cgmanager: chmod the container's base directory 775
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Fri, 31 Jan 2014 13:03:44 +0000 (13:03 +0000)
committerStéphane Graber <stgraber@ubuntu.com>
Fri, 31 Jan 2014 13:57:46 +0000 (13:57 +0000)
In order for attach to work, the container owner must be able to
write to the tasks file.  Therefore we make the container's cgroup
owned by the container root group, but the container owner uid.
So for the container root to be allowed to create new cgroups, it
needs group write perms.

With this patch, an unprivileged container with an
lxc.mount.auto = cgroup entry can run the cgproxy and pass
all cgmanager tests.

Acls would have been another way to do this, but are not yet being
used/exported by cgmanager.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/cgmanager.c

index 4241ca01cfc3e851e56f0d198d0447ca771109fe..60f9cbe986d56554c85d3a8056643f4634fcb96d 100644 (file)
@@ -264,6 +264,20 @@ static int chown_cgroup_wrapper(void *data)
        return do_chown_cgroup(arg->controller, arg->cgroup_path, arg->origuid);
 }
 
+static bool lxc_cgmanager_chmod(const char *controller,
+               const char *cgroup_path, const char *file, int mode)
+{
+       if (cgmanager_chmod_sync(NULL, cgroup_manager, controller,
+                       cgroup_path, file, mode) != 0) {
+               NihError *nerr;
+               nerr = nih_error_get();
+               ERROR("call to cgmanager_chmod_sync failed: %s", nerr->message);
+               nih_free(nerr);
+               return false;
+       }
+       return true;
+}
+
 static bool chown_cgroup(const char *controller, const char *cgroup_path,
                        struct lxc_conf *conf)
 {
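Review bot: lxc_cgmanager_chmod carries no comment stating that an empty `file` targets the cgroup directory itself, which is exactly how chown_cgroup uses it further down; I would add above the definition `/* Apply @mode to @file inside @cgroup_path of @controller via cgmanager; an empty @file means the directory itself. Logs and returns false on failure. */`. `mode` is declared `int` while every caller passes an octal permission literal; if the cgmanager_chmod_sync prototype accepts a `mode_t`-like value, naming the parameter type accordingly would document the expected range, though that prototype is not visible here. The error path dereferences the pointer returned by nih_error_get() without a NULL check, which appears to follow the existing error-handling style elsewhere in this file as far as the hunk shows.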
@@ -281,6 +295,14 @@ static bool chown_cgroup(const char *controller, const char *cgroup_path,
                ERROR("Error requesting cgroup chown in new namespace");
                return false;
        }
+
+       /* now chmod 775 the directory else the container cannot create cgroups */
+       if (!lxc_cgmanager_chmod(controller, cgroup_path, "", 0775))
+               return false;
+       if (!lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0775))
+               return false;
+       if (!lxc_cgmanager_chmod(controller, cgroup_path, "cgroup.procs", 0775))
+               return false;
        return true;
 }
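Review bot: The 0775 applied to `tasks` and `cgroup.procs` on the two lines after the directory chmod sets the execute bit on regular files, which grants nothing useful and is looser than needed; `0664` gives the container root group the write access the commit message asks for while keeping the mode minimal, so `if (!lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0664))` and the same for `cgroup.procs`. The comment above the block only mentions the directory; I would extend it to `/* chmod 775 the directory and 664 tasks/cgroup.procs so the container root group can create cgroups and attach */`. Note also that a failed chmod returns false after the chown requested in the lines above has already taken effect, so the caller is left with a partially configured cgroup; whether the caller tears it down cannot be seen from this hunk. chown_cgroup's body begins before this hunk.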