From: Michael Tremer Date: Thu, 4 May 2023 15:43:10 +0000 (+0000) Subject: cgroups: Don't create groups in system root for unprivileged users X-Git-Tag: 0.9.29~164 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31d7e29a423d3eef5b70964863ba4b1cf09e8301;p=pakfire.git cgroups: Don't create groups in system root for unprivileged users Signed-off-by: Michael Tremer
---
diff --git a/src/libpakfire/cgroup.c b/src/libpakfire/cgroup.c
index 22b6ba83c..57dda52bd 100644
--- a/src/libpakfire/cgroup.c
+++ b/src/libpakfire/cgroup.c
@@ -30,7 +30,6 @@
 #include
 #include
-#define ROOT "/sys/fs/cgroup"
 #define BUFFER_SIZE 64 * 1024
 enum pakfire_cgroup_controllers {
@@ -50,6 +49,9 @@ struct pakfire_cgroup {
 struct pakfire* pakfire;
 int nrefs;
+ // Store the root path
+ char root[PATH_MAX];
+
 // Flags
 int flags;
@@ -69,6 +71,29 @@ static int pakfire_cgroup_has_flag(struct pakfire_cgroup* cgroup, int flag) {
 return cgroup->flags & flag;
 }
+static int pakfire_cgroup_set_root(struct pakfire_cgroup* cgroup) {
+ int r;
+
+ // Find the current UID
+ const uid_t uid = getuid();
+
+ switch (uid) {
+ // root
+ case 0:
+ r = pakfire_string_set(cgroup->root, "/sys/fs/cgroup");
+
+ // unprivileged users
+ default:
+ r = pakfire_string_format(cgroup->root,
+ "/sys/fs/cgroup/user.slice/user-%d.slice/user@%d.service", uid, uid);
+ }
+
+ if (r)
+ ERROR(cgroup->pakfire, "Could not determine cgroup root: %m\n");
+
+ return r;
+}
+
 static const char* pakfire_cgroup_name(struct pakfire_cgroup* cgroup) {
 if (pakfire_cgroup_is_root(cgroup))
 return "(root)";
@@ -156,9 +181,9 @@ static void pakfire_cgroup_free(struct pakfire_cgroup* cgroup) {
 }
 static int pakfire_cgroup_open_root(struct pakfire_cgroup* cgroup) {
- int fd = open(ROOT, O_DIRECTORY|O_PATH|O_CLOEXEC);
+ int fd = open(cgroup->root, O_DIRECTORY|O_PATH|O_CLOEXEC);
 if (fd < 0) {
- ERROR(cgroup->pakfire, "Could not open %s: %m\n", ROOT);
+ ERROR(cgroup->pakfire, "Could not open %s: %m\n", cgroup->root);
 return -1;
 }
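Review bot: In the third hunk (`@@ -69,6 +71,29 @@`), the `case 0:` arm of pakfire_cgroup_set_root has no `break;`, so control falls through into `default:` and root's path is overwritten with `/sys/fs/cgroup/user.slice/user-0.slice/user@0.service`. The return value of the first pakfire_string_set is discarded the same way, so an error in the root arm would go unreported. As written, root never gets `/sys/fs/cgroup`, contrary to the `// root` comment, and on a host where that user slice does not exist the later open of `cgroup->root` would presumably fail. Add `break;` after the `pakfire_string_set(...)` line, and after the default arm for symmetry. Separately, `uid` is a `uid_t`, which is unsigned on Linux, so the format should use `%u` with `(unsigned int)uid` rather than `%d`; the whole function lies inside this hunk.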
@@ -172,7 +197,7 @@ static int __pakfire_cgroup_create(struct pakfire_cgroup* cgroup) {
 DEBUG(cgroup->pakfire, "Trying to create cgroup %s\n", pakfire_cgroup_name(cgroup));
 // Compose the absolute path
- r = pakfire_path_join(path, ROOT, cgroup->path);
+ r = pakfire_path_join(path, cgroup->root, cgroup->path);
 if (r)
 return 1;
@@ -485,6 +510,11 @@ int pakfire_cgroup_open(struct pakfire_cgroup** cgroup,
 // Initialize reference counter
 c->nrefs = 1;
+ // Find the root
+ r = pakfire_cgroup_set_root(c);
+ if (r)
+ goto ERROR;
+
 // Copy path
 pakfire_string_set(c->path, path);