It is not necessary to unlink the abstract socket pathname when
we have finished using the socket. The abstract name is automatically
removed when the socket is closed.
Signed-off-by: Long Wang <w@laoqinren.net>
This patch allows users to start containers in AppArmor namespaces.
Users can define their own profiles for their containers, but
lxc-start must be allowed to change to a namespace.
A container configuration file can wrap a container in an AppArmor
profile using lxc.aa_profile.
A process in an AppArmor namespace is restricted to view
or manage only the profiles belonging to this namespace, as if no
other profiles existed. A namespace can be created as follow:
sudo mkdir /sys/kernel/security/apparmor/policy/namespaces/$NAMESPACE
AppArmor can stack profiles so that the contained process is bound
by the intersection of all profiles of the stack. This is achieved
using the '//&' operator as follow:
lxc.aa_profile = $PROFILE//&:$NAMESPACE://unconfined
In this case, even the guest process appears unconfined in the
namespace, it is still confined by $PROFILE.
A guest allowed to access "/sys/kernel/security/apparmor/** rwklix,"
will be able to manage its own profile set, while still being
enclosed in the topmost profile $PROFILE:
Different guests can be assigned the same namespace or different
namespaces. In the first case, they will share their profiles.
In the second case, they will have distinct sets of profiles.
This is validated on privileged containers.
Signed-off-by: Frédéric Dalleau <frederic.dalleau@collabora.com>
This patch mainly update the message format to:
* upper the first letter
* end without a dot
all changes are relate to `lxc-init`
Signed-off-by: Long Wang <w@laoqinren.net>
use cppcheck tools `cppcheck --enable=warning .` on lxc source directory.
This patch fix the following warnning
```
[src/lxc/cgroups/cgfs.c:794]: (warning) %ld in format string (no. 3) requires 'long' but the argument type is 'unsigned long'.
[src/lxc/confile.c:4441]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile.c:4502]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile_legacy.c:921]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/confile_legacy.c:938]: (warning) %d in format string (no. 2) requires 'int' but the argument type is 'unsigned int'.
[src/lxc/lxclock.c:63]: (warning) %zd in format string (no. 1) requires 'ssize_t' but the argument type is 'size_t {aka unsigned long}'.
[src/lxc/tools/lxc_info.c:118]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:118]: (warning) %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:123]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:127]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_info.c:130]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:212]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:212]: (warning) %u in format string (no. 2) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:217]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:221]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
[src/lxc/tools/lxc_top.c:224]: (warning) %u in format string (no. 1) requires 'unsigned int' but the argument type is 'signed int'.
```
Signed-off-by: Long Wang <w@laoqinren.net>
