lxc: uprev from 3.2.1 to 4.0.1

Update to the just released 4.0.1. And drop some patches contained
in this released.

Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

5 files changed, 3 insertions, 639 deletions

diff --git a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch b/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
deleted file mode 100644
index 0da1be08..00000000
--- a/recipes-containers/lxc/files/0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch
+++ /dev/null
@@ -1,275 +0,0 @@
-From 5dc7de13feab41e3847fed72fa0d0d9bed21fea5 Mon Sep 17 00:00:00 2001
-From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-Date: Wed, 29 Jan 2020 17:09:50 +0100
-Subject: [PATCH 2/3] container.conf: Add option to set keyring SELinux context
-
-lxc set's up a new session keyring for every container by default.
-If executed on an SELinux enabled system, by default, the keyring
-inherits the label of the creating process. If executed with the
-currently available SELinux policy, this means that the keyring
-is labeled with the lxc_t type. Applications inside the container,
-however, might expect that the keyring is labeled with a certain
-context (and will fail to access the keyring if it's not explicitly
-allowed in the global policy). This patch introduces the config
-option lxc.selinux.context.keyring which enables to specify the
-label of the newly created keyring. That is, the keyring can be
-labeled with the label expected by the started application.
-
-Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
----
- config/selinux/lxc.te |  3 +++
- src/lxc/conf.c        | 10 +++++++++-
- src/lxc/conf.h        |  1 +
- src/lxc/confile.c     | 24 ++++++++++++++++++++++++
- src/lxc/lsm/lsm.c     | 13 +++++++++++++
- src/lxc/lsm/lsm.h     |  2 ++
- src/lxc/lsm/selinux.c | 13 +++++++++++++
- src/lxc/utils.c       |  9 ++++++++-
- src/lxc/utils.h       |  2 +-
- 9 files changed, 74 insertions(+), 3 deletions(-)
-
-diff --git a/config/selinux/lxc.te b/config/selinux/lxc.te
-index bb4bfe3a8..d3f78d80b 100644
---- a/config/selinux/lxc.te
-+++ b/config/selinux/lxc.te
-@@ -84,5 +84,8 @@ allow lxc_t self:packet_socket create_socket_perms;
- allow lxc_t self:rawip_socket create_socket_perms;
- allow lxc_t self:netlink_route_socket create_netlink_socket_perms;
- 
-+# Needed to set label that the keyring will be created with
-+allow lxc_t self:process { setkeycreate };
-+
- dontaudit lxc_t sysctl_kernel_t:file write;
- dontaudit lxc_t sysctl_modprobe_t:file write;
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index 0f8b3c928..b06fbf047 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2758,6 +2758,7 @@ struct lxc_conf *lxc_conf_init(void)
-        new->lsm_aa_profile = NULL;
-        lxc_list_init(&new->lsm_aa_raw);
-        new->lsm_se_context = NULL;
-+       new->lsm_se_keyring_context = NULL;
-        new->tmp_umount_proc = false;
-        new->tmp_umount_proc = 0;
-        new->shmount.path_host = NULL;
-@@ -3549,6 +3550,7 @@ int lxc_setup(struct lxc_handler *handler)
-        int ret;
-        const char *lxcpath = handler->lxcpath, *name = handler->name;
-        struct lxc_conf *lxc_conf = handler->conf;
-+       char *keyring_context = NULL;
- 
-        ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath);
-        if (ret < 0) {
-@@ -3564,7 +3566,13 @@ int lxc_setup(struct lxc_handler *handler)
-                }
-        }
- 
--       ret = lxc_setup_keyring();
-+       if (lxc_conf->lsm_se_keyring_context) {
-+               keyring_context = lxc_conf->lsm_se_keyring_context;
-+       } else if (lxc_conf->lsm_se_context) {
-+               keyring_context = lxc_conf->lsm_se_context;
-+       }
-+
-+       ret = lxc_setup_keyring(keyring_context);
-        if (ret < 0)
-                return -1;
- 
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index 2664a1527..bb47b720e 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -295,6 +295,7 @@ struct lxc_conf {
-        unsigned int lsm_aa_allow_incomplete;
-        struct lxc_list lsm_aa_raw;
-        char *lsm_se_context;
