From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 24 Jan 2024 21:40:04 +0000 (+0100)
Subject: cgroup: don't enable bpf pseudo-controllers when doing a wildcard delegation
X