc_write_nointr(fd, "deny\n", buflen); - if (ret != buflen) { - SYSERROR("Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid); + if (fd >= 0) { + buflen = sizeof("deny\n") - 1; + errno = 0; + ret = lxc_write_nointr(fd, "deny\n", buflen); + if (ret != buflen) { + SYSERROR("Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid); + close(fd); + return -1; + } close(fd); - return -1; } - close(fd); } ret = snprintf(path, MAXPATHLEN, "/proc/%d/%cid_map", pid, From a49cad59f833e57f647eb5358c9163147f075a39 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Mon, 8 Jan 2018 18:25:56 +0100 Subject: [PATCH 08/13] coverity: #1427190 Signed-off-by: Christian Brauner --- src/lxc/cgroups/cgfsng.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index 2d1ad4ebb..5350ddcda 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -1221,9 +1221,6 @@ static int recursive_destroy(char *dirname) char *pathname; struct stat mystat; - if (!direntp) - break; - if (!strcmp(direntp->d_name, ".") || !strcmp(direntp->d_name, "..")) continue; From c8dcf77824ed41857f0e86f98f59038eadc7d6c0 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 21:44:50 +0100 Subject: [PATCH 09/13] coverity: #1426734 do not call close on bad fd Signed-off-by: Christian Brauner --- src/lxc/monitor.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/src/lxc/monitor.c b/src/lxc/monitor.c index 6dcdd340d..644d2a52f 100644 --- a/src/lxc/monitor.c +++ b/src/lxc/monitor.c @@ -209,7 +209,6 @@ int lxc_monitor_open(const char *lxcpath) int fd; size_t retry; size_t len; - int ret = -1; int backoff_ms[] = {10, 50, 100}; if (lxc_monitor_sock_name(lxcpath, &addr) < 0) @@ -218,16 +217,16 @@ int lxc_monitor_open(const char *lxcpath) fd = socket(PF_UNIX, SOCK_STREAM, 0); if (fd < 0) { ERROR("Failed to create socket: %s.", strerror(errno)); - return -errno; + return -1; } len = strlen(&addr.sun_path[1]); DEBUG("opening monitor socket %s with len %zu", &addr.sun_path[1], len); if (len >= sizeof(addr.sun_path) - 1) { errno = ENAMETOOLONG; - ret = -errno; ERROR("name of monitor socket too long (%zu bytes): %s", len, strerror(errno)); - goto on_error; + close(fd); + return -1; } for (retry = 0; retry < sizeof(backoff_ms) / sizeof(backoff_ms[0]); retry++) { @@ -239,16 +238,12 @@ int lxc_monitor_open(const char *lxcpath) } if (fd < 0) { - ret = -errno; ERROR("Failed to connect to monitor socket: %s.", strerror(errno)); - goto on_error; + close(fd); + return -1; } return fd; - -on_error: - close(fd); - return ret; } int lxc_monitor_read_fdset(struct pollfd *fds, nfds_t nfds, struct lxc_msg *msg, From d7af33e24ea644eededb3f3be21cc7687e80bdb6 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sat, 20 Jan 2018 21:46:31 +0100 Subject: [PATCH 10/13] coverity: #1426694 remove logically dead code Signed-off-by: Christian Brauner --- src/lxc/lxc_init.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c index c44982726..594b00094 100644 --- a/src/lxc/lxc_init.c +++ b/src/lxc/lxc_init.c @@ -155,8 +155,6 @@ static void prevent_forking(void) } on_error: - if (fd >= 0) - close(fd); free(line); fclose(f); } From 42b09f9429eb6b17c8245176c05ba1325f642fe3 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sun, 21 Jan 2018 13:55:42 +0100 Subject: [PATCH 11/13] start: fix mainloop cleanup goto statements Signed-off-by: Christian Brauner --- src/lxc/start.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index 41442a162..40c5d2d2f 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -545,22 +545,21 @@ int lxc_poll(const char *name, struct lxc_handler *handler) close(descr.epfd); descr.epfd = -EBADF; if (ret < 0 || !handler->init_died) - goto out_mainloop; + goto out_mainloop_console; if (has_console) ret = lxc_mainloop(&descr_console, 0); - -out_mainloop: - lxc_mainloop_close(&descr); - TRACE("Closed mainloop"); - out_mainloop_console: if (has_console) { lxc_mainloop_close(&descr_console); TRACE("Closed console mainloop"); } +out_mainloop: + lxc_mainloop_close(&descr); + TRACE("Closed mainloop"); + out_sigfd: close(handler->sigfd); TRACE("Closed signal file descriptor %d", handler->sigfd); From bb2ada6f4d1f2e813976b79bd128c59c6f273275 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sun, 21 Jan 2018 15:20:19 +0100 Subject: [PATCH 12/13] attach: setup /proc limits Signed-off-by: Christian Brauner --- src/lxc/attach.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 06e4af566..63e000195 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1354,6 +1354,13 @@ int lxc_attach(const char *name, const char *lxcpath, "cgroups", pid); } + /* Setup /proc limits */ + if (!lxc_list_empty(&init_ctx->container->lxc_conf->procs)) { + ret = setup_proc_filesystem(&init_ctx->container->lxc_conf->procs, pid); + if (ret < 0) + goto on_error; + } + /* Setup resource limits */ if (!lxc_list_empty(&init_ctx->container->lxc_conf->limits)) { ret = setup_resource_limits(&init_ctx->container->lxc_conf->limits, pid); From 1cce35e649874b489b84a4223e096d681842cca9 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Sun, 21 Jan 2018 15:23:20 +0100 Subject: [PATCH 13/13] attach: non-functional changes Signed-off-by: Christian Brauner --- src/lxc/attach.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 63e000195..8444eaf12 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -1145,6 +1145,7 @@ int lxc_attach(const char *name, const char *lxcpath, pid_t attached_pid, init_pid, pid; struct lxc_proc_context_info *init_ctx; struct lxc_console pty; + struct lxc_conf *conf; struct attach_clone_payload payload = {0}; ret = access("/proc/self/ns", X_OK); @@ -1189,6 +1190,7 @@ int lxc_attach(const char *name, const char *lxcpath, return -ENOMEM; } } + conf = init_ctx->container->lxc_conf; if (!fetch_seccomp(init_ctx->container, options)) WARN("Failed to get seccomp policy."); @@ -1262,7 +1264,7 @@ int lxc_attach(const char *name, const char *lxcpath, } if (options->attach_flags & LXC_ATTACH_ALLOCATE_PTY) { - ret = lxc_attach_pty(init_ctx->container->lxc_conf, &pty); + ret = lxc_attach_pty(conf, &pty); if (ret < 0) { ERROR("Failed to allocate pty"); free(cwd); @@ -1355,15 +1357,15 @@ int lxc_attach(const char *name, const char *lxcpath, } /* Setup /proc limits */ - if (!lxc_list_empty(&init_ctx->container->lxc_conf->procs)) { - ret = setup_proc_filesystem(&init_ctx->container->lxc_conf->procs, pid); + if (!lxc_list_empty(&conf->procs)) { + ret = setup_proc_filesystem(&conf->procs, pid); if (ret < 0) goto on_error; } /* Setup resource limits */ - if (!lxc_list_empty(&init_ctx->container->lxc_conf->limits)) { - ret = setup_resource_limits(&init_ctx->container->lxc_conf->limits, pid); + if (!lxc_list_empty(&conf->limits)) { + ret = setup_resource_limits(&conf->limits, pid); if (ret < 0) goto on_error; }