-+       char *lsm_se_keyring_context;
-        bool tmp_umount_proc;
-        struct lxc_seccomp seccomp;
-        int maincmd_fd;
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index 36d62cbca..df184af73 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -157,6 +157,7 @@ lxc_config_define(seccomp_allow_nesting);
- lxc_config_define(seccomp_notify_cookie);
- lxc_config_define(seccomp_notify_proxy);
- lxc_config_define(selinux_context);
-+lxc_config_define(selinux_context_keyring);
- lxc_config_define(signal_halt);
- lxc_config_define(signal_reboot);
- lxc_config_define(signal_stop);
-@@ -253,6 +254,7 @@ static struct lxc_config_t config_jump_table[] = {
-        { "lxc.seccomp.notify.proxy",      set_config_seccomp_notify_proxy,        get_config_seccomp_notify_proxy,        clr_config_seccomp_notify_proxy,      },
-        { "lxc.seccomp.profile",           set_config_seccomp_profile,             get_config_seccomp_profile,             clr_config_seccomp_profile,           },
-        { "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
-+       { "lxc.selinux.context.keyring",   set_config_selinux_context_keyring,     get_config_selinux_context_keyring,     clr_config_selinux_context_keyring    },
-        { "lxc.signal.halt",               set_config_signal_halt,                 get_config_signal_halt,                 clr_config_signal_halt,               },
-        { "lxc.signal.reboot",             set_config_signal_reboot,               get_config_signal_reboot,               clr_config_signal_reboot,             },
-        { "lxc.signal.stop",               set_config_signal_stop,                 get_config_signal_stop,                 clr_config_signal_stop,               },
-@@ -1489,6 +1491,12 @@ static int set_config_selinux_context(const char *key, const char *value,
-        return set_config_string_item(&lxc_conf->lsm_se_context, value);
- }
- 
-+static int set_config_selinux_context_keyring(const char *key, const char *value,
-+                                             struct lxc_conf *lxc_conf, void *data)
-+{
-+       return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
-+}
-+
- static int set_config_log_file(const char *key, const char *value,
-                              struct lxc_conf *c, void *data)
- {
-@@ -3545,6 +3553,13 @@ static int get_config_selinux_context(const char *key, char *retv, int inlen,
-        return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
- }
- 
-+static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
-+                                             struct lxc_conf *c, void *data)
-+{
-+       return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
-+}
-+
-+
- /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
-  * just the value(s) will be printed. Since there still could be more than one,
-  * it is newline-separated.
-@@ -4405,6 +4420,14 @@ static inline int clr_config_selinux_context(const char *key,
-        return 0;
- }
- 
-+static inline int clr_config_selinux_context_keyring(const char *key,
-+                                                    struct lxc_conf *c, void *data)
-+{
-+       free(c->lsm_se_keyring_context);
-+       c->lsm_se_keyring_context = NULL;
-+       return 0;
-+}
-+
- static inline int clr_config_cgroup_controller(const char *key,
-                                               struct lxc_conf *c, void *data)
- {
-@@ -5944,6 +5967,7 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
-                strprint(retv, inlen, "dir\n");
-        } else if (!strcmp(key, "lxc.selinux")) {
-                strprint(retv, inlen, "context\n");
-+               strprint(retv, inlen, "context.keyring\n");
-        } else if (!strcmp(key, "lxc.mount")) {
-                strprint(retv, inlen, "auto\n");
-                strprint(retv, inlen, "entry\n");
-diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
-index 5538c9e84..48c22b700 100644
---- a/src/lxc/lsm/lsm.c
-+++ b/src/lxc/lsm/lsm.c
-@@ -214,3 +214,16 @@ void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath)
- 
