git.ipfire.org Git - thirdparty/systemd.git/commit

author	Ryan Wilson <ryantimwilson@meta.com>
	Fri, 18 Oct 2024 18:41:09 +0000 (11:41 -0700)
committer	Ryan Wilson <ryantimwilson@meta.com>
	Mon, 28 Oct 2024 15:37:36 +0000 (08:37 -0700)
commit	cd58b5a13537fc89b669ff9232ba2206214c9fa1
tree	e5dd41b7cf691378b2023deb37042721dba70cfd	tree \| snapshot
parent	5fe29238289104855fa00cbebd71742d504d6a9f	commit \| diff

cgroup: Add support for ProtectControlGroups= private and strict

This commit adds two settings private and strict to
the ProtectControlGroups= property. Private will unshare the cgroup
namespace and mount a read-write private cgroup2 filesystem at /sys/fs/cgroup.
Strict does the same except the mount is read-only. Since the unit is
running in a cgroup namespace, the new root of /sys/fs/cgroup is the unit's
own cgroup.

We also add a new dbus property ProtectControlGroupsEx which accepts strings
instead of boolean. This will allow users to use private/strict via dbus
and systemd-run in addition to service files.

Note private and strict fall back to no and yes respectively if the kernel
doesn't support cgroup2 or system is not using unified hierarchy.

Fixes: #34634

man/org.freedesktop.systemd1.xml		diff \| blob \| blame \| history
man/systemd.exec.xml		diff \| blob \| blame \| history
src/core/dbus-execute.c		diff \| blob \| blame \| history
src/core/exec-invoke.c		diff \| blob \| blame \| history
src/core/execute.c		diff \| blob \| blame \| history
src/core/execute.h		diff \| blob \| blame \| history
src/core/namespace.c		diff \| blob \| blame \| history
src/core/namespace.h		diff \| blob \| blame \| history
src/shared/bus-unit-util.c		diff \| blob \| blame \| history
test/units/TEST-07-PID1.protect-control-groups.sh	[new file with mode: 0755]	blob