Sync and fix new features from upstream

.github/workflows/code-test.yml

@@ -45,6 +45,7 @@ jobs:
             -Dopenssl=false \
             -Ddbus=false \
             -Dandroid-log=true \
+            -Dlandlock-monitor=true \
             --cross-file aarch64-android-api30.txt
 
         meson compile -C build

.github/workflows/main.yml

@@ -23,7 +23,7 @@ jobs:
         sudo apt-get install -y -qq build-essential pipx python3-venv pkg-config cmake docbook2x \
         python3-pip pipx jq
         sudo npm install -g conventional-changelog-cli
-        conventional-changelog -i CHANGELOG.md -s
+        conventional-changelog -o CHANGELOG.md -r 2
         pipx ensurepath
         pipx install meson==0.61
         pipx install ninja
@@ -74,6 +74,7 @@ jobs:
             -Dopenssl=true \
             -Ddbus=false \
             -Dandroid-log=true \
+            -Dlandlock-monitor=true \
             --cross-file aarch64-android-api30.txt
 
         meson compile -C build

.gitignore

@@ -6,4 +6,3 @@
 
 # Release tarballs.
 lxc-*.tar.gz*
-/.github/workflows

meson.build

@@ -497,8 +497,7 @@ if have
     endif
 endif
 
-## NDK doesn't implement thread_setcancelstate functions, and is only used as a placeholder here
-have = cc.has_function('pthread_kill', prefix: '#include <pthread.h>')
+have = cc.has_function('pthread_setcancelstate', prefix: '#include <pthread.h>')
 srcconf.set10('HAVE_PTHREAD_SETCANCELSTATE', have)
 
 have = cc.has_function('rand_r')

src/include/getgrgid_r.c

@@ -56,23 +56,9 @@
 
 #define FIX(x) (gr->gr_##x = gr->gr_##x - line + buf)
 
-#define SIG_CANCEL_SIGNAL SIGUSR1
-#define PTHREAD_CANCEL_ENABLE 1
-#define PTHREAD_CANCEL_DISABLE 0
-
-static int pthread_setcancelstate(int state, int *oldstate) {
-	sigset_t   new, old;
-	int ret;
-	sigemptyset (&new);
-	sigaddset (&new, SIG_CANCEL_SIGNAL);
-
-	ret = pthread_sigmask(state == PTHREAD_CANCEL_ENABLE ? SIG_BLOCK : SIG_UNBLOCK, &new , &old);
-	if(oldstate != NULL)
-	{
-		*oldstate =sigismember(&old,SIG_CANCEL_SIGNAL) == 0 ? PTHREAD_CANCEL_DISABLE : PTHREAD_CANCEL_ENABLE;
-	}
-	return ret;
-}
+#if !HAVE_PTHREAD_SETCANCELSTATE
+#include <pthread_ext.h>
+#endif
 
 static unsigned atou(char **s)
 {

src/include/meson.build

@@ -44,3 +44,9 @@ if srcconf.get('HAVE_HASMNTOPT') == 0
         'hasmntopt.c',
         'hasmntopt.h')
 endif
+
+if srcconf.get('HAVE_PTHREAD_SETCANCELSTATE') == 0
+    include_sources += files(
+        'pthread_setcancelstate.c',
+        'pthread_ext.h')
+endif

src/include/pthread_ext.h

@@ -0,0 +1,18 @@
+/* liblxcapi
+ *
+ * SPDX-License-Identifier: LGPL-2.1+ *
+ *
+ */
+
+#ifndef _PTHREAD_EXT_H
+#define _PTHREAD_EXT_H
+
+#include "../lxc/compiler.h"
+
+#ifndef PTHREAD_CANCELED
+#define PTHREAD_CANCELED ((void *)-1)
+#endif
+
+__hidden extern int pthread_setcancelstate(int, int *);
+
+#endif

src/include/pthread_setcancelstate.c

@@ -0,0 +1,29 @@
+/* liblxcapi
+ *
+ * SPDX-License-Identifier: LGPL-2.1+ *
+ *
+ * This is not a standard implementation.
+ * It only protects getgrgid_r().
+ */
+
+#include <pthread.h>
+#include "pthread_ext.h"
+
+static const int signals[] = {
+	SIGINT,
+	SIGTERM,
+	SIGQUIT,
+};
+
+int pthread_setcancelstate(int state, int *oldstate) 
+{
+	sigset_t signal_set;
+	sigset_t old_mask;
+	sigemptyset(&signal_set);
+
+	for (size_t i = 0; i < sizeof(signals)/sizeof(signals[0]); i++)
+		sigaddset(&signal_set, signals[i]);
+
+	int operation = (state == 1) ? SIG_UNBLOCK : SIG_BLOCK;
+	return pthread_sigmask(operation, &signal_set, &old_mask);
+}

src/lxc/start.c

@@ -68,6 +68,10 @@
 #include "strlcpy.h"
 #endif
 
+#if IS_BIONIC
+#include <pthread_ext.h>
+#endif
+
 #if HAVE_LANDLOCK_MONITOR
 #ifndef landlock_create_ruleset
 static inline int
@@ -729,10 +733,13 @@ int lxc_handler_mainloop(struct lxc_async_descr *descr, struct lxc_handler *hand
 	pthread_t thread;
 
 	/* Skip protection if a seccomp proxy is setup. */
+#if HAVE_DECL_SECCOMP_NOTIFY_FD
 	if (!handler || !handler->conf || handler->conf->seccomp.notifier.proxy_fd > 0) {
 		/* Landlock not supported when seccomp notify is in use. */
 		SYSERROR("Skipping Landlock due to seccomp notify");
-
+#else
+	if (!handler || !handler->conf) {
+#endif
 		/* We don't need to use thread then */
 		return lxc_mainloop(descr, -1);
 	}