lxc: pull in important patches

These are important enough that the LXD team picks them into their snap

Closes #16918

srcpkgs/lxc/patches/3dd7829433f63b2ec1323a1f237efa7d67ea6e2b.patch

@@ -0,0 +1,91 @@
+From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Fri, 26 Jul 2019 08:20:02 +0200
+Subject: [PATCH] network: restore ability to move nl80211 devices
+
+Closes #3105.
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/network.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git src/lxc/network.c src/lxc/network.c
+index 9755116ba1..7684f95918 100644
+--- src/lxc/network.c
++++ src/lxc/network.c
+@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
+ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
+ 				const char *newname)
+ {
+-	char *cmd;
++	__do_free char *cmd = NULL;
+ 	pid_t fpid;
+-	int err = -1;
+ 
+ 	/* Move phyN into the container.  TODO - do this using netlink.
+ 	 * However, IIUC this involves a bit more complicated work to talk to
+ 	 * the 80211 module, so for now just call out to iw.
+ 	 */
+ 	cmd = on_path("iw", NULL);
+-	if (!cmd)
+-		goto out1;
+-	free(cmd);
++	if (!cmd) {
++		return -1;
++	}
+ 
+ 	fpid = fork();
+ 	if (fpid < 0)
+-		goto out1;
++		return -1;
+ 
+ 	if (fpid == 0) {
+ 		char pidstr[30];
+@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
+ 	}
+ 
+ 	if (wait_for_pid(fpid))
+-		goto out1;
++		return -1;
+ 
+-	err = 0;
+ 	if (newname)
+-		err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
++		return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
+ 
+-out1:
+-	free(physname);
+-	return err;
++	return 0;
+ }
+ 
+ int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
+ {
++	__do_free char *physname = NULL;
+ 	int index;
+-	char *physname;
+ 
+ 	if (!ifname)
+ 		return -EINVAL;
+@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
+ 		return 0;
+ 
+ 	lxc_list_for_each(iterator, network) {
++		__do_free char *physname = NULL;
+ 		int ret;
+ 		struct lxc_netdev *netdev = iterator->elem;
+ 
+ 		if (!netdev->ifindex)
+ 			continue;
+ 
+-		ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
++		if (netdev->type == LXC_NET_PHYS)
++			physname = is_wlan(netdev->link);
++
++		if (physname)
++			ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
++		else
++			ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
+ 		if (ret) {
+ 			errno = -ret;
+ 			SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",

srcpkgs/lxc/patches/6453ba565ed7e3be9b3c9fa74ac07cf8e06b9afc.patch

@@ -0,0 +1,42 @@
+From 6453ba565ed7e3be9b3c9fa74ac07cf8e06b9afc Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Tue, 23 Jul 2019 16:41:46 +0200
+Subject: [PATCH] tree-wide: initialize all auto-cleanup variables
+
+Closes: #3101.
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfsng.c | 2 +-
+ src/lxc/confile.c        | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git src/lxc/cgroups/cgfsng.c src/lxc/cgroups/cgfsng.c
+index 87e12d2ddd..7b8fe6736f 100644
+--- src/lxc/cgroups/cgfsng.c
++++ src/lxc/cgroups/cgfsng.c
+@@ -1260,7 +1260,7 @@ static int mkdir_eexist_on_last(const char *dir, mode_t mode)
+ 
+ 	orig_len = strlen(dir);
+ 	do {
+-		__do_free char *makeme;
++		__do_free char *makeme = NULL;
+ 		int ret;
+ 		size_t cur_len;
+ 
+diff --git src/lxc/confile.c src/lxc/confile.c
+index 36d62cbcac..c0cba7c547 100644
+--- src/lxc/confile.c
++++ src/lxc/confile.c
+@@ -909,9 +909,9 @@ static int set_config_net_ipv6_gateway(const char *key, const char *value,
+ static int set_config_net_veth_ipv6_route(const char *key, const char *value,
+ 				       struct lxc_conf *lxc_conf, void *data)
+ {
+-	__do_free char *valdup;
+-	__do_free struct lxc_inet6dev *inet6dev;
+-	__do_free struct lxc_list *list;
++	__do_free char *valdup = NULL;
++	__do_free struct lxc_inet6dev *inet6dev = NULL;
++	__do_free struct lxc_list *list = NULL;
+ 	int ret;
+ 	char *netmask, *slash;
+ 	struct lxc_netdev *netdev = data;

