attach: unshare cgroupns if possible

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
Changelog 20160104: only try if kernel supports cgns.

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 13989e863d79ccf4f60826f5d7eb73e4600431e9..2dc9a0725cbeb1817370b0d71f8248b0e3bdfd46 100644 (file)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -957,6 +957,13 @@ int lxc_attach(const char* name, const char* lxcpath, lxc_attach_exec_t exec_fun
                WARN("could not change directory to '%s'", new_cwd);
        free(cwd);
 
+       if (options->attach_flags & LXC_ATTACH_MOVE_TO_CGROUP && cgns_supported()) {
+               if (unshare(CLONE_NEWCGROUP) != 0) {
+                       SYSERROR("cgroupns unshare: permission denied");
+                       rexit(-1);
+               }
+       }
+
        /* now create the real child process */
        {
                struct attach_clone_payload payload = {