LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.
Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Introduce LXC_ATTACH_DETECT_PERSONALITY to make it explicit what is
happening instead of using -1.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
In a moment of idioticity I switch -1 with 0xffffffff in the header
definition but we use -1 to autodetect.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Fix architecture parsing. So far we couldn't really differ between "want
default architecture" and "failed to parse requested architecture"
because the -1 return value means both. Fix this by using the return
value only to indicate success or failure and return the parsed
personality in a return argument.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Use the dedicated LXC_ARCH_UNCHANGED macro everywhere instead of relying
on -1 being correct.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Now that we have the infra to make personality handling unconitional
remove the ifndefs everywhere.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
There's no need to making personality handling conditional as it has
been around for such a long time that only weird systems wouldn't have
support for it. And especially if the user requested a specific
personality to be set but the system doesn't support the personality
syscall we should loudly fail instead of moving on.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
by getting rid of stpncpy
Tested with gcc (GCC) 11.1.1 20210428 (Red Hat 11.1.1-1)
Closes https://github.com/lxc/lxc/issues/3752
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
We don't build any packages there so it seems we don't need
those packages any more. Apart from that, it should make the
script work on Ubuntu Hirsute where dh-systemd was merged into
debhelper and is no longer available.
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
The tool is effectively unused with current master so removing the log
should be ok by now. Let's remove the log to avoid issues such as #3747.
Fixes#3747
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
When we attach to an old server the server can return ENOSYS instead of
ENOCGROUP2 which causes LXC to abort the attach unnecessary. Fix this!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