srcpkgs/lxc/patches/7c3d3976fa4036fe5c260ca3a68376360e98e260.patch

@@ -0,0 +1,74 @@
+From 7c3d3976fa4036fe5c260ca3a68376360e98e260 Mon Sep 17 00:00:00 2001
+From: Julio Faracco <jcfaracco@gmail.com>
+Date: Sat, 3 Aug 2019 02:16:13 -0300
+Subject: [PATCH] utils: Fix wrong integer of a function parameter.
+
+If SSL is enabled, utils will include function `do_sha1_hash()` to
+generate a sha1 encrypted buffer. Last function argument of
+`EVP_DigestFinal_ex()` requires a `unsigned int` but the current
+parameter is an `integer` type.
+
+See error:
+utils.c:350:38: error: passing 'int *' to parameter of type 'unsigned int *' converts between pointers to integer types with different sign
+      [-Werror,-Wpointer-sign]
+        EVP_DigestFinal_ex(mdctx, md_value, md_len);
+                                            ^~~~~~
+/usr/include/openssl/evp.h:549:49: note: passing argument to parameter 's' here
+                                  unsigned int *s);
+
+Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
+---
+ src/lxc/lxccontainer.c | 3 ++-
+ src/lxc/utils.c        | 4 ++--
+ src/lxc/utils.h        | 2 +-
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git src/lxc/lxccontainer.c src/lxc/lxccontainer.c
+index 52c38fd330..09d427a491 100644
+--- src/lxc/lxccontainer.c
++++ src/lxc/lxccontainer.c
+@@ -1660,7 +1660,8 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
+ 	FILE *f;
+ 	int ret = -1;
+ #if HAVE_OPENSSL
+-	int i, md_len = 0;
++	int i;
++	unsigned int md_len = 0;
+ 	unsigned char md_value[EVP_MAX_MD_SIZE];
+ 	char *tpath;
+ #endif
+diff --git src/lxc/utils.c src/lxc/utils.c
+index bf4a9c2cbd..9ddbabfc85 100644
+--- src/lxc/utils.c
++++ src/lxc/utils.c
+@@ -333,7 +333,7 @@ int lxc_wait_for_pid_status(pid_t pid)
+ #ifdef HAVE_OPENSSL
+ #include <openssl/evp.h>
+ 
+-static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, int *md_len)
++static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, unsigned int *md_len)
+ {
+ 	EVP_MD_CTX *mdctx;
+ 	const EVP_MD *md;
+@@ -353,7 +353,7 @@ static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, in
+ 	return 0;
+ }
+ 
+-int sha1sum_file(char *fnam, unsigned char *digest, int *md_len)
++int sha1sum_file(char *fnam, unsigned char *digest, unsigned int *md_len)
+ {
+ 	char *buf;
+ 	int ret;
+diff --git src/lxc/utils.h src/lxc/utils.h
+index dd6404f0b3..c1667e8c4c 100644
+--- src/lxc/utils.h
++++ src/lxc/utils.h
+@@ -99,7 +99,7 @@ extern int wait_for_pid(pid_t pid);
+ extern int lxc_wait_for_pid_status(pid_t pid);
+ 
+ #if HAVE_OPENSSL
+-extern int sha1sum_file(char *fnam, unsigned char *md_value, int *md_len);
++extern int sha1sum_file(char *fnam, unsigned char *md_value, unsigned int *md_len);
+ #endif
+ 
+ /* initialize rand with urandom */

