Fixes it to actually single-quote.

Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit 6433705)
(cherry picked from commit 60d9d27)

This avoids potential shell expansion of the strings should some special
characters manage to make it through.

Signed-off-by: Rory McNamara <[email protected]>
(cherry picked from commit 0e0cf45ecdcc902a6f319f11971ed27df81bd29f)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
(cherry picked from commit dbc1323)
(cherry picked from commit 8f07a1d)

Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit 24fc892)
(cherry picked from commit 6787086)

…t variables

LXC doesn't currently have a syntax to hold a multi-line environment
variable in its configuration. The use of multi-line environment
variables leads to a corrupted configuration file and to a security
issue where additional lines may be added by an unprivileged user to
escalate their privileges.

This fixes CVE-2026-23953.

Reported-by: Rory McNamara <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit cdf037409fbb35ab0f9fdc4e0e8cc706adbca99e)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
(cherry picked from commit a53d166)
(cherry picked from commit 5e57e2c)
Signed-off-by: Thomas Parrott <[email protected]>

Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit 7d5a13b)
(cherry picked from commit 77d5190)

…targets

This fixes three security issues related to file templates:

 - The template target path could be made to be relative or gothrough
   symlinks in a way that could lead to arbitrary write to the host
   filesystem.

 - The template directory could be relative, allowing for arbitrary read
   from the host filesystem.

 - The template file itself could be made relative, allowing for
   arbitrary reads from the host filesystem.

In the case of the template target path, the new logic makes use of the
kernel's openat2 system call which brings a variety of flags that can be
used to restrict path resolution and detect potential issues.

For the template path itself, we now validate that it is a simple local
file and that the template directory isn't a symlink.

This fixes CVE-2026-23954

Reported-by: Rory McNamara <[email protected]>
Signed-off-by: Stéphane Graber <[email protected]>
(cherry picked from commit c1d90bd34a7ccc224276b87644d7c75437f1cb64)
Signed-off-by: Thomas Parrott <[email protected]>
License: Apache-2.0
(cherry picked from commit d1c8ba1)
(cherry picked from commit 29ec347)

…llow error wrapping

Also:
 - Closes rootfs file handle earlier.
 - Handles errors if file handles error when closing.

Signed-off-by: Thomas Parrott <[email protected]>
(cherry picked from commit c981c47)
(cherry picked from commit 27f35f4)