-        drv->cleanup(conf, lxcpath);
- }
-+
-+int lsm_keyring_label_set(char *label) {
-+
-+       if (!drv) {
-+               ERROR("LSM driver not inited");
-+               return -1;
-+       }
-+
-+       if (!drv->keyring_label_set)
-+               return 0;
-+
-+       return drv->keyring_label_set(label);
-+}
-diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
-index dda740b3d..a645a2fa0 100644
---- a/src/lxc/lsm/lsm.h
-+++ b/src/lxc/lsm/lsm.h
-@@ -38,6 +38,7 @@ struct lsm_drv {
-        char *(*process_label_get)(pid_t pid);
-        int (*process_label_set)(const char *label, struct lxc_conf *conf,
-                                 bool on_exec);
-+       int (*keyring_label_set)(char* label);
-        int (*prepare)(struct lxc_conf *conf, const char *lxcpath);
-        void (*cleanup)(struct lxc_conf *conf, const char *lxcpath);
- };
-@@ -53,5 +54,6 @@ extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
- extern int lsm_process_label_set_at(int label_fd, const char *label,
-                                    bool on_exec);
- extern void lsm_process_cleanup(struct lxc_conf *conf, const char *lxcpath);
-+extern int lsm_keyring_label_set(char *label);
- 
- #endif /* __LXC_LSM_H */
-diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
-index 625bcae90..b3d95c310 100644
---- a/src/lxc/lsm/selinux.c
-+++ b/src/lxc/lsm/selinux.c
-@@ -106,11 +106,24 @@ static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
-        return 0;
- }
- 
-+/*
-+ * selinux_keyring_label_set: Set SELinux context that will be assigned to the keyring
-+ *
-+ * @label   : label string
-+ *
-+ * Returns 0 on success, < 0 on failure
-+ */
-+static int selinux_keyring_label_set(char *label)
-+{
-+       return setkeycreatecon_raw(label);
-+};
-+
- static struct lsm_drv selinux_drv = {
-        .name = "SELinux",
-        .enabled           = is_selinux_enabled,
-        .process_label_get = selinux_process_label_get,
-        .process_label_set = selinux_process_label_set,
-+       .keyring_label_set = selinux_keyring_label_set,
- };
- 
- struct lsm_drv *lsm_selinux_drv_init(void)
-diff --git a/src/lxc/utils.c b/src/lxc/utils.c
-index bf4a9c2cb..90852eb87 100644
---- a/src/lxc/utils.c
-+++ b/src/lxc/utils.c
-@@ -48,6 +48,7 @@
- 
- #include "config.h"
- #include "log.h"
-+#include "lsm/lsm.h"
- #include "lxclock.h"
- #include "memory_utils.h"
- #include "namespace.h"
-@@ -1832,11 +1833,17 @@ int recursive_destroy(char *dirname)
-        return r;
- }
- 
--int lxc_setup_keyring(void)
-+int lxc_setup_keyring(char *keyring_label)
- {
-        key_serial_t keyring;
-        int ret = 0;
- 
-+       if (keyring_label) {
-+               if (lsm_keyring_label_set(keyring_label) < 0) {
-+                       ERROR("Couldn't set keyring label");
-+               }
-+       }
-+
-        /* Try to allocate a new session keyring for the container to prevent
-         * information leaks.
-         */
-diff --git a/src/lxc/utils.h b/src/lxc/utils.h
-index dd6404f0b..7560711b7 100644
---- a/src/lxc/utils.h
-+++ b/src/lxc/utils.h
-@@ -259,6 +259,6 @@ extern uint64_t lxc_find_next_power2(uint64_t n);
- extern int lxc_set_death_signal(int signal, pid_t parent);
- extern int fd_cloexec(int fd, bool cloexec);
- extern int recursive_destroy(char *dirname);
--extern int lxc_setup_keyring(void);
-+extern int lxc_setup_keyring(char *keyring_label);
- 
- #endif /* __LXC_UTILS_H */
--- 
-2.24.1
-
diff --git a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch b/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
deleted file mode 100644
index 9d5b5b8a..00000000
--- a/recipes-containers/lxc/files/0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From b1694cccddadc8b084cd9eb502d9e86e0728709b Mon Sep 17 00:00:00 2001
-From: Patrick Havelange <patrick.havelange@essensium.com>
-Date: Tue, 22 Oct 2019 12:29:54 +0200
-Subject: [PATCH v2] syscall_wrappers: rename internal memfd_create to
- memfd_create_lxc
-
-In case the internal memfd_create has to be used, make sure we don't
-clash with the already existing memfd_create function from glibc.
