fix: cgroupv2_subtree_control_recursive(): test before writing
authorAdriaan Schmidt <adriaan.schmidt@siemens.com>
Tue, 2 Apr 2024 12:55:46 +0000 (14:55 +0200)
committerTom Hromatka <tom.hromatka@oracle.com>
Mon, 15 Apr 2024 19:24:36 +0000 (13:24 -0600)
cgroupv2_subtree_control_recursive() writes to subtree_control
files in the cgroup tree, starting at the root cgroup. As the
root cgroup is managed by SystemD, its control files belong to the
root user.
This new check ensures that we only attempt to write to subtree_control
if the desired controller is not already active (e.g., because we're
using SystemD Delegation mechanisms), thus better enabling cgroup
manipulations for non-root users.

Signed-off-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Reviewed-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
src/api.c

index 526bda8ac322486ffd3fd2e62def883bfe705eda..09f047832928595689f972101c56d4b4b1975e2c 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -2625,7 +2625,7 @@ static int test_and_set_ctrl_mnt_path(const char * const mount_path, const char
 STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name, bool enable)
 {
        char *path_copy, *tmp_path, *stok_buff = NULL;
-       bool found_mount = false;
+       bool found_mount = false, controller_enabled = false;
        size_t mount_len;
        int i, error = 0;
 
@@ -2679,6 +2679,12 @@ STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name,
                if (error)
                        goto out;
 
+               error = cgroupv2_get_subtree_control(path_copy, ctrl_name, &controller_enabled);
+               if (controller_enabled)
+                       continue;
+               if (error != ECGROUPNOTMOUNTED)
+                       goto out;
+
                error = cgroupv2_subtree_control(path_copy, ctrl_name, enable);
                if (error)
                        goto out;
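Review bot: The added pre-check ignores the `enable` argument: `if (controller_enabled) continue;` skips the write whenever the controller is already listed in subtree_control, so a call with `enable == false` would leave the controller enabled at that level. The flag is also tested before `error`, and it is initialised only once at the top of the function, so if `cgroupv2_get_subtree_control()` can fail without writing its out-parameter (its body is not visible here), a stale `true` from an earlier iteration would hide that failure. Checking the return value first covers both cases: `if (!error && controller_enabled == enable) continue;` followed by `if (error && error != ECGROUPNOTMOUNTED) goto out;`. This assumes the helper returns 0 when the controller is listed and ECGROUPNOTMOUNTED when it is not, which the hunk implies but does not show; the enclosing loop starts and ends outside the hunk.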