jail: Create a leaf cgroup

clone3() does not allow to clone into a cgroup that has subtree_control
set. So we need to create a temporary group.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/libpakfire/cgroup.c b/src/libpakfire/cgroup.c
index 2d7d8a3d5a421a083039d461c5f34944fef64782..def656c8b2a8bd3ce111eba3434636b97d98a132 100644 (file)
--- a/src/libpakfire/cgroup.c
+++ b/src/libpakfire/cgroup.c
@@ -528,6 +528,21 @@ struct pakfire_cgroup* pakfire_cgroup_unref(struct pakfire_cgroup* cgroup) {
        return NULL;
 }
 
+// Open a child cgroup
+int pakfire_cgroup_child(struct pakfire_cgroup** child,
+               struct pakfire_cgroup* cgroup, const char* name, int flags) {
+       char path[PATH_MAX];
+       int r;
+
+       // Join paths
+       r = pakfire_path_join(path, cgroup->path, name);
+       if (r < 0)
+               return 1;
+
+       // Open the child group
+       return pakfire_cgroup_open(child, cgroup->pakfire, path, flags);
+}
+
 static int pakfire_cgroup_procs_callback(struct pakfire_cgroup* cgroup,
                int (*callback)(struct pakfire_cgroup* cgroup, pid_t pid, void* data), void* data) {
        int r = 0;

diff --git a/src/libpakfire/include/pakfire/cgroup.h b/src/libpakfire/include/pakfire/cgroup.h
index 20dd0000beaa6c0c2ed2916802ece8c18b91cd0b..1d5251afdac8611456b2bff27fafad2541bd18f2 100644 (file)
--- a/src/libpakfire/include/pakfire/cgroup.h
+++ b/src/libpakfire/include/pakfire/cgroup.h
@@ -37,6 +37,9 @@ int pakfire_cgroup_open(struct pakfire_cgroup** cgroup,
 struct pakfire_cgroup* pakfire_cgroup_ref(struct pakfire_cgroup* cgroup);
 struct pakfire_cgroup* pakfire_cgroup_unref(struct pakfire_cgroup* cgroup);
 
+int pakfire_cgroup_child(struct pakfire_cgroup** child,
+       struct pakfire_cgroup* cgroup, const char* name, int flags);
+
 int pakfire_cgroup_enable_default_controllers(struct pakfire_cgroup* cgroup);
 
 int pakfire_cgroup_destroy(struct pakfire_cgroup* cgroup);

diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c
index 3d196623efc0cdce6d90d7e918f682b74ba39b40..92faad6fc0bb2e75b1e5c0424d60d39a01440173 100644 (file)
--- a/src/libpakfire/jail.c
+++ b/src/libpakfire/jail.c
@@ -120,6 +120,8 @@ struct pakfire_jail_exec {
                struct pakfire_log_buffer log_ERROR;
                struct pakfire_log_buffer log_DEBUG;
        } buffers;
+
+       struct pakfire_cgroup* cgroup;
 };
 
 static int clone3(struct clone_args* args, size_t size) {
@@ -1299,12 +1301,21 @@ static int __pakfire_jail_exec(struct pakfire_jail* jail, const char* argv[]) {
                .pidfd = (long long unsigned int)&ctx.pidfd,
        };
 
-       // Launch the process in a cgroup (if requested)
+       // Launch the process in a cgroup that is a leaf of the configured cgroup
        if (jail->cgroup) {
                args.flags |= CLONE_INTO_CGROUP;
 
+#warning TODO randomize the name
+
+               // Create a temporary cgroup
+               r = pakfire_cgroup_child(&ctx.cgroup, jail->cgroup, "jail", 0);
+               if (r) {
+                       ERROR(jail->pakfire, "Could not create cgroup for jail: %m\n");
+                       goto ERROR;
+               }
+
                // Clone into this cgroup
-               args.cgroup = pakfire_cgroup_fd(jail->cgroup);
+               args.cgroup = pakfire_cgroup_fd(ctx.cgroup);
        }
 
        // Fork this process
@@ -1353,6 +1364,12 @@ static int __pakfire_jail_exec(struct pakfire_jail* jail, const char* argv[]) {
        }
 
 ERROR:
+       // Destroy the temporary cgroup (if any)
+       if (ctx.cgroup) {
+               pakfire_cgroup_destroy(ctx.cgroup);
+               pakfire_cgroup_unref(ctx.cgroup);
+       }
+
        // Close any file descriptors
        pakfire_jail_close_pipe(jail, ctx.pipes.stdout);
        pakfire_jail_close_pipe(jail, ctx.pipes.stderr);