-
-This can happen if this glibc function is a stub. In this case, at
-./configure time, the test for this function will return false, however
-the declaration of that function is still available. This leads to
-compilation errors.
-
-Upstream-Status: Backport [lxc-3.2.1 https://github.com/lxc/lxc/pull/3168]
-
-Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
-(cherry picked from commit 40b06c78773dfd5e12e568a576b1abb133f61b71)
-Signed-off-by: Oleksii Kurochko <olkuroch@cisco.com>
----
- v2: added Upstream-Status
-
- src/lxc/syscall_wrappers.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/lxc/syscall_wrappers.h b/src/lxc/syscall_wrappers.h
-index ce67da5b5308..b7edba63f5d7 100644
---- a/src/lxc/syscall_wrappers.h
-+++ b/src/lxc/syscall_wrappers.h
-@@ -74,7 +74,7 @@ static inline long __keyctl(int cmd, unsigned long arg2, unsigned long arg3,
- #endif
- 
- #ifndef HAVE_MEMFD_CREATE
--static inline int memfd_create(const char *name, unsigned int flags) {
-+static inline int memfd_create_lxc(const char *name, unsigned int flags) {
-        #ifndef __NR_memfd_create
-                #if defined __i386__
-                        #define __NR_memfd_create 356
-@@ -113,6 +113,7 @@ static inline int memfd_create(const char *name, unsigned int flags) {
-        return -1;
-        #endif
- }
-+#define memfd_create memfd_create_lxc
- #else
- extern int memfd_create(const char *name, unsigned int flags);
- #endif
diff --git a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch b/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
deleted file mode 100644
index 34647c80..00000000
--- a/recipes-containers/lxc/files/0002-container.conf-Add-option-to-disable-session-keyring.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From 8164190b19a0a9070c7e531c9be84f4317f10193 Mon Sep 17 00:00:00 2001
-From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
-Date: Thu, 30 Jan 2020 19:21:10 +0100
-Subject: [PATCH 3/3] container.conf: Add option to disable session keyring
- creation
-
-lxc set's up a new session keyring for every container by default.
-There might be valid use-cases where this is not wanted / needed
-(e.g. systemd by default creates a new session keyring anyway).
-
-Signed-off-by: Maximilian Blenk <Maximilian.Blenk@bmw.de>
----
- src/lxc/conf.c          | 19 ++++++++++--------
- src/lxc/conf.h          |  1 +
- src/lxc/confile.c       | 44 ++++++++++++++++++++++-------------------
- src/lxc/confile_utils.c | 24 ++++++++++++++++++++++
- src/lxc/confile_utils.h |  2 ++
- 5 files changed, 62 insertions(+), 28 deletions(-)
-
-diff --git a/src/lxc/conf.c b/src/lxc/conf.c
-index b06fbf047..be4761a54 100644
---- a/src/lxc/conf.c
-+++ b/src/lxc/conf.c
-@@ -2759,6 +2759,7 @@ struct lxc_conf *lxc_conf_init(void)
-        lxc_list_init(&new->lsm_aa_raw);
-        new->lsm_se_context = NULL;
-        new->lsm_se_keyring_context = NULL;
-+       new->keyring_disable_session = false;
-        new->tmp_umount_proc = false;
-        new->tmp_umount_proc = 0;
-        new->shmount.path_host = NULL;
-@@ -3566,15 +3567,17 @@ int lxc_setup(struct lxc_handler *handler)
-                }
-        }
- 
--       if (lxc_conf->lsm_se_keyring_context) {
--               keyring_context = lxc_conf->lsm_se_keyring_context;
--       } else if (lxc_conf->lsm_se_context) {
--               keyring_context = lxc_conf->lsm_se_context;
--       }
-+       if (!lxc_conf->keyring_disable_session) {
-+               if (lxc_conf->lsm_se_keyring_context) {
-+                       keyring_context = lxc_conf->lsm_se_keyring_context;
-+               } else if (lxc_conf->lsm_se_context) {
-+                       keyring_context = lxc_conf->lsm_se_context;
-+               }
- 
--       ret = lxc_setup_keyring(keyring_context);
--       if (ret < 0)
--               return -1;
-+               ret = lxc_setup_keyring(keyring_context);
-+               if (ret < 0)
-+                       return -1;
-+       }
- 
