Hello community, here is the log from the commit of package lxc for openSUSE:Factory checked in at 2020-05-13 22:56:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lxc (Old) and /work/SRC/openSUSE:Factory/.lxc.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Wed May 13 22:56:00 2020 rev:94 rq:803969 version:4.0.2 Changes: -------- --- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2020-05-11 13:43:40.677415393 +0200 +++ /work/SRC/openSUSE:Factory/.lxc.new.2738/lxc.changes 2020-05-13 22:56:00.995001313 +0200 @@ -1,0 +2,6 @@ +Tue May 12 19:39:38 UTC 2020 - Pavol Cupka <[email protected]> + +- Update to LXC 4.0.2 + - https://discuss.linuxcontainers.org/t/lxc-4-0-2-lts-has-been-released/7449 + +------------------------------------------------------------------- Old: ---- lxc-4.0.1.tar.gz lxc-4.0.1.tar.gz.asc New: ---- lxc-4.0.2.tar.gz lxc-4.0.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++ --- /var/tmp/diff_new_pack.jqaOQP/_old 2020-05-13 22:56:01.695002679 +0200 +++ /var/tmp/diff_new_pack.jqaOQP/_new 2020-05-13 22:56:01.699002686 +0200 @@ -35,7 +35,7 @@ %define shlib_version 1 Name: lxc -Version: 4.0.1 +Version: 4.0.2 Release: 0 URL: http://linuxcontainers.org/ Summary: Userspace tools for Linux kernel containers ++++++ lxc-4.0.1.tar.gz -> lxc-4.0.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/config/apparmor/Makefile.in new/lxc-4.0.2/config/apparmor/Makefile.in --- old/lxc-4.0.1/config/apparmor/Makefile.in 2020-04-06 21:15:30.000000000 +0200 +++ new/lxc-4.0.2/config/apparmor/Makefile.in 2020-04-16 20:17:22.000000000 +0200 
@@ -431,8 +431,8 @@ maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@ENABLE_APPARMOR_FALSE@uninstall-local: @ENABLE_APPARMOR_FALSE@install-data-local: +@ENABLE_APPARMOR_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/config/ltmain.sh new/lxc-4.0.2/config/ltmain.sh --- old/lxc-4.0.1/config/ltmain.sh 2020-02-16 13:06:34.000000000 +0100 +++ new/lxc-4.0.2/config/ltmain.sh 2020-03-02 10:35:42.000000000 +0100 @@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-13" +VERSION="2.4.6 Debian-2.4.6-14" package_revision=2.4.6 @@ -2141,7 +2141,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-13 + version: $progname $scriptversion Debian-2.4.6-14 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/configure new/lxc-4.0.2/configure --- old/lxc-4.0.1/configure 2020-04-06 21:15:29.000000000 +0200 +++ new/lxc-4.0.2/configure 2020-04-16 20:17:21.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for lxc 4.0.1. +# Generated by GNU Autoconf 2.69 for lxc 4.0.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='lxc' PACKAGE_TARNAME='lxc' -PACKAGE_VERSION='4.0.1' -PACKAGE_STRING='lxc 4.0.1' +PACKAGE_VERSION='4.0.2' +PACKAGE_STRING='lxc 4.0.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -639,6 +639,8 @@ DLOG_CFLAGS ENABLE_DLOG_FALSE ENABLE_DLOG_TRUE +ENABLE_COVERITY_BUILD_FALSE +ENABLE_COVERITY_BUILD_TRUE ENFORCE_THREAD_SAFETY_FALSE ENFORCE_THREAD_SAFETY_TRUE PTHREAD_CFLAGS @@ -938,6 +940,7 @@ enable_pam with_pamdir enable_thread_safety +enable_coverity_build enable_dlog enable_memfd_rexec ' @@ -1511,7 +1514,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures lxc 4.0.1 to adapt to many kinds of systems. +\`configure' configures lxc 4.0.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1582,7 +1585,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of lxc 4.0.1:";; + short | recursive ) echo "Configuration of lxc 4.0.2:";; esac cat <<\_ACEOF @@ -1624,6 +1627,7 @@ --enable-pam enable pam module [default=no] --enable-thread-safety enforce thread-safety otherwise fail the build [default=yes] + --enable-coverity-build build for use with Coverity [default=no] --enable-dlog enable dlog support [default=no] --enable-memfd-rexec enforce liblxc as a memfd to protect against certain symlink attacks [default=yes] @@ -1756,7 +1760,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -lxc configure 4.0.1 +lxc configure 4.0.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2221,7 +2225,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by lxc $as_me 4.0.1, which was +It was created by lxc $as_me 4.0.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2692,7 +2696,7 @@ fi fi -LXC_VERSION_BASE=4.0.1 +LXC_VERSION_BASE=4.0.2 @@ -2700,9 +2704,9 @@ LXC_VERSION_MINOR=0 -LXC_VERSION_MICRO=1 +LXC_VERSION_MICRO=2 -LXC_VERSION=4.0.1 +LXC_VERSION=4.0.2 LXC_DEVEL=0 
@@ -3234,7 +3238,7 @@ # Define the identity of the package. PACKAGE='lxc' - VERSION='4.0.1' + VERSION='4.0.2' cat >>confdefs.h <<_ACEOF @@ -17984,6 +17988,42 @@ ENFORCE_THREAD_SAFETY_FALSE= fi +if test "x$enable_thread_safety" = "xyes"; then + +$as_echo "#define ENFORCE_THREAD_SAFETY 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + +# Check whether --enable-coverity-build was given. +if test "${enable_coverity_build+set}" = set; then : + enableval=$enable_coverity_build; enable_coverity_build=$enableval +else + enable_coverity_build=no +fi + + if test "x$enable_coverity_build" = "xyes"; then + ENABLE_COVERITY_BUILD_TRUE= + ENABLE_COVERITY_BUILD_FALSE='#' +else + ENABLE_COVERITY_BUILD_TRUE='#' + ENABLE_COVERITY_BUILD_FALSE= +fi + +if test "x$enable_coverity_build" = "xyes"; then + +$as_echo "#define ENABLE_COVERITY_BUILD 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi # Check whether --enable-dlog was given. if test "${enable_dlog+set}" = set; then : @@ -18564,6 +18604,10 @@ as_fn_error $? "conditional \"ENFORCE_THREAD_SAFETY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_COVERITY_BUILD_TRUE}" && test -z "${ENABLE_COVERITY_BUILD_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_COVERITY_BUILD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${ENABLE_DLOG_TRUE}" && test -z "${ENABLE_DLOG_FALSE}"; then as_fn_error $? "conditional \"ENABLE_DLOG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18969,7 +19013,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by lxc $as_me 4.0.1, which was +This file was extended by lxc $as_me 4.0.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19039,7 +19083,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -lxc config.status 4.0.1 +lxc config.status 4.0.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -20984,9 +21028,10 @@ - user documentation: $enable_doc Debugging: - - tests: $enable_tests - ASAN: $enable_asan + - Coverity: $enable_coverity_build - mutex debugging: $enable_mutex_debugging + - tests: $enable_tests Paths: - Logs in configpath: $enable_configpath_log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/configure.ac new/lxc-4.0.2/configure.ac --- old/lxc-4.0.1/configure.ac 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/configure.ac 2020-04-16 20:17:13.000000000 +0200 @@ -3,7 +3,7 @@ m4_define([lxc_devel], 0) m4_define([lxc_version_major], 4) m4_define([lxc_version_minor], 0) -m4_define([lxc_version_micro], 1) +m4_define([lxc_version_micro], 2) m4_define([lxc_version_beta], []) m4_define([lxc_abi_major], 1) 
@@ -766,6 +766,23 @@ [AS_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])], [enable_thread_safety=$enableval], [enable_thread_safety=yes]) AM_CONDITIONAL([ENFORCE_THREAD_SAFETY], [test "x$enable_thread_safety" = "xyes"]) +if test "x$enable_thread_safety" = "xyes"; then + AC_DEFINE([ENFORCE_THREAD_SAFETY], 1, [enforce thread-safety otherwise fail the build]) + AC_MSG_RESULT([yes]) +else + AC_MSG_RESULT([no]) +fi + +AC_ARG_ENABLE([coverity-build], + [AS_HELP_STRING([--enable-coverity-build], [build for use with Coverity [default=no]])], + [enable_coverity_build=$enableval], [enable_coverity_build=no]) +AM_CONDITIONAL([ENABLE_COVERITY_BUILD], [test "x$enable_coverity_build" = "xyes"]) +if test "x$enable_coverity_build" = "xyes"; then + AC_DEFINE([ENABLE_COVERITY_BUILD], 1, [build for use with Coverity]) + AC_MSG_RESULT([yes]) +else + AC_MSG_RESULT([no]) +fi AC_ARG_ENABLE([dlog], [AS_HELP_STRING([--enable-dlog], [enable dlog support [default=no]])], @@ -1037,9 +1054,10 @@ - user documentation: $enable_doc Debugging: - - tests: $enable_tests - ASAN: $enable_asan + - Coverity: $enable_coverity_build - mutex debugging: $enable_mutex_debugging + - tests: $enable_tests Paths: - Logs in configpath: $enable_configpath_log diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/lxc.spec new/lxc-4.0.2/lxc.spec --- old/lxc-4.0.1/lxc.spec 2020-04-06 21:15:41.000000000 +0200 +++ new/lxc-4.0.2/lxc.spec 2020-04-16 20:17:32.000000000 +0200 
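Review bot: The `AC_MSG_RESULT([yes])` / `AC_MSG_RESULT([no])` calls in both new blocks (thread-safety and coverity-build) have no matching `AC_MSG_CHECKING` in the hunk, so configure prints a bare `yes`/`no` line that is attributed to nothing, unless a checking message is emitted outside the hunk. Either add `AC_MSG_CHECKING([whether to enforce thread-safety])` and `AC_MSG_CHECKING([whether to build for Coverity])` before the respective `if`, or drop the result calls since the summary block in the second hunk already reports `$enable_coverity_build`. The generated `configure` hunks carry the same output and would be regenerated by this fix.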
@@ -57,7 +57,7 @@ %endif Name: lxc -Version: 4.0.1 +Version: 4.0.2 Release: %{?beta_rel:0.1.%{beta_rel}}%{?!beta_rel:%{norm_rel}}%{?dist} URL: http://linuxcontainers.org Source: http://linuxcontainers.org/downloads/%{name}-%{version}%{?beta_dot}.tar.gz diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/config.h.in new/lxc-4.0.2/src/config.h.in --- old/lxc-4.0.1/src/config.h.in 2020-04-06 21:15:28.000000000 +0200 +++ new/lxc-4.0.2/src/config.h.in 2020-04-16 20:17:21.000000000 +0200 @@ -3,9 +3,15 @@ /* "Prefix for shared files." */ #undef DATADIR +/* build for use with Coverity */ +#undef ENABLE_COVERITY_BUILD + /* Rexec liblxc as memfd */ #undef ENFORCE_MEMFD_REXEC +/* enforce thread-safety otherwise fail the build */ +#undef ENFORCE_THREAD_SAFETY + /* Define to 1 if you have the `confstr' function. */ #undef HAVE_CONFSTR diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/af_unix.c new/lxc-4.0.2/src/lxc/af_unix.c --- old/lxc-4.0.1/src/lxc/af_unix.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/af_unix.c 2020-04-16 20:17:13.000000000 +0200 @@ -189,7 +189,7 @@ msg.msg_iovlen = iovlen; do { - ret = recvmsg(fd, &msg, 0); + ret = recvmsg(fd, &msg, MSG_CMSG_CLOEXEC); } while (ret < 0 && errno == EINTR); if (ret < 0 || ret == 0) return ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/attach.c new/lxc-4.0.2/src/lxc/attach.c --- old/lxc-4.0.1/src/lxc/attach.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/attach.c 2020-04-16 20:17:13.000000000 +0200 @@ -1018,6 +1018,8 @@ } } conf = init_ctx->container->lxc_conf; + if (!conf) + return log_error_errno(-EINVAL, EINVAL, "Missing container confifg"); if (!fetch_seccomp(init_ctx->container, options)) WARN("Failed to get seccomp policy"); 
@@ -1275,7 +1277,7 @@ TRACE("Sent LSM label file descriptor %d to child", labelfd); } - if (conf && conf->seccomp.seccomp) { + if (conf->seccomp.seccomp) { ret = lxc_seccomp_recv_notifier_fd(&conf->seccomp, ipc_sockets[0]); if (ret < 0) goto close_mainloop; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/cgroups/cgfsng.c new/lxc-4.0.2/src/lxc/cgroups/cgfsng.c --- old/lxc-4.0.1/src/lxc/cgroups/cgfsng.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/cgroups/cgfsng.c 2020-04-16 20:17:13.000000000 +0200 @@ -672,7 +672,7 @@ if (!dup) return NULL; - lxc_iterate_parts (tok, dup, sep) + lxc_iterate_parts(tok, dup, sep) must_append_controller(klist, nlist, &aret, tok); } *p2 = ' '; @@ -2605,6 +2605,9 @@ return ret_set_errno(-1, EINVAL); } + if (!mode) + return ret_errno(EINVAL); + if (device_cgroup_parse_access(device, mode) < 0) return -1; @@ -2709,6 +2712,9 @@ if (!ops->hierarchies) return ret_set_errno(false, EINVAL); + if (pure_unified_layout(ops)) + return log_warn_errno(true, EINVAL, "Ignoring legacy cgroup limits on pure cgroup2 system"); + sorted_cgroup_settings = sort_cgroup_settings(cgroup_settings); if (!sorted_cgroup_settings) return false; @@ -3009,7 +3015,7 @@ return; } - lxc_iterate_parts (token, buf, " \t\n") { + lxc_iterate_parts(token, buf, " \t\n") { /* * We always need to chown this for both cgroup and * cgroup2. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/cgroups/cgroup.c new/lxc-4.0.2/src/lxc/cgroups/cgroup.c --- old/lxc-4.0.1/src/lxc/cgroups/cgroup.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/cgroups/cgroup.c 2020-04-16 20:17:13.000000000 +0200 
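Review bot: The new error message on the added `!conf` check misspells "config" as `"Missing container confifg"`; since this string is what operators will search logs for, it should read `return log_error_errno(-EINVAL, EINVAL, "Missing container config");`. The later hunk dropping `conf &&` from the seccomp test is consistent with this early return. The enclosing function starts and ends outside both hunks.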
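Review bot: The new `pure_unified_layout(ops)` check returns `true` after only a WARN, so on a cgroup2-only host every configured legacy `lxc.cgroup.*` limit is dropped while the call still reports success; whether callers treat that return as "limits applied" is not visible in the hunk. If this is deliberate compatibility behaviour it deserves a comment at the return, e.g. `/* Legacy lxc.cgroup.* limits cannot be applied on a pure cgroup2 host; report success so old configs keep starting - the WARN is the only signal. */`; otherwise consider returning false so device or memory limits an administrator relies on are not silently skipped depending on host layout. The enclosing function continues outside the hunk.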
@@ -79,7 +79,7 @@ free((*it)->container_base_path); free((*it)->container_full_path); free((*it)->monitor_full_path); - if ((*it)->cgfd_mon >= 0) + if ((*it)->cgfd_con >= 0) close((*it)->cgfd_con); if ((*it)->cgfd_mon >= 0) close((*it)->cgfd_mon); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/cgroups/cgroup2_devices.c new/lxc-4.0.2/src/lxc/cgroups/cgroup2_devices.c --- old/lxc-4.0.1/src/lxc/cgroups/cgroup2_devices.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/cgroups/cgroup2_devices.c 2020-04-16 20:17:13.000000000 +0200 @@ -167,7 +167,7 @@ { __do_free struct bpf_program *prog = NULL; - prog = calloc(1, sizeof(struct bpf_program)); + prog = zalloc(sizeof(struct bpf_program)); if (!prog) return NULL; @@ -183,9 +183,6 @@ int bpf_program_init(struct bpf_program *prog) { - if (!prog) - return ret_set_errno(-1, EINVAL); - const struct bpf_insn pre_insn[] = { /* load device type to r2 */ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, offsetof(struct bpf_cgroup_dev_ctx, access_type)), @@ -202,19 +199,17 @@ BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1, offsetof(struct bpf_cgroup_dev_ctx, minor)), }; + if (!prog) + return ret_set_errno(-1, EINVAL); + return bpf_program_add_instructions(prog, pre_insn, ARRAY_SIZE(pre_insn)); } int bpf_program_append_device(struct bpf_program *prog, struct device_item *device) { - int ret; int jump_nr = 1; - struct bpf_insn bpf_access_decision[] = { - BPF_MOV64_IMM(BPF_REG_0, device->allow), - BPF_EXIT_INSN(), - }; - int access_mask; - int device_type; + int access_mask, device_type, ret; + struct bpf_insn bpf_access_decision[2]; if (!prog || !device) return ret_set_errno(-1, EINVAL); 
@@ -285,6 +280,8 @@ return log_error_errno(-1, errno, "Failed to add instructions to bpf cgroup program"); } + bpf_access_decision[0] = BPF_MOV64_IMM(BPF_REG_0, device->allow); + bpf_access_decision[1] = BPF_EXIT_INSN(); ret = bpf_program_add_instructions(prog, bpf_access_decision, ARRAY_SIZE(bpf_access_decision)); if (ret) @@ -295,10 +292,7 @@ int bpf_program_finalize(struct bpf_program *prog) { - struct bpf_insn ins[] = { - BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type), - BPF_EXIT_INSN(), - }; + struct bpf_insn ins[2]; if (!prog) return ret_set_errno(-1, EINVAL); @@ -307,6 +301,9 @@ prog->device_list_type == LXC_BPF_DEVICE_CGROUP_BLACKLIST ? "blacklist" : "whitelist"); + + ins[0] = BPF_MOV64_IMM(BPF_REG_0, prog->device_list_type); + ins[1] = BPF_EXIT_INSN(); return bpf_program_add_instructions(prog, ins, ARRAY_SIZE(ins)); } @@ -340,12 +337,12 @@ int bpf_program_cgroup_attach(struct bpf_program *prog, int type, const char *path, uint32_t flags) { - __do_free char *copy = NULL; __do_close int fd = -EBADF; + __do_free char *copy = NULL; union bpf_attr attr; int ret; - if (!prog) + if (!path || !prog) return ret_set_errno(-1, EINVAL); if (flags & ~(BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI)) @@ -395,8 +392,8 @@ int bpf_program_cgroup_detach(struct bpf_program *prog) { - int ret; __do_close int fd = -EBADF; + int ret; if (!prog) return 0; @@ -444,6 +441,9 @@ __do_free struct device_item *new_device = NULL; struct lxc_list *it; + if (!conf || !device) + return ret_errno(EINVAL); + lxc_list_for_each(it, &conf->devices) { struct device_item *cur = it->elem; @@ -502,12 +502,11 @@ bool bpf_devices_cgroup_supported(void) { + __do_bpf_program_free struct bpf_program *prog = NULL; const struct bpf_insn dummy[] = { BPF_MOV64_IMM(BPF_REG_0, 1), BPF_EXIT_INSN(), }; - - __do_bpf_program_free struct bpf_program *prog = NULL; int ret; if (geteuid() != 0) 
@@ -515,7 +514,7 @@ "The bpf device cgroup requires real root"); prog = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE); - if (prog < 0) + if (!prog) return log_trace(false, "Failed to allocate new bpf device cgroup program"); ret = bpf_program_add_instructions(prog, dummy, ARRAY_SIZE(dummy)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/cmd/lxc-update-config.in new/lxc-4.0.2/src/lxc/cmd/lxc-update-config.in --- old/lxc-4.0.1/src/lxc/cmd/lxc-update-config.in 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/cmd/lxc-update-config.in 2020-04-16 20:17:13.000000000 +0200 @@ -74,7 +74,7 @@ -e 's/\([[:blank:]*]\|#*\)\(lxc\.stopsignal\)\([[:blank:]*]\|=\)/\1lxc\.signal\.stop\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.syslog\)\([[:blank:]*]\|=\)/\1lxc\.log\.syslog\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.loglevel\)\([[:blank:]*]\|=\)/\1lxc\.log\.level\3/g' \ --e 's/\([[:blank:]*]\|#*\)\(lxc\.logfile\)\([[:blank:]*]\|=\)/1lxc\.log\.file\3/g' \ +-e 's/\([[:blank:]*]\|#*\)\(lxc\.logfile\)\([[:blank:]*]\|=\)/\1lxc\.log\.file\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_cmd\)\([[:blank:]*]\|=\)/\1lxc\.init\.cmd\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_uid\)\([[:blank:]*]\|=\)/\1lxc\.init\.uid\3/g' \ -e 's/\([[:blank:]*]\|#*\)\(lxc\.init_gid\)\([[:blank:]*]\|=\)/\1lxc\.init\.gid\3/g' \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/cmd/lxc_user_nic.c new/lxc-4.0.2/src/lxc/cmd/lxc_user_nic.c --- old/lxc-4.0.1/src/lxc/cmd/lxc_user_nic.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/cmd/lxc_user_nic.c 2020-04-16 20:17:13.000000000 +0200 
@@ -133,26 +133,14 @@ return strdup(pwent.pw_name); } -static void free_groupnames(char **groupnames) -{ - int i; - - if (!groupnames) - return; - - for (i = 0; groupnames[i]; i++) - free(groupnames[i]); - - free(groupnames); -} static char **get_groupnames(void) { __do_free char *buf = NULL; __do_free gid_t *group_ids = NULL; + __do_free_string_list char **groupnames = NULL; int ngroups; int ret, i; - char **groupnames; struct group grent; struct group *grentp = NULL; size_t bufsize; @@ -161,10 +149,11 @@ if (ngroups < 0) { CMD_SYSERROR("Failed to get number of groups the user belongs to\n"); return NULL; - } else if (ngroups == 0) { - return NULL; } + if (ngroups == 0) + return NULL; + group_ids = malloc(sizeof(gid_t) * ngroups); if (!group_ids) { CMD_SYSERROR("Failed to allocate memory while getting groups the user belongs to\n"); 
@@ -177,66 +166,53 @@ return NULL; } - groupnames = malloc(sizeof(char *) * (ngroups + 1)); + groupnames = zalloc(sizeof(char *) * (ngroups + 1)); if (!groupnames) { CMD_SYSERROR("Failed to allocate memory while getting group names\n"); return NULL; } - memset(groupnames, 0, sizeof(char *) * (ngroups + 1)); - bufsize = sysconf(_SC_GETGR_R_SIZE_MAX); if (bufsize == -1) bufsize = 1024; buf = malloc(bufsize); if (!buf) { - free_groupnames(groupnames); CMD_SYSERROR("Failed to allocate memory while getting group names\n"); return NULL; } for (i = 0; i < ngroups; i++) { while ((ret = getgrgid_r(group_ids[i], &grent, buf, bufsize, &grentp)) == ERANGE) { + char *new_buf; + bufsize <<= 1; if (bufsize > MAX_GRBUF_SIZE) { - usernic_error("Failed to get group members: %u\n", - group_ids[i]); - free(buf); - free(group_ids); - free_groupnames(groupnames); + usernic_error("Failed to get group members: %u\n", group_ids[i]); return NULL; } - char *new_buf = realloc(buf, bufsize); + + new_buf = realloc(buf, bufsize); if (!new_buf) { - usernic_error("Failed to allocate memory while getting group " - "names: %s\n", + usernic_error("Failed to allocate memory while getting group names: %s\n", strerror(errno)); - free(buf); - free(group_ids); - free_groupnames(groupnames); return NULL; } buf = new_buf; } - if (!grentp) { - if (ret == 0) - usernic_error("%s", "Could not find matched group record\n"); - CMD_SYSERROR("Failed to get group name: %u\n", group_ids[i]); - free_groupnames(groupnames); - return NULL; - } + /* If a group is not found, just ignore it. */ + if (!grentp) + continue; groupnames[i] = strdup(grent.gr_name); if (!groupnames[i]) { usernic_error("Failed to copy group name \"%s\"", grent.gr_name); - free_groupnames(groupnames); return NULL; } } - return groupnames; + return move_ptr(groupnames); } static bool name_is_in_groupnames(char *name, char **groupnames) 
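Review bot: The new `if (!grentp) continue;` in get_groupnames leaves `groupnames[i]` NULL for any gid without a group record, because entries are stored at index `i` in a zero-filled array that, judging by the `__do_free_string_list` cleanup, is treated as NULL-terminated; every group after such a hole is then invisible to `name_is_in_groupnames` and its strdup'd name is never freed. This matters in a setuid helper where the group list decides whether a user may create a NIC (the effect is a false denial for an allowed user, not a grant). Keep a separate write cursor: declare `int n = 0;` with the other locals and store with `groupnames[n] = strdup(grent.gr_name); if (!groupnames[n++]) {` so the list stays contiguous. The body of name_is_in_groupnames and the start of get_groupnames are outside this hunk.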
@@ -325,9 +301,9 @@ { __do_free char *line = NULL; __do_fclose FILE *fin = NULL; + __do_free_string_list char **groups = NULL; int n, ret; char name[100], type[100], br[100]; - char **groups; int count = 0; size_t len = 0; @@ -379,8 +355,6 @@ count += n; } - free_groupnames(groups); - /* Now return the total number of nics that this user can create. */ return count; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/commands_utils.c new/lxc-4.0.2/src/lxc/commands_utils.c --- old/lxc-4.0.1/src/lxc/commands_utils.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/commands_utils.c 2020-04-16 20:17:13.000000000 +0200 @@ -62,11 +62,14 @@ ret = lxc_cmd_add_state_client(name, lxcpath, states, &state_client_fd); if (ret < 0) - return -1; + return ret_errno(EINVAL); if (ret < MAX_STATE) return ret; + if (state_client_fd < 0) + return ret_errno(EBADF); + return lxc_cmd_sock_rcv_state(state_client_fd, timeout); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/conf.c new/lxc-4.0.2/src/lxc/conf.c --- old/lxc-4.0.1/src/lxc/conf.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/conf.c 2020-04-16 20:17:13.000000000 +0200 @@ -901,11 +901,13 @@ return 0; } +define_cleanup_function(struct lxc_tty_info *, lxc_delete_tty); + int lxc_allocate_ttys(struct lxc_conf *conf) { - __do_free struct lxc_terminal_info *tty_new = NULL; + struct lxc_terminal_info *tty_new = NULL; int ret; - struct lxc_tty_info *ttys = &conf->ttys; + call_cleaner(lxc_delete_tty) struct lxc_tty_info *ttys = &conf->ttys; /* no tty in the configuration */ if (ttys->max == 0) 
@@ -924,14 +926,12 @@ ret = openpty(&tty->master, &tty->slave, NULL, NULL, NULL); if (ret < 0) { ttys->max = i; - lxc_delete_tty(ttys); return log_error_errno(-ENOTTY, ENOTTY, "Failed to create tty %zu", i); } ret = ttyname_r(tty->slave, tty->name, sizeof(tty->name)); if (ret < 0) { ttys->max = i; - lxc_delete_tty(ttys); return log_error_errno(-ENOTTY, ENOTTY, "Failed to retrieve name of tty %zu slave", i); } @@ -953,7 +953,7 @@ } INFO("Finished creating %zu tty devices", ttys->max); - ttys->tty = move_ptr(tty_new); + move_ptr(ttys); return 0; } @@ -2679,19 +2679,10 @@ struct id_map *map; struct lxc_list *iterator; enum idtype type; - /* strlen("new@idmap") = 9 - * + - * strlen(" ") = 1 - * + - * INTTYPE_TO_STRLEN(uint32_t) - * + - * strlen(" ") = 1 - * - * We add some additional space to make sure that we really have - * LXC_IDMAPLEN bytes available for our the {g,u]id mapping. - */ int ret = 0, gidmap = 0, uidmap = 0; - char mapbuf[9 + 1 + INTTYPE_TO_STRLEN(uint32_t) + 1 + LXC_IDMAPLEN] = {0}; + char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") + + INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") + + LXC_IDMAPLEN] = {0}; bool had_entry = false, use_shadow = false; int hostuid, hostgid; @@ -3488,7 +3479,7 @@ { struct lxc_list *it, *next; - lxc_list_for_each_safe (it, id_map, next) { + lxc_list_for_each_safe(it, id_map, next) { lxc_list_del(it); free(it->elem); free(it); 
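Review bot: `tty_new` lost its `__do_free` in the earlier hunk (@@ -901) and the success path now does `move_ptr(ttys)` instead of `ttys->tty = move_ptr(tty_new)`, so the allocation is only released if `ttys->tty` is assigned from `tty_new` before the loop and `lxc_delete_tty` frees `ttys->tty`; neither is visible here. If that assignment is missing, both error returns in this hunk (`ttys->max = i;` then return) leak `tty_new` while the `call_cleaner(lxc_delete_tty)` runs on a struct that does not own it. Once the ownership is confirmed, a one-line comment at the `tty_new` declaration such as `/* owned by conf->ttys once assigned; released by the ttys cleanup on error */` would make the handover explicit. lxc_allocate_ttys continues outside both hunks.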
@@ -3924,18 +3915,19 @@ /* Reuse existing mapping. */ tmp = find_mapped_hostid_entry(conf, id, type); - if (tmp) - return memcpy(entry, tmp, sizeof(*entry)); - - /* Find new mapping. */ - hostid_mapped = find_unmapped_nsid(conf, type); - if (hostid_mapped < 0) - return log_debug(NULL, "Failed to find free mapping for id %d", id); - - entry->idtype = type; - entry->nsid = hostid_mapped; - entry->hostid = (unsigned long)id; - entry->range = 1; + if (tmp) { + memcpy(entry, tmp, sizeof(*entry)); + } else { + /* Find new mapping. */ + hostid_mapped = find_unmapped_nsid(conf, type); + if (hostid_mapped < 0) + return log_debug(NULL, "Failed to find free mapping for id %d", id); + + entry->idtype = type; + entry->nsid = hostid_mapped; + entry->hostid = (unsigned long)id; + entry->range = 1; + } return move_ptr(entry); } @@ -3959,7 +3951,7 @@ euid = geteuid(); if (euid >= container_root_uid->hostid && euid < (container_root_uid->hostid + container_root_uid->range)) - host_uid_map = container_root_uid; + host_uid_map = move_ptr(container_root_uid); container_root_gid = mapped_nsid_add(conf, nsgid, ID_TYPE_GID); if (!container_root_gid) @@ -3967,7 +3959,7 @@ egid = getegid(); if (egid >= container_root_gid->hostid && egid < (container_root_gid->hostid + container_root_gid->range)) - host_gid_map = container_root_gid; + host_gid_map = move_ptr(container_root_gid); /* Check whether the {g,u}id of the user has a mapping. */ if (!host_uid_map) 
@@ -3990,45 +3982,35 @@ tmplist = malloc(sizeof(*tmplist)); if (!tmplist) return NULL; - lxc_list_add_elem(tmplist, container_root_uid); + /* idmap will now keep track of that memory. */ + lxc_list_add_elem(tmplist, move_ptr(host_uid_map)); lxc_list_add_tail(idmap, tmplist); - if (host_uid_map && (host_uid_map != container_root_uid)) { - /* idmap will now keep track of that memory. */ - move_ptr(container_root_uid); - + if (container_root_uid) { /* Add container root to the map. */ tmplist = malloc(sizeof(*tmplist)); if (!tmplist) return NULL; - lxc_list_add_elem(tmplist, host_uid_map); + /* idmap will now keep track of that memory. */ + lxc_list_add_elem(tmplist, move_ptr(container_root_uid)); lxc_list_add_tail(idmap, tmplist); } - /* idmap will now keep track of that memory. */ - move_ptr(container_root_uid); - /* idmap will now keep track of that memory. */ - move_ptr(host_uid_map); tmplist = malloc(sizeof(*tmplist)); if (!tmplist) return NULL; - lxc_list_add_elem(tmplist, container_root_gid); + /* idmap will now keep track of that memory. */ + lxc_list_add_elem(tmplist, move_ptr(host_gid_map)); lxc_list_add_tail(idmap, tmplist); - if (host_gid_map && (host_gid_map != container_root_gid)) { - /* idmap will now keep track of that memory. */ - move_ptr(container_root_gid); - + if (container_root_gid) { tmplist = malloc(sizeof(*tmplist)); if (!tmplist) return NULL; - lxc_list_add_elem(tmplist, host_gid_map); + /* idmap will now keep track of that memory. */ + lxc_list_add_elem(tmplist, move_ptr(container_root_gid)); lxc_list_add_tail(idmap, tmplist); } - /* idmap will now keep track of that memory. */ - move_ptr(container_root_gid); - /* idmap will now keep track of that memory. */ - move_ptr(host_gid_map); TRACE("Allocated minimal idmapping for ns uid %d and ns gid %d", nsuid, nsgid); 
@@ -4057,9 +4039,13 @@ call_cleaner(lxc_free_idmap) struct lxc_list *idmap = NULL; int ret = -1, status = -1; char c = '1'; + struct userns_fn_data d = { + .arg = data, + .fn = fn, + .fn_name = fn_name, + }; pid_t pid; int pipe_fds[2]; - struct userns_fn_data d; if (!conf) return -EINVAL; @@ -4072,9 +4058,6 @@ if (ret < 0) return -errno; - d.fn = fn; - d.fn_name = fn_name; - d.arg = data; d.p[0] = pipe_fds[0]; d.p[1] = pipe_fds[1]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/criu.c new/lxc-4.0.2/src/lxc/criu.c --- old/lxc-4.0.1/src/lxc/criu.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/criu.c 2020-04-16 20:17:13.000000000 +0200 @@ -1011,7 +1011,7 @@ } if (mount(rootfs->path, rootfs->mount, NULL, MS_BIND, NULL) < 0) { - rmdir(rootfs->mount); + (void)rmdir(rootfs->mount); goto out_fini_handler; } } @@ -1046,7 +1046,7 @@ /* exec_criu() returning is an error */ exec_criu(cgroup_ops, c->lxc_conf, &os); umount(rootfs->mount); - rmdir(rootfs->mount); + (void)rmdir(rootfs->mount); goto out_fini_handler; } else { char title[2048]; @@ -1323,7 +1323,7 @@ fail: close(criuout[0]); close(criuout[1]); - rmdir(opts->directory); + (void)rmdir(opts->directory); free(criu_version); return false; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/log.c new/lxc-4.0.2/src/lxc/log.c --- old/lxc-4.0.1/src/lxc/log.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/log.c 2020-04-16 20:17:13.000000000 +0200 
@@ -485,10 +485,9 @@ *p = '\0'; ret = lxc_unpriv(mkdir(n, 0755)); + *p = '/'; if (ret && errno != EEXIST) return log_error_errno(-errno, errno, "Failed to create directory \"%s\"", n); - - *p = '/'; } return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/log.h new/lxc-4.0.2/src/lxc/log.h --- old/lxc-4.0.1/src/lxc/log.h 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/log.h 2020-04-16 20:17:13.000000000 +0200 @@ -3,6 +3,9 @@ #ifndef __LXC_LOG_H #define __LXC_LOG_H +#ifndef _GNU_SOURCE +#define _GNU_SOURCE 1 +#endif #include <errno.h> #include <stdarg.h> #include <stdio.h> @@ -14,6 +17,7 @@ #include <time.h> #include "conf.h" +#include "config.h" #ifndef O_CLOEXEC #define O_CLOEXEC 02000000 @@ -388,7 +392,7 @@ LXC_FATAL(&locinfo, format, ##__VA_ARGS__); \ } while (0) -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSTRACE(format, ...) \ TRACE("%m - " format, ##__VA_ARGS__) #else @@ -399,7 +403,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSDEBUG(format, ...) \ DEBUG("%m - " format, ##__VA_ARGS__) #else @@ -411,7 +415,7 @@ #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSINFO(format, ...) \ INFO("%m - " format, ##__VA_ARGS__) #else @@ -422,7 +426,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSNOTICE(format, ...) \ NOTICE("%m - " format, ##__VA_ARGS__) #else @@ -433,7 +437,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSWARN(format, ...) \ WARN("%m - " format, ##__VA_ARGS__) #else @@ -444,7 +448,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define SYSERROR(format, ...) \ ERROR("%m - " format, ##__VA_ARGS__) #else 
@@ -455,7 +459,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define CMD_SYSERROR(format, ...) \ fprintf(stderr, "%s: %d: %s - %m - " format "\n", __FILE__, __LINE__, \ __func__, ##__VA_ARGS__); @@ -468,7 +472,7 @@ } while (0) #endif -#if HAVE_M_FORMAT +#if HAVE_M_FORMAT && !ENABLE_COVERITY_BUILD #define CMD_SYSINFO(format, ...) \ printf("%s: %d: %s - %m - " format "\n", __FILE__, __LINE__, __func__, \ ##__VA_ARGS__); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/memory_utils.h new/lxc-4.0.2/src/lxc/memory_utils.h --- old/lxc-4.0.1/src/lxc/memory_utils.h 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/memory_utils.h 2020-04-16 20:17:13.000000000 +0200 @@ -41,10 +41,10 @@ define_cleanup_function(DIR *, closedir); #define __do_closedir call_cleaner(closedir) -#define free_disarm(ptr) \ - ({ \ - free(ptr); \ - move_ptr(ptr); \ +#define free_disarm(ptr) \ + ({ \ + free(ptr); \ + ptr = NULL; \ }) static inline void free_disarm_function(void *ptr) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/network.c new/lxc-4.0.2/src/lxc/network.c --- old/lxc-4.0.1/src/lxc/network.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/network.c 2020-04-16 20:17:13.000000000 +0200 
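Review bot: `free_disarm()` evaluates its argument twice, once in `free(ptr)` and again in `ptr = NULL`, so an argument with side effects such as `free_disarm(list[i++])` would free one element and null a different one; the previous `move_ptr(ptr)` form had the same shape, but the rewrite is the moment to record the contract. A comment above the macro, `/* ptr must be a plain lvalue with no side effects: it is evaluated twice. */`, is enough. If the header already has a single-evaluation statement-expression pattern (copy `ptr` into a local, free the local, then assign), reusing it here would remove the hazard instead of documenting it. The remainder of the header, including `free_disarm_function()`, is outside the hunk.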
@@ -582,24 +582,21 @@ if (nla_put_string(nlmsg, IFLA_INFO_KIND, "ipvlan")) return ret_errno(EPROTO); - if (mode) { - nest2 = nla_begin_nested(nlmsg, IFLA_INFO_DATA); - if (!nest2) - return ret_errno(EPROTO); - - if (nla_put_u32(nlmsg, IFLA_IPVLAN_MODE, mode)) - return ret_errno(EPROTO); + nest2 = nla_begin_nested(nlmsg, IFLA_INFO_DATA); + if (!nest2) + return ret_errno(EPROTO); - /* if_link.h does not define the isolation flag value for bridge mode so we define it as 0 - * and only send mode if mode >0 as default mode is bridge anyway according to ipvlan docs. - */ - if (isolation > 0 && - nla_put_u16(nlmsg, IFLA_IPVLAN_ISOLATION, isolation)) - return ret_errno(EPROTO); + if (nla_put_u32(nlmsg, IFLA_IPVLAN_MODE, mode)) + return ret_errno(EPROTO); - nla_end_nested(nlmsg, nest2); - } + /* if_link.h does not define the isolation flag value for bridge mode (unlike IPVLAN_F_PRIVATE and + * IPVLAN_F_VEPA) so we define it as 0 and only send mode if mode >0 as default mode is bridge anyway + * according to ipvlan docs. + */ + if (isolation > 0 && nla_put_u16(nlmsg, IFLA_IPVLAN_ISOLATION, isolation)) + return ret_errno(EPROTO); + nla_end_nested(nlmsg, nest2); nla_end_nested(nlmsg, nest); if (nla_put_u32(nlmsg, IFLA_LINK, index)) @@ -2847,6 +2844,9 @@ netdev->ifindex, netdev->link); ret = netdev_deconf[netdev->type](handler, netdev); + if (ret < 0) + WARN("Failed to deconfigure interface with index %d and initial name \"%s\"", + netdev->ifindex, netdev->link); goto clear_ifindices; } 
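Review bot: The rewritten comment above the `isolation > 0` check still says the code will "only send mode if mode >0", but the new code sends `IFLA_IPVLAN_MODE` unconditionally through `nla_put_u32(nlmsg, IFLA_IPVLAN_MODE, mode)`; what is now conditional is the isolation attribute, so the comment contradicts the code it sits above. Rewording it as `/* if_link.h defines no isolation value for bridge mode (unlike IPVLAN_F_PRIVATE and IPVLAN_F_VEPA), so 0 stands for bridge and IFLA_IPVLAN_ISOLATION is only sent when isolation > 0. */` matches the new behaviour. Because a mode of 0 is now always transmitted rather than left to the kernel default, it is worth stating in the same comment that 0 is the L2 mode in the uapi header (it is, as far as I know), since the old code never sent it. The enclosing function starts and ends outside the hunk.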
@@ -3229,6 +3229,9 @@ } ret = netdev_deconf[netdev->type](handler, netdev); + if (ret < 0) + WARN("Failed to deconfigure interface with index %d and initial name \"%s\"", + netdev->ifindex, netdev->link); goto clear_ifindices; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/rexec.c new/lxc-4.0.2/src/lxc/rexec.c --- old/lxc-4.0.1/src/lxc/rexec.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/rexec.c 2020-04-16 20:17:13.000000000 +0200 @@ -88,7 +88,7 @@ static void lxc_rexec_as_memfd(char **argv, char **envp, const char *memfd_name) { __do_close int execfd = -EBADF, fd = -EBADF, memfd = -EBADF, - tmpfd = -EBADF; + tmpfd = -EBADF; int ret; ssize_t bytes_sent = 0; struct stat st = {0}; @@ -143,7 +143,7 @@ if (fcntl(memfd, F_ADD_SEALS, LXC_MEMFD_REXEC_SEALS)) return; - execfd = memfd; + execfd = move_fd(memfd); } else { char procfd[LXC_PROC_PID_FD_LEN]; @@ -169,13 +169,12 @@ int lxc_rexec(const char *memfd_name) { + __do_free_string_list char **argv = NULL; int ret; - char **argv = NULL; ret = is_memfd(); if (ret < 0 && ret == -ENOTRECOVERABLE) { - fprintf(stderr, - "%s - Failed to determine whether this is a memfd\n", + fprintf(stderr, "%s - Failed to determine whether this is a memfd\n", strerror(errno)); return -1; } else if (ret > 0) { @@ -184,8 +183,7 @@ ret = parse_argv(&argv); if (ret < 0) { - fprintf(stderr, - "%s - Failed to parse command line parameters\n", + fprintf(stderr, "%s - Failed to parse command line parameters\n", strerror(errno)); return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/seccomp.c new/lxc-4.0.2/src/lxc/seccomp.c --- old/lxc-4.0.1/src/lxc/seccomp.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/seccomp.c 2020-04-16 20:17:13.000000000 +0200 
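Review bot: In the `ret == -ENOTRECOVERABLE` branch of `lxc_rexec()` the reflowed `fprintf` prints `strerror(errno)`, but the error is carried in `ret`, not in `errno`; unless `is_memfd()` also sets errno, the text describes whatever the last failing libc call left behind. `strerror(-ret)` reports the condition the branch actually tested, and the same applies to the `parse_argv()` failure message if that helper returns negative errno values (its contract is not visible here). The `ret < 0 &&` half of the condition is redundant with the equality test and can go. `lxc_rexec()` continues past the hunk.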
@@ -1354,6 +1354,7 @@ char *cookie = conf->seccomp.notifier.cookie; uint64_t req_id; + memset(req, 0, sizeof(*req)); ret = seccomp_notify_receive(fd, req); if (ret) { SYSERROR("Failed to read seccomp notification"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/start.c new/lxc-4.0.2/src/lxc/start.c --- old/lxc-4.0.1/src/lxc/start.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/start.c 2020-04-16 20:17:13.000000000 +0200 @@ -1039,14 +1039,13 @@ struct lxc_handler *handler = data; __lxc_unused __do_close int data_sock0 = handler->data_sock[0], data_sock1 = handler->data_sock[1]; - __do_close int status_fd = -EBADF; + __do_close int devnull_fd = -EBADF, status_fd = -EBADF; int ret; uid_t new_uid; gid_t new_gid; struct lxc_list *iterator; uid_t nsuid = 0; gid_t nsgid = 0; - int devnull_fd = -1; lxc_sync_fini_parent(handler); @@ -1401,20 +1400,20 @@ } } - /* After this call, we are in error because this ops should not return + /* + * After this call, we are in error because this ops should not return * as it execs. */ handler->ops->start(handler, handler->data); out_warn_father: - /* We want the parent to know something went wrong, so we return a + /* + * We want the parent to know something went wrong, so we return a * special error code. */ lxc_sync_wake_parent(handler, LXC_SYNC_ERROR); out_error: - close_prot_errno_disarm(devnull_fd); - return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/storage/zfs.c new/lxc-4.0.2/src/lxc/storage/zfs.c --- old/lxc-4.0.1/src/lxc/storage/zfs.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/storage/zfs.c 2020-04-16 20:17:13.000000000 +0200 @@ -159,8 +159,8 @@ int zfs_mount(struct lxc_storage *bdev) { + __do_free char *mntdata = NULL; unsigned long mntflags = 0; - char *mntdata = NULL; int ret; size_t oldlen, newlen, totallen; char *tmp; 
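Review bot: The new `memset(req, 0, sizeof(*req))` has no comment saying why it is required, which invites someone to remove it as redundant: recent kernels reject a `SECCOMP_IOCTL_NOTIF_RECV` whose buffer is not zeroed with `EINVAL` (documented in seccomp_unotify(2)), and if `req` is reused across iterations of the notify loop, as it presumably is here, the second notification would fail without it. A comment such as `/* The kernel requires a zeroed struct seccomp_notif before NOTIF_RECV (EINVAL otherwise); req is reused between notifications. */` pins that down. If the response buffer is reused the same way, it deserves the same treatment before `seccomp_notify_respond()`; that code and the start of the enclosing function are outside the hunk.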
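Review bot: The `__do_close` cleanup now attached to `devnull_fd` only runs when the enclosing function returns, and on the success path `handler->ops->start(handler, handler->data)` execs and never returns, so the descriptor survives into the container's init unless it was opened with `O_CLOEXEC` or closed before the exec. The `open()` is outside the hunk, so I cannot confirm that; a comment at the declaration, `/* released by cleanup on the error paths; must be O_CLOEXEC so it does not leak across the exec in ops->start(). */`, records the assumption. This is not a regression — the removed `close_prot_errno_disarm(devnull_fd)` also ran only on `out_error` — but it is now the only place where the lifetime is implied. The enclosing function starts and ends outside the hunk.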
@@ -176,7 +176,6 @@ ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata); if (ret < 0) { ERROR("Failed to parse mount options"); - free(mntdata); return -22; } @@ -221,7 +220,6 @@ tmp = realloc(mntdata, totallen); if (!tmp) { ERROR("Failed to reallocate memory"); - free(mntdata); return -1; } mntdata = tmp; @@ -229,12 +227,10 @@ ret = snprintf((mntdata + oldlen), newlen, ",zfsutil,mntpoint=%s", src); if (ret < 0 || (size_t)ret >= newlen) { ERROR("Failed to create string"); - free(mntdata); return -1; } ret = mount(src, bdev->dest, "zfs", mntflags, mntdata); - free(mntdata); if (ret < 0 && errno != EBUSY) { SYSERROR("Failed to mount \"%s\" on \"%s\"", src, bdev->dest); return -1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/syscall_numbers.h new/lxc-4.0.2/src/lxc/syscall_numbers.h --- old/lxc-4.0.1/src/lxc/syscall_numbers.h 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/syscall_numbers.h 2020-04-16 20:17:13.000000000 +0200 @@ -35,6 +35,8 @@ #define __NR_keyctl 280 #elif defined __powerpc__ #define __NR_keyctl 271 + #elif defined __riscv + #define __NR_keyctl 219 #elif defined __sparc__ #define __NR_keyctl 283 #elif defined __ia64__ @@ -68,6 +70,8 @@ #define __NR_memfd_create 350 #elif defined __powerpc__ #define __NR_memfd_create 360 + #elif defined __riscv + #define __NR_memfd_create 279 #elif defined __sparc__ #define __NR_memfd_create 348 #elif defined __blackfin__ @@ -103,6 +107,8 @@ #define __NR_pivot_root 217 #elif defined __powerpc__ #define __NR_pivot_root 203 + #elif defined __riscv + #define __NR_pivot_root 41 #elif defined __sparc__ #define __NR_pivot_root 146 #elif defined __ia64__ @@ -136,6 +142,8 @@ #define __NR_setns 339 #elif defined __powerpc__ #define __NR_setns 350 + #elif defined __riscv + #define __NR_setns 268 #elif defined __sparc__ #define __NR_setns 337 #elif defined __ia64__ 
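Review bot: The `return -22;` left on the `parse_mntopts()` failure path is `-EINVAL` written by hand; `return -EINVAL;` (or `ret_errno(EINVAL)`, the form network.c uses in this same release) says what it means and cannot silently diverge from the errno table. The `__do_free` conversion itself is sound: on `realloc()` failure `mntdata` still points at the old buffer, which the cleanup releases, and after `mntdata = tmp;` the single owner is preserved. The options string handed to `mount()` is assembled from `bdev->mntopts` and `src`, so a one-line comment on the `snprintf` recording where those values originate (container configuration, presumably, rather than anything the container controls) would help a security reviewer. `zfs_mount()` starts and ends outside these hunks.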
@@ -169,6 +177,8 @@ #define __NR_sethostname 74 #elif defined __powerpc__ #define __NR_sethostname 74 + #elif defined __riscv + #define __NR_sethostname 161 #elif defined __sparc__ #define __NR_sethostname 88 #elif defined __ia64__ @@ -202,6 +212,8 @@ #define __NR_signalfd 316 #elif defined __powerpc__ #define __NR_signalfd 305 + #elif defined __riscv + #define __NR_signalfd 74 #elif defined __sparc__ #define __NR_signalfd 311 #elif defined __ia64__ @@ -235,6 +247,8 @@ #define __NR_signalfd4 322 #elif defined __powerpc__ #define __NR_signalfd4 313 + #elif defined __riscv + #define __NR_signalfd4 74 #elif defined __sparc__ #define __NR_signalfd4 317 #elif defined __ia64__ @@ -268,6 +282,8 @@ #define __NR_unshare 303 #elif defined __powerpc__ #define __NR_unshare 282 + #elif defined __riscv + #define __NR_unshare 97 #elif defined __sparc__ #define __NR_unshare 299 #elif defined __ia64__ @@ -301,6 +317,8 @@ #define __NR_bpf 351 #elif defined __powerpc__ #define __NR_bpf 361 + #elif defined __riscv + #define __NR_bpf 280 #elif defined __sparc__ #define __NR_bpf 349 #elif defined __ia64__ @@ -334,6 +352,8 @@ #define __NR_faccessat 300 #elif defined __powerpc__ #define __NR_faccessat 298 + #elif defined __riscv + #define __NR_faccessat 48 #elif defined __sparc__ #define __NR_faccessat 296 #elif defined __ia64__ @@ -385,6 +405,8 @@ #define __NR_seccomp 348 #elif defined __powerpc__ #define __NR_seccomp 358 + #elif defined __riscv + #define __NR_seccomp 277 #elif defined __sparc__ #define __NR_seccomp 346 #elif defined __ia64__ @@ -418,6 +440,8 @@ #define __NR_gettid 236 #elif defined __powerpc__ #define __NR_gettid 207 + #elif defined __riscv + #define __NR_gettid 178 #elif defined __sparc__ #define __NR_gettid 143 #elif defined __ia64__ 
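Review bot: The riscv fallbacks define both `__NR_signalfd` and `__NR_signalfd4` as 74, but riscv uses the asm-generic syscall table, which has only `signalfd4` (74) and no `signalfd` at all; a caller that uses `__NR_signalfd` with three arguments would therefore issue `signalfd4` with an uninitialised `flags` register, which the kernel may reject with EINVAL or, worse, accept with stray flags set. The riscv `__NR_signalfd` line should be dropped so the architecture takes whatever path the file provides for targets without the legacy call, or the call site should be confirmed to always go through `__NR_signalfd4`. The other riscv numbers added here (`unshare 97`, `setns 268`, `seccomp 277`, `memfd_create 279`, `bpf 280`, `execveat 281`, `keyctl 219`, `pivot_root 41`, `sethostname 161`, `faccessat 48`, `gettid 178`) agree with the asm-generic table, so only the signalfd alias looks wrong. The surrounding `#ifndef` conditionals that select these fallbacks are outside the hunks.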
@@ -455,6 +479,8 @@ #define __NR_execveat 354 #elif defined __powerpc__ #define __NR_execveat 362 + #elif defined __riscv + #define __NR_execveat 281 #elif defined __sparc__ #define __NR_execveat 350 #elif defined __ia64__ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/uuid.c new/lxc-4.0.2/src/lxc/uuid.c --- old/lxc-4.0.1/src/lxc/uuid.c 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/uuid.c 2020-04-16 20:17:13.000000000 +0200 @@ -116,7 +116,7 @@ int lxc_id128_write(const char *p, lxc_id128_t id) { - int fd = -1; + __do_close int fd = -EBADF; fd = open(p, O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_TRUNC, 0444); if (fd < 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/lxc/version.h new/lxc-4.0.2/src/lxc/version.h --- old/lxc-4.0.1/src/lxc/version.h 2020-04-06 21:15:47.000000000 +0200 +++ new/lxc-4.0.2/src/lxc/version.h 2020-04-16 20:17:37.000000000 +0200 @@ -6,8 +6,8 @@ #define LXC_DEVEL 0 #define LXC_VERSION_MAJOR 4 #define LXC_VERSION_MINOR 0 -#define LXC_VERSION_MICRO 1 +#define LXC_VERSION_MICRO 2 #define LXC_VERSION_ABI "1.7.0" -#define LXC_VERSION "4.0.1" +#define LXC_VERSION "4.0.2" #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/src/tests/lxc-test-no-new-privs new/lxc-4.0.2/src/tests/lxc-test-no-new-privs --- old/lxc-4.0.1/src/tests/lxc-test-no-new-privs 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/src/tests/lxc-test-no-new-privs 2020-04-16 20:17:13.000000000 +0200 
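Review bot: Any explicit `close(fd)` still present in the body of `lxc_id128_write()` — the part after this hunk — now becomes a double close, because the `__do_close int fd = -EBADF` declaration closes the descriptor automatically on every return; a `return close(fd);`-style error report at the tail would also need to change, so that tail deserves a look. The `open()` flags (`O_WRONLY|O_CREAT|O_CLOEXEC|O_NOCTTY|O_TRUNC`) do not include `O_NOFOLLOW`, so if `p` can ever point into a directory writable by untrusted users a planted symlink would be followed and its target truncated; a comment stating that `p` is a trusted, LXC-owned path documents the assumption this relies on.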
@@ -36,11 +36,13 @@ trap cleanup EXIT SIGHUP SIGINT SIGTERM -mkdir -p /etc/lxc/ -cat > /etc/lxc/default.conf << EOF +if [ ! -d /etc/lxc ]; then + mkdir -p /etc/lxc/ + cat > /etc/lxc/default.conf << EOF lxc.net.0.type = veth lxc.net.0.link = lxcbr0 EOF +fi ARCH=i386 if type dpkg >/dev/null 2>&1; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/lxc-4.0.1/templates/lxc-oci.in new/lxc-4.0.2/templates/lxc-oci.in --- old/lxc-4.0.1/templates/lxc-oci.in 2020-04-06 21:15:17.000000000 +0200 +++ new/lxc-4.0.2/templates/lxc-oci.in 2020-04-16 20:17:13.000000000 +0200 @@ -348,8 +348,7 @@ # shellcheck disable=SC2039 # shellcheck disable=SC2068 umoci --log=error unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp" -rmdir "${LXC_ROOTFS}" -mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}" +find "${LXC_ROOTFS}.tmp/rootfs" -mindepth 1 -maxdepth 1 -exec mv '{}' "${LXC_ROOTFS}/" \; OCI_CONF_FILE=$(getconfigpath "${DOWNLOAD_TEMP}" latest) LXC_CONF_FILE="${LXC_PATH}/config"
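Review bot: The new guard tests for the directory rather than the file, so a host where `/etc/lxc` exists but `/etc/lxc/default.conf` is missing (or carries no `lxc.net.0` entries) now runs the test without the veth/lxcbr0 configuration it depends on; `if [ ! -f /etc/lxc/default.conf ]; then` is the condition that matches what the block actually provides. The `cleanup` function installed by the `trap` above the hunk is not visible here; make sure it removes `/etc/lxc` only when this branch created it, for example by setting `created_default_conf=1` inside the `if` and checking it in `cleanup`, otherwise a pre-existing system configuration would be deleted at exit. The `EOF` terminator must stay at column 0 as it is now, since `<< EOF` does not strip leading whitespace.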
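Review bot: `find … -exec mv '{}' "${LXC_ROOTFS}/" \;` runs one `mv` per entry, and with the `\;` form a failing `mv` only makes the predicate false — `find` still exits 0 — so if the template runs under `set -e` (as the other lxc templates do) a partially populated rootfs, for instance when `${LXC_ROOTFS}` already holds a non-empty directory of the same name, goes unnoticed and the container is created anyway. The `+` form, `find "${LXC_ROOTFS}.tmp/rootfs" -mindepth 1 -maxdepth 1 -exec mv -t "${LXC_ROOTFS}/" -- '{}' +`, moves everything in one invocation and makes `find` return non-zero when `mv` fails, which `set -e` then honours; `-t` and `--` are GNU coreutils features this Linux-only template already depends on. A comment explaining why `rmdir`/`mv` was replaced — presumably `${LXC_ROOTFS}` may be a pre-created directory or mount point that cannot be removed — would help the next reader, and `${LXC_ROOTFS}.tmp` should be removed afterwards; that code is outside the hunk.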
