From 29cd84d8e40d014bebf7a1424d0ccbe32341af40 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 1 Mar 2026 23:13:17 +0900
Subject: [PATCH 1/6] Add description for unprivileged containers to Japanese
 man page

Update for f085a8c

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---
 doc/ja/lxc.sgml.in | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/doc/ja/lxc.sgml.in b/doc/ja/lxc.sgml.in
index 735b485e3e..ad68d2eff7 100644
--- a/doc/ja/lxc.sgml.in
+++ b/doc/ja/lxc.sgml.in
@@ -306,6 +306,24 @@ rootfs
       で説明しています。
     </refsect2>
 
+    <refsect2>
+      <title><!-- Unprivileged containers -->非特権コンテナ</title>
+      <para>
+        <!--
+        Unprivileged LXC containers run without root host-level privileges in a 
+        user namespace, mapping container UID 0 to a non-root host ID, which 
+        strictly limits the accessible devices and filesystems of the 
+        container. In order to mount a rootfs in an unprivileged container, the 
+        mapped host user must have execute permissions for all directories 
+        along the path to and including the rootfs. Additionally, all files and 
+        directories under the rootfs must be owned by the correct user ID and 
+        group ID. The correct user ID and group ID are the host IDs mapped to 
+        the container root(UID 0) in lxc.idmap.
+        -->
+        非特権 LXC コンテナは、ユーザ名前空間内で root のホストレベルの特権がない状態で実行されます。コンテナの UID 0 は、root ではないホストの ID にマッピングされ、コンテナのアクセス可能なデバイスとファイルシステムが厳密に制限されます。非特権コンテナ内で rootfs をマウントするためには、マッピングされたホストのユーザが、rootfs ディレクトリ自身を含む、rootfs までのパス上にあるすべてのディレクトリに対して実行権限を持っている必要があります。さらに、rootfs 以下のすべてのファイルとディレクトリは、正しいユーザ ID とグループ ID が所有している必要があります。正しいユーザ ID とグループ ID とは、lxc.idmap でコンテナの root（UID 0）にマッピングされているホストの ID です。
+      </para>
+    </refsect2>
+
     <refsect2>
       <title><!-- Creating / Destroying containers -->コンテナの作成と削除</title>
       <para>

From a01f7b4aca9f12a926d3acfab5b146965a67e950 Mon Sep 17 00:00:00 2001
From: KATOH Yasufumi <karma@jazz.email.ne.jp>
Date: Sun, 1 Mar 2026 23:40:26 +0900
Subject: [PATCH 2/6] Add --rbuser to Japanese lxc-create(1)

Update for 9799eba

Signed-off-by: KATOH Yasufumi <karma@jazz.email.ne.jp>
---
 doc/ja/lxc-create.sgml.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/ja/lxc-create.sgml.in b/doc/ja/lxc-create.sgml.in
index 5e086202e6..738177be7e 100644
--- a/doc/ja/lxc-create.sgml.in
+++ b/doc/ja/lxc-create.sgml.in
@@ -185,10 +185,12 @@
 		 You can specify the following options :
 		 <replaceable>&#045;&#045;rbdname RBDNAME</replaceable> will create a blockdevice named RBDNAME rather than the default, which is the container name.
 		 <replaceable>&#045;&#045;rbdpool POOL</replaceable> will create the blockdevice in the pool named POOL, rather than the default, which is 'lxc'.
+		<replaceable>\-\-rbduser RBDUSER</replaceable> will specify the ceph user RBDUSER creating the blockdevice, rather than the default, which is 'admin'.
 		 -->
 		 backingstore が 'rbd' の場合、<filename>ceph.conf</filename> に有効な設定がされており、<filename>ceph.client.admin.keyring</filename> が定義されている必要があります。
 		 <replaceable>--rbdname RBDNAME</replaceable> を指定すると、RBDNAME という名前のブロックデバイスを作成します。このオプションを指定しない場合のデフォルトのブロックデバイス名はコンテナ名です。
 		 <replaceable>--rbdpool POOL</replaceable> を指定すると、POOL という名前のプール内にブロックデバイスを作成します。このオプションを指定しない場合のデフォルトのプール名は 'lxc' です。
+		 <replaceable>--rbduser RBDUSER</replaceable> を指定すると、RBDUSER という ceph ユーザを指定してブロックデバイスを作成します。このオプションを指定しない場合のデフォルトのユーザ名は 'admin' です。
 	  </para>
 	  <para>
             <!--

From e4d847bd02f9f6982aa83eacf93a88f0a213b83b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 2 Mar 2026 14:08:40 +0000
Subject: [PATCH 3/6] build(deps): bump actions/upload-artifact from 6 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/builds.yml  | 2 +-
 .github/workflows/fuzzing.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
index 4978c8f54d..fcc620b007 100644
--- a/.github/workflows/builds.yml
+++ b/.github/workflows/builds.yml
@@ -86,7 +86,7 @@ jobs:
           mv ../lxc_* out/
 