srcpkgs/lxc/patches/9c579205669cce54944e2c4f115e69ef18475bbe.patch

@@ -0,0 +1,30 @@
+From 9c579205669cce54944e2c4f115e69ef18475bbe Mon Sep 17 00:00:00 2001
+From: Tycho Andersen <tycho@tycho.ws>
+Date: Tue, 23 Jul 2019 09:40:14 -0600
+Subject: [PATCH] pidfds: don't print a scary warning on ENOSYS
+
+Most kernels don't have this functionality yet, and so the warning is
+printed a lot. Our people are scared of warnings, so let's make it INFO
+instead in this case.
+
+Signed-off-by: Tycho Andersen <tycho@tycho.ws>
+---
+ src/lxc/start.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git src/lxc/start.c src/lxc/start.c
+index e3f32f4cb8..e6544ea19c 100644
+--- src/lxc/start.c
++++ src/lxc/start.c
+@@ -1641,7 +1641,10 @@ static int proc_pidfd_open(pid_t pid)
+ 
+ 	/* Test whether we can send signals. */
+ 	if (lxc_raw_pidfd_send_signal(proc_pidfd, 0, NULL, 0)) {
+-		SYSERROR("Failed to send signal through pidfd");
++		if (errno != ENOSYS)
++			SYSERROR("Failed to send signal through pidfd");
++		else
++			INFO("Sending signals through pidfds not supported on this kernel");
+ 		return -1;
+ 	}
+ 

srcpkgs/lxc/patches/cpuset.patch

@@ -0,0 +1,33 @@
+From b31d62b847a3ee013613795094cce4acc12345ef Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Sun, 28 Jul 2019 23:13:26 +0200
+Subject: [PATCH] cgroups: initialize cpuset properly
+
+Closes #3108.
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cgroups/cgfsng.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
+index 7b8fe6736f..c29c0958e9 100644
+--- src/lxc/cgroups/cgfsng.c
++++ src/lxc/cgroups/cgfsng.c
+@@ -496,12 +496,12 @@ static bool cg_legacy_filter_and_set_cpus(char *path, bool am_initialized)
+ 	}
+ 
+ 	if (!flipped_bit) {
+-		DEBUG("No isolated or offline cpus present in cpuset");
+-		return true;
++		cpulist = lxc_cpumask_to_cpulist(possmask, maxposs);
++		TRACE("No isolated or offline cpus present in cpuset");
++	} else {
++		cpulist = move_ptr(posscpus);
++		TRACE("Removed isolated or offline cpus from cpuset");
+ 	}
+-	DEBUG("Removed isolated or offline cpus from cpuset");
+-
+-	cpulist = lxc_cpumask_to_cpulist(possmask, maxposs);
+ 	if (!cpulist) {
+ 		ERROR("Failed to create cpu list");
+ 		return false;