-        if (handler->ns_clone_flags & CLONE_NEWNET) {
-                ret = lxc_setup_network_in_child_namespaces(lxc_conf,
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index bb47b720e..b81786838 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -296,6 +296,7 @@ struct lxc_conf {
-        struct lxc_list lsm_aa_raw;
-        char *lsm_se_context;
-        char *lsm_se_keyring_context;
-+       bool keyring_disable_session;
-        bool tmp_umount_proc;
-        struct lxc_seccomp seccomp;
-        int maincmd_fd;
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index df184af73..fd8b3aaba 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -110,6 +110,7 @@ lxc_config_define(init_cmd);
- lxc_config_define(init_cwd);
- lxc_config_define(init_gid);
- lxc_config_define(init_uid);
-+lxc_config_define(keyring_session);
- lxc_config_define(log_file);
- lxc_config_define(log_level);
- lxc_config_define(log_syslog);
-@@ -208,6 +209,7 @@ static struct lxc_config_t config_jump_table[] = {
-        { "lxc.init.gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
-        { "lxc.init.uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
-        { "lxc.init.cwd",                  set_config_init_cwd,                    get_config_init_cwd,                    clr_config_init_cwd,                  },
-+       { "lxc.keyring.session",           set_config_keyring_session,             get_config_keyring_session,             clr_config_keyring_session            },
-        { "lxc.log.file",                  set_config_log_file,                    get_config_log_file,                    clr_config_log_file,                  },
-        { "lxc.log.level",                 set_config_log_level,                   get_config_log_level,                   clr_config_log_level,                 },
-        { "lxc.log.syslog",                set_config_log_syslog,                  get_config_log_syslog,                  clr_config_log_syslog,                },
-@@ -1497,6 +1499,12 @@ static int set_config_selinux_context_keyring(const char *key, const char *value
-        return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
- }
- 
-+static int set_config_keyring_session(const char *key, const char *value,
-+                                     struct lxc_conf *lxc_conf, void *data)
-+{
-+       return set_config_bool_item(&lxc_conf->keyring_disable_session, value, false);
-+}
-+
- static int set_config_log_file(const char *key, const char *value,
-                              struct lxc_conf *c, void *data)
- {
-@@ -2553,26 +2561,7 @@ static int set_config_rootfs_path(const char *key, const char *value,
- static int set_config_rootfs_managed(const char *key, const char *value,
-                                     struct lxc_conf *lxc_conf, void *data)
- {
--       unsigned int val = 0;
--
--       if (lxc_config_value_empty(value)) {
--               lxc_conf->rootfs.managed = true;
--               return 0;
--       }
--
--       if (lxc_safe_uint(value, &val) < 0)
--               return -EINVAL;
--
--       switch (val) {
--       case 0:
--               lxc_conf->rootfs.managed = false;
--               return 0;
--       case 1:
--               lxc_conf->rootfs.managed = true;
--               return 0;
--       }
--
--       return -EINVAL;
-+       return set_config_bool_item(&lxc_conf->rootfs.managed, value, true);
- }
- 
- static int set_config_rootfs_mount(const char *key, const char *value,
-@@ -3559,6 +3548,12 @@ static int get_config_selinux_context_keyring(const char *key, char *retv, int i
-        return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
- }
- 
-+static int get_config_keyring_session(const char *key, char *retv, int inlen,
-+                                     struct lxc_conf *c, void *data)
-+{
-+       return lxc_get_conf_bool(c, retv, inlen, c->keyring_disable_session);
-+}
-+
- 
- /* If you ask for a specific cgroup value, i.e. lxc.cgroup.devices.list, then
