shutdown() affects sockets even across forked processes. The
attached child process doesn't have any interest in using the
IPC socket, so just close it in the child process and let the
intermediate process handle shutting it down.
This fixes a bug seen with lxc exec in crbug.com/884244
Signed-off-by: Stephen Barber <smbarber@chromium.org>
The extra bind-mount is not required. To successfully remount read-only
we just need MS_REMOUNT|MS_RDONLY.
Closes #2602.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Serge Hallyn <serge@hallyn.com>
For setup, switch to the most privileged ids we can find. That is either
nsuid 0 if a mapping has been established or, if not, the ids the
init running in the container was started with.
After setup, switch to the actual requested ids.
Closes #2591.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Fix #2592 by defining -Wvla -std=gnu11 even if --disable-werror is set
As -std=gnu11 is always set, bump requirement on gcc from 4.6 to 4.7
(see https://gcc.gnu.org/projects/cxx-status.html#cxx11)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
If the caller passed the size of the array, not the string length, the array can be accessed out of bounds.
Reordering the conditions prevents access to an invalid index of the array.
Signed-off-by: 2xsec <dh48.jeong@samsung.com>
This reverts commit 2fb7cf0b32.
The problem wasn't caused by the reverted commit and was fixed in
commit 0c9b1f826d ("macro: calculate buffer lengths correctly")
The full explanation can be taken from the following irc excerpt from
the #lxc-dev channel:
│19:54:47 brauner | there was a bug in one of the standard macros we used
│19:55:01 brauner | and the changes by INTTYPE_TO_STRLEN() caused the issue to surface
│19:55:03 brauner | which is good
│19:55:16 brauner | i sent a branch and stgraber merged it that fixes it
│19:57:56 Blub\0 | so...
│19:58:31 Blub\0 | still doesn't explain how it was the sizeof() patch
│20:07:14 brauner | Blub\0: so here's the long explanation
│20:07:35 brauner | Blub\0: stgraber bumped pid_max on our jenkins test builders
│20:07:53 brauner | Blub\0: because we're running *a lot* of containers
│20:07:56 brauner | in any case
│20:08:06 brauner | there was a buffer
│20:08:12 brauner | LXC_LSMATTRLEN
│20:08:59 brauner | it used to be
│20:09:03 brauner | -/* /proc/pid-to-str/attr/current = (5 + INTTYPE_TO_STRLEN(pid_t) + 7 + 1) */
│20:09:03 brauner | -#define LXC_LSMATTRLEN (5 + INTTYPE_TO_STRLEN(pid_t) + 7 + 1)
│20:09:14 brauner | which one can see is wrong
│20:09:21 brauner | before the INTTYPE patchset
│20:09:40 brauner | INTTYPE_TO_STRLEN(pid_t) was LXC_NUMSTRLEN64
│20:09:45 brauner | which gave you 21 chars
│20:09:57 brauner | so it accounted for the missing parts
│20:10:03 brauner | because the correct macro should've been
│20:10:17 brauner | +/* /proc/ = 6
│20:10:17 brauner | + * +
│20:10:17 brauner | + * <pid-as-str> = INTTYPE_TO_STRLEN(pid_t)
│20:10:17 brauner | + * +
│20:10:17 brauner | + * /attr/ = 6
│20:10:17 brauner | + * +
│20:10:17 brauner | + * /current = 8
│20:10:17 brauner | + * +
│20:10:17 brauner | + * \0 = 1
│20:10:17 brauner | + */
│20:10:17 brauner | +#define LXC_LSMATTRLEN (6 + INTTYPE_TO_STRLEN(pid_t) + 6 + 8 + 1)
│20:10:24 Blub\0 | still
│20:10:31 brauner | the issue was only seen
│20:10:39 brauner | when the pid number hit a specific maximum
│20:10:50 Blub\0 | the sizeof patch only changed instances of actual char buf[A_FIXED_NUMBER] + snprintf(buf, A_FIXED_NUMBER, ...)
│20:10:54 brauner | aka exceeded the newly shortened buffer
│20:11:42 brauner | your patch was a red herring
│20:12:03 Blub\0 | I guess
│20:12:06 brauner | it didn't cause it
│20:12:14 brauner | it just surfaced at the same time it was merged
│20:12:25 Blub\0 | so we can revert the revert then? :)
│20:12:35 brauner | yes, that was the plan all along
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
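
The buffer sizing problem described in the IRC excerpt above, as an added example (not code from the LXC tree): the same path is formatted into buffers sized three ways, and truncation is detected from snprintf's return value. PID_STRLEN = 12 is an assumed stand-in for INTTYPE_TO_STRLEN(pid_t), whose value the page does not give; attr_path() and fits() are hypothetical helpers and the pids are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed stand-in for INTTYPE_TO_STRLEN(pid_t); not taken from the page. */
#define PID_STRLEN 12
/* Size the excerpt gives for the older LXC_NUMSTRLEN64. */
#define NUMSTRLEN64 21

/* The three sizings discussed in the excerpt. */
#define LSMATTRLEN_OLD_WIDE  (5 + NUMSTRLEN64 + 7 + 1)     /* wrong constants, hidden by slack */
#define LSMATTRLEN_OLD_TIGHT (5 + PID_STRLEN + 7 + 1)      /* wrong constants, now exposed */
#define LSMATTRLEN_FIXED     (6 + PID_STRLEN + 6 + 8 + 1)  /* corrected constants */

/* Format /proc/<pid>/attr/current into a buffer of `size` bytes.
 * Returns 0 on success, -1 if snprintf failed or the path was truncated. */
static int attr_path(char *buf, size_t size, long pid)
{
	int ret = snprintf(buf, size, "/proc/%ld/attr/current", pid);

	if (ret < 0 || (size_t)ret >= size)
		return -1;
	return 0;
}

/* Hypothetical demo helper: 1 if the path for `pid` fits in `size` bytes,
 * 0 if it would be truncated, -1 if `size` exceeds the scratch buffer. */
static int fits(size_t size, long pid)
{
	char buf[64];

	if (size > sizeof(buf))
		return -1;
	return attr_path(buf, size, pid) == 0;
}

int main(void)
{
	/* Constructed pids: five digits, then six and seven digits. */
	long pids[] = { 32767, 99999, 100000, 4194303 };

	for (size_t i = 0; i < sizeof(pids) / sizeof(pids[0]); i++)
		printf("pid %-8ld wide=%d tight=%d fixed=%d\n", pids[i],
		       fits(LSMATTRLEN_OLD_WIDE, pids[i]),
		       fits(LSMATTRLEN_OLD_TIGHT, pids[i]),
		       fits(LSMATTRLEN_FIXED, pids[i]));
	return 0;
}
```

Under the assumed digit bound, the tight buffer holds every five-digit pid and truncates from the first six-digit one, which is consistent with the failure appearing only after pid_max was raised.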