       - name: Upload resulting build
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         continue-on-error: true
         with:
           name: ${{ matrix.os }}
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index efd074feb9..a747524ac0 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -37,7 +37,7 @@ jobs:
           sanitizer: ${{ matrix.sanitizer }}
 
       - name: Upload Crash
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         if: failure() && steps.build.outcome == 'success'
         with:
           name: ${{ matrix.sanitizer }}-artifacts

From 589981f4f1330d23585cc3b1fda66aa1c816e09e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 10 Mar 2026 10:43:57 -0400
Subject: [PATCH 4/6] utils: Add quotes around exec arguments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported-by: Korantin Auguste
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 src/lxc/utils.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 1e41d642a1..0c3104192e 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -617,9 +617,9 @@ int run_script_argv(const char *name, unsigned int hook_version,
 		return -ENOMEM;
 
 	if (hook_version == 0)
-		buf_pos = strnprintf(buffer, size, "exec %s %s %s %s", script, name, section, hookname);
+		buf_pos = strnprintf(buffer, size, "exec '%s' '%s' '%s' '%s'", script, name, section, hookname);
 	else
-		buf_pos = strnprintf(buffer, size, "exec %s", script);
+		buf_pos = strnprintf(buffer, size, "exec '%s'", script);
 	if (buf_pos < 0)
 		return log_error_errno(-1, errno, "Failed to create command line for script \"%s\"", script);
 
@@ -712,7 +712,7 @@ int run_script(const char *name, const char *section, const char *script, ...)
 		return -1;
 
 	buffer = must_realloc(NULL, size);
-	ret = strnprintf(buffer, size, "exec %s %s %s", script, name, section);
+	ret = strnprintf(buffer, size, "exec '%s' '%s' '%s'", script, name, section);
 	if (ret < 0)
 		return -1;
 

From 7174f2e2a474bddc37e8e98794422b4714f84738 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 10 Mar 2026 14:44:22 -0400
Subject: [PATCH 5/6] utils: Update buffer size to account for quotes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 src/lxc/utils.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 0c3104192e..c106bfc68e 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -593,20 +593,20 @@ int run_script_argv(const char *name, unsigned int hook_version,
 	size += STRLITERALLEN("exec");
 	size++;
 	size += strlen(script);
-	size++;
+	size += 3;
 
 	if (size > INT_MAX)
 		return -EFBIG;
 
 	if (hook_version == 0) {
 		size += strlen(hookname);
-		size++;
+		size += 3;
 
 		size += strlen(name);
-		size++;
+		size += 3;
 
 		size += strlen(section);
-		size++;
+		size += 3;
 
 		if (size > INT_MAX)
 			return -EFBIG;
@@ -706,7 +706,7 @@ int run_script(const char *name, const char *section, const char *script, ...)
 	size += strlen(script);
 	size += strlen(name);
 	size += strlen(section);
-	size += 4;
+	size += 10;
 
 	if (size > INT_MAX)
 		return -1;

From 2bc6bac9cf2fa29dcce53a4fc810e12fdbfca809 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Tue, 10 Mar 2026 14:55:24 -0400
Subject: [PATCH 6/6] utils: Only single quote our own arguments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user provided hook command may contain its own quoting, so keep that
one as is and only put quotes around the extra arguments that we control
ourselves.

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 src/lxc/utils.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index c106bfc68e..cab8e893bd 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -593,7 +593,7 @@ int run_script_argv(const char *name, unsigned int hook_version,
 	size += STRLITERALLEN("exec");
 	size++;
 	size += strlen(script);
-	size += 3;
+	size++;
 
 	if (size > INT_MAX)
 		return -EFBIG;
@@ -617,9 +617,9 @@ int run_script_argv(const char *name, unsigned int hook_version,
 		return -ENOMEM;
 
 	if (hook_version == 0)
-		buf_pos = strnprintf(buffer, size, "exec '%s' '%s' '%s' '%s'", script, name, section, hookname);
+		buf_pos = strnprintf(buffer, size, "exec %s '%s' '%s' '%s'", script, name, section, hookname);
 	else
-		buf_pos = strnprintf(buffer, size, "exec '%s'", script);
+		buf_pos = strnprintf(buffer, size, "exec %s", script);
 	if (buf_pos < 0)
 		return log_error_errno(-1, errno, "Failed to create command line for script \"%s\"", script);
 
@@ -706,13 +706,13 @@ int run_script(const char *name, const char *section, const char *script, ...)
 	size += strlen(script);
 	size += strlen(name);
 	size += strlen(section);
-	size += 10;
+	size += 8;
 
 	if (size > INT_MAX)
 		return -1;
 
 	buffer = must_realloc(NULL, size);
-	ret = strnprintf(buffer, size, "exec '%s' '%s' '%s'", script, name, section);
+	ret = strnprintf(buffer, size, "exec %s '%s' '%s'", script, name, section);
 	if (ret < 0)
 		return -1;