-  * just the value(s) will be printed. Since there still could be more than one,
-@@ -4428,6 +4423,13 @@ static inline int clr_config_selinux_context_keyring(const char *key,
-        return 0;
- }
- 
-+static inline int clr_config_keyring_session(const char *key,
-+                                            struct lxc_conf *c, void *data)
-+{
-+       c->keyring_disable_session = false;
-+       return 0;
-+}
-+
- static inline int clr_config_cgroup_controller(const char *key,
-                                               struct lxc_conf *c, void *data)
- {
-@@ -6007,6 +6009,8 @@ int lxc_list_subkeys(struct lxc_conf *conf, const char *key, char *retv,
-                strprint(retv, inlen, "order\n");
-        } else if (!strcmp(key, "lxc.monitor")) {
-                strprint(retv, inlen, "unshare\n");
-+       } else if (!strcmp(key, "lxc.keyring")) {
-+               strprint(retv, inlen, "session\n");
-        } else {
-                fulllen = -1;
-        }
-diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
-index 6941f4026..02e48454b 100644
---- a/src/lxc/confile_utils.c
-+++ b/src/lxc/confile_utils.c
-@@ -666,6 +666,30 @@ int set_config_path_item(char **conf_item, const char *value)
-        return set_config_string_item_max(conf_item, value, PATH_MAX);
- }
- 
-+int set_config_bool_item(bool *conf_item, const char *value, bool empty_conf_action)
-+{
-+       unsigned int val = 0;
-+
-+       if (lxc_config_value_empty(value)) {
-+               *conf_item = empty_conf_action;
-+               return 0;
-+       }
-+
-+       if (lxc_safe_uint(value, &val) < 0)
-+               return -EINVAL;
-+
-+       switch (val) {
-+       case 0:
-+               *conf_item = false;
-+               return 0;
-+       case 1:
-+               *conf_item = true;
-+               return 0;
-+       }
-+
-+       return -EINVAL;
-+}
-+
- int config_ip_prefix(struct in_addr *addr)
- {
-        if (IN_CLASSA(addr->s_addr))
-diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
-index f68f9604f..83d49bace 100644
---- a/src/lxc/confile_utils.h
-+++ b/src/lxc/confile_utils.h
-@@ -68,6 +68,8 @@ extern int set_config_string_item(char **conf_item, const char *value);
- extern int set_config_string_item_max(char **conf_item, const char *value,
-                                      size_t max);
- extern int set_config_path_item(char **conf_item, const char *value);
-+extern int set_config_bool_item(bool *conf_item, const char *value,
-+                                bool empty_conf_action);
- extern int config_ip_prefix(struct in_addr *addr);
- extern int network_ifname(char *valuep, const char *value, size_t size);
- extern void rand_complete_hwaddr(char *hwaddr);
--- 
-2.24.1
-
diff --git a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch b/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
deleted file mode 100644
index aa1aecd4..00000000
--- a/recipes-containers/lxc/files/network-restore-ability-to-move-nl80211-devices.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 3dd7829433f63b2ec1323a1f237efa7d67ea6e2b Mon Sep 17 00:00:00 2001
-From: Christian Brauner <christian.brauner@ubuntu.com>
-Date: Fri, 26 Jul 2019 08:20:02 +0200
-Subject: [PATCH] network: restore ability to move nl80211 devices
-
-Closes #3105.
-Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
----
- src/lxc/network.c | 31 +++++++++++++++++--------------
- 1 file changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/lxc/network.c b/src/lxc/network.c
-index 9755116..7684f95 100644
---- a/src/lxc/network.c
-+++ b/src/lxc/network.c
-@@ -1248,22 +1248,21 @@ static int lxc_netdev_rename_by_name_in_netns(pid_t pid, const char *old,
- static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
-                                const char *newname)
- {
--       char *cmd;
-+       __do_free char *cmd = NULL;
-        pid_t fpid;
--       int err = -1;
- 
-        /* Move phyN into the container.  TODO - do this using netlink.
