LXC is being very clever and sometimes maps the caller's uid into the
child userns. This means that the caller can technically write fscaps
that are valid in the ancestor userns (which can be a security issue in
some scenarios) so newer kernels require CAP_SETFCAP to do this. Until
newuidmap/newgidmap are updated to account for this simply write the
mapping directly in this case.
Cc: stable-4.0
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Introduce LXC_ATTACH_DETECT_PERSONALITY to make it explicit what is
happening instead of using -1.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
In a moment of idioticity I switch -1 with 0xffffffff in the header
definition but we use -1 to autodetect.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Fix architecture parsing. So far we couldn't really differ between "want
default architecture" and "failed to parse requested architecture"
because the -1 return value means both. Fix this by using the return
value only to indicate success or failure and return the parsed
personality in a return argument.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Use the dedicated LXC_ARCH_UNCHANGED macro everywhere instead of relying
on -1 being correct.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Now that we have the infra to make personality handling unconitional
remove the ifndefs everywhere.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
There's no need to making personality handling conditional as it has
been around for such a long time that only weird systems wouldn't have
support for it. And especially if the user requested a specific
personality to be set but the system doesn't support the personality
syscall we should loudly fail instead of moving on.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
We don't build any packages there so it seems we don't need
those packages any more. Apart from that, it should make the
script work on Ubuntu Hirsute where dh-systemd was merged into
debhelper and is no longer available.
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
When we attach to an old server the server can return ENOSYS instead of
ENOCGROUP2 which causes LXC to abort the attach unnecessary. Fix this!
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
With lto=thin the fuzzers fail as soon as they start with
```
ERROR: The size of coverage PC tables does not match the
number of instrumented PCs. This might be a compiler bug,
please contact the libFuzzer developers.
Also check https://bugs.llvm.org/show_bug.cgi?id=34636
for possible workarounds (tl;dr: don't use the old GNU ld)
```
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
Setting up a detached idmapped mount is a privileged operation, mounting
it doesn't have to be.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