srcpkgs/lxc/patches/e4103cf63f3e24667680544303e7c7230b3d508c.patch

@@ -0,0 +1,122 @@
+From e4103cf63f3e24667680544303e7c7230b3d508c Mon Sep 17 00:00:00 2001
+From: Thomas Parrott <thomas.parrott@canonical.com>
+Date: Fri, 26 Jul 2019 16:14:18 +0100
+Subject: [PATCH] lxccontainer: do_lxcapi_detach_interface to support detaching
+ wlan devices
+
+Signed-off-by: Thomas Parrott <thomas.parrott@canonical.com>
+---
+ src/lxc/attach.c       |  2 +-
+ src/lxc/attach.h       |  2 ++
+ src/lxc/lxccontainer.c | 23 ++++++++++++++++++++++-
+ src/lxc/network.c      |  4 ++--
+ src/lxc/network.h      |  4 ++++
+ 5 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git src/lxc/attach.c src/lxc/attach.c
+index 867aa91c0d..f63331edec 100644
+--- src/lxc/attach.c
++++ src/lxc/attach.c
+@@ -213,7 +213,7 @@ static int lxc_attach_to_ns(pid_t pid, struct lxc_proc_context_info *ctx)
+ 	return 0;
+ }
+ 
+-static int lxc_attach_remount_sys_proc(void)
++int lxc_attach_remount_sys_proc(void)
+ {
+ 	int ret;
+ 
+diff --git src/lxc/attach.h src/lxc/attach.h
+index c576aa9fca..ce7c461b33 100644
+--- src/lxc/attach.h
++++ src/lxc/attach.h
+@@ -45,4 +45,6 @@ extern int lxc_attach(struct lxc_container *container,
+ 		      lxc_attach_exec_t exec_function, void *exec_payload,
+ 		      lxc_attach_options_t *options, pid_t *attached_process);
+ 
++extern int lxc_attach_remount_sys_proc(void);
++
+ #endif /* __LXC_ATTACH_H */
+diff --git src/lxc/lxccontainer.c src/lxc/lxccontainer.c
+index d8efdc41c6..52c38fd330 100644
+--- src/lxc/lxccontainer.c
++++ src/lxc/lxccontainer.c
+@@ -4793,6 +4793,7 @@ static bool do_lxcapi_detach_interface(struct lxc_container *c,
+ {
+ 	int ret;
+ 	pid_t pid, pid_outside;
++	__do_free char *physname = NULL;
+ 
+ 	/*
+ 	 * TODO - if this is a physical device, then we need am_host_unpriv.
+@@ -4828,6 +4829,19 @@ static bool do_lxcapi_detach_interface(struct lxc_container *c,
+ 			_exit(EXIT_FAILURE);
+ 		}
+ 
++		/* create new mount namespace for use with remounting /sys and is_wlan() below. */
++		ret = unshare(CLONE_NEWNS);
++		if (ret < 0) {
++			ERROR("Failed to unshare mount namespace");
++			_exit(EXIT_FAILURE);
++		}
++
++		/* set / recursively as private so that mount propagation doesn't affect us.  */
++		if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0) < 0) {
++			ERROR("Failed to recursively set / as private in mount namespace");
++			_exit(EXIT_FAILURE);
++		}
++
+ 		ret = lxc_netdev_isup(ifname);
+ 		if (ret < 0) {
+ 			ERROR("Failed to determine whether network device \"%s\" is up", ifname);
+@@ -4843,7 +4857,14 @@ static bool do_lxcapi_detach_interface(struct lxc_container *c,
+ 			}
+ 		}
+ 
+-		ret = lxc_netdev_move_by_name(ifname, pid_outside, dst_ifname);
++		/* remount /sys so is_wlan() can check if this device is a wlan device. */
++		lxc_attach_remount_sys_proc();
++		physname = is_wlan(ifname);
++		if (physname)
++			ret = lxc_netdev_move_wlan(physname, ifname, pid_outside, dst_ifname);
++		else
++			ret = lxc_netdev_move_by_name(ifname, pid_outside, dst_ifname);
++
+ 		/* -EINVAL means there is no netdev named as ifname. */
+ 		if (ret < 0) {
+ 			if (ret == -EINVAL)
+diff --git src/lxc/network.c src/lxc/network.c
+index 7684f95918..65727f6b5a 100644
+--- src/lxc/network.c
++++ src/lxc/network.c
+@@ -1172,7 +1172,7 @@ int lxc_netdev_move_by_index(int ifindex, pid_t pid, const char *ifname)
+  * will be passed to lxc_netdev_move_wlan() which will free it when done.
+  */
+ #define PHYSNAME "/sys/class/net/%s/phy80211/name"
+-static char *is_wlan(const char *ifname)
++char *is_wlan(const char *ifname)
+ {
+ 	__do_free char *path = NULL;
+ 	int i, ret;
+@@ -1245,7 +1245,7 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
+ 	_exit(lxc_netdev_rename_by_name(old, new));
+ }
+ 
+-static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
++int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
+ 				const char *newname)
+ {
+ 	__do_free char *cmd = NULL;
+diff --git src/lxc/network.h src/lxc/network.h
+index acfd8a0532..8a86768d9e 100644
+--- src/lxc/network.h
++++ src/lxc/network.h
+@@ -293,4 +293,8 @@ extern int lxc_netns_set_nsid(int netns_fd);
+ extern int lxc_netns_get_nsid(__s32 fd);
+ extern int lxc_create_network(struct lxc_handler *handler);
+ 
++extern char *is_wlan(const char *ifname);
++extern int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
++				const char *newname);
++
+ #endif /* __LXC_NETWORK_H */

srcpkgs/lxc/template

@@ -3,7 +3,7 @@ _desc="Linux Containers"
 
 pkgname=lxc
 version=3.2.1
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--enable-doc --enable-seccomp
  --enable-capabilities --enable-apparmor --with-distro=none