-         * However, IIUC this involves a bit more complicated work to talk to
-         * the 80211 module, so for now just call out to iw.
-         */
-        cmd = on_path("iw", NULL);
--       if (!cmd)
--               goto out1;
--       free(cmd);
-+       if (!cmd) {
-+               return -1;
-+       }
- 
-        fpid = fork();
-        if (fpid < 0)
--               goto out1;
-+               return -1;
- 
-        if (fpid == 0) {
-                char pidstr[30];
-@@ -1274,21 +1273,18 @@ static int lxc_netdev_move_wlan(char *physname, const char *ifname, pid_t pid,
-        }
- 
-        if (wait_for_pid(fpid))
--               goto out1;
-+               return -1;
- 
--       err = 0;
-        if (newname)
--               err = lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
-+               return lxc_netdev_rename_by_name_in_netns(pid, ifname, newname);
- 
--out1:
--       free(physname);
--       return err;
-+       return 0;
- }
- 
- int lxc_netdev_move_by_name(const char *ifname, pid_t pid, const char* newname)
- {
-+       __do_free char *physname = NULL;
-        int index;
--       char *physname;
- 
-        if (!ifname)
-                return -EINVAL;
-@@ -3279,13 +3275,20 @@ int lxc_network_move_created_netdev_priv(struct lxc_handler *handler)
-                return 0;
- 
-        lxc_list_for_each(iterator, network) {
-+               __do_free char *physname = NULL;
-                int ret;
-                struct lxc_netdev *netdev = iterator->elem;
- 
-                if (!netdev->ifindex)
-                        continue;
- 
--               ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
-+               if (netdev->type == LXC_NET_PHYS)
-+                       physname = is_wlan(netdev->link);
-+
-+               if (physname)
-+                       ret = lxc_netdev_move_wlan(physname, netdev->link, pid, NULL);
-+               else
-+                       ret = lxc_netdev_move_by_index(netdev->ifindex, pid, NULL);
-                if (ret) {
-                        errno = -ret;
-                        SYSERROR("Failed to move network device \"%s\" with ifindex %d to network namespace %d",
--- 
-2.7.4
-
diff --git a/recipes-containers/lxc/lxc_3.2.1.bb b/recipes-containers/lxc/lxc_4.0.1.bb
index 9592dd9b..a3de38ef 100644
--- a/recipes-containers/lxc/lxc_3.2.1.bb
+++ b/recipes-containers/lxc/lxc_4.0.1.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "lxc aims to use these new functionnalities to provide an userspace container object"
 SECTION = "console/utils"
 LICENSE = "LGPLv2.1"
-LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 DEPENDS = "libxml2 libcap"
 RDEPENDS_${PN} = " \
                 rsync \
@@ -44,16 +44,12 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
         file://templates-use-curl-instead-of-wget.patch \
         file://tests-our-init-is-not-busybox.patch \
         file://tests-add-no-validate-when-using-download-template.patch \
-        file://network-restore-ability-to-move-nl80211-devices.patch \
-        file://0001-container.conf-Add-option-to-set-keyring-SELinux-con.patch \
-        file://0002-container.conf-Add-option-to-disable-session-keyring.patch \
         file://dnsmasq.conf \
         file://lxc-net \
-        file://0001-syscall_wrappers-rename-internal-memfd_create-to-mem.patch \
         "
 
-SRC_URI[md5sum] = "4886c8d1c8e221fe526eefcb47857b85"
-SRC_URI[sha256sum] = "5f903986a4b17d607eea28c0aa56bf1e76e8707747b1aa07d31680338b1cc3d4"
+SRC_URI[md5sum] = "5f19f13eafdde24c75ba459fc6c28156"
+SRC_URI[sha256sum] = "70bbaac1df097f32ee5493a5e67a52365f7cdda28529f40197d6160bbec4139d"
 
 S = "${WORKDIR}/${BPN}-${PV}"