As we call "lxc_add_state_client(fd, handler, (lxc_state_t *)req->data)"
which supposes that the last parameter is a table of MAX_STATE
entries when calling memcpy():
memcpy(newclient->states, states, sizeof(newclient->states))
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
If we call lxc-freeze multiple times for an already frozen container, LXC
triggers useless freezing by writing into the "freezer.state" cgroup file.
This is the same when we call lxc-unfreeze multiple times.
Checking the current state with a LXC_CMD_GET_STATE
(calling c->state) would permit to check if the container is FROZEN
or not.
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
This reverts commit f1bcfc796e.
The reverted branch breaks starting all seccomp confined containers. Not
even a containers with our standard seccomp profile starts correctly.
This is strong evidence that these changes have never been tested even
with a standard workload. That is unacceptable!
We are still happy to merge that feature but going forward we want tests
that verify that standard workloads and new features work correctly.
seccomp is a crucial part of our security story and I will not let the
be compromised by missing tests!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
If the architecture is specified in the seccomp configuration, like:
```
2
whitelist errno 1
[x86_64]
accept allow
accept4 allow
```
We shoud add rules only for amd64 instead of add rules for
x32/i386/amd64.
1. If the [arch] was not specified in seccomp config, add seccomp rules
for all all compat architectures.
2. If the [arch] specified in seccomp config irrelevant to native host
arch, the rules will be ignored.
3. If specified [all] in seccomp config, add seccomp rules for all
compat architectures.
4. If specified [arch] as same as native host arch, add seccomp rules
for the native host arch.
5. If specified [arch] was not native host arch, but compat to host
arch, add seccomp rules for the specified arch only, NOT add seccomp
rules for native arch.
Signed-off-by: LiFeng <lifeng68@huawei.com>
This reverts commit 51a922baf7.
The above commit confuses the mountall unit of privileged
Ubuntu 14.04 containers at startup so that they cannot
finish booting.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
If cgroup namespaces are not supported we should just record it in the
log and move on.
Cc: Ondrej Kubik <ondrej.kubik@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This adds the lxc.seccomp.allow_nesting api extension. If
lxc.seccomp.allow_nesting is set to 1 then seccomp profiles will be
stacked. This way nested containers can load their own seccomp policy on
top of the policy that the outer container might have applied.
Cc: Simon Fels <simon.fels@canonical.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
We need to strip the prefix from the container's source path before
trying to update the file.
Closes#2380.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
SIGWINCH is handled in lxc_terminal_signalfd_cb().
I cannot for the life of me figure out what this is supposed to do.
Afaict, it scans a global list that is totally unnecessary and also
let's say you have 100 ttys and for a single one SIGWINCH is sent. In
that case the whole list is walked and two ioctl()s are performed: one
to get window size one to set window size. For 99 of them the window
size hasn't changed.
If we see issues we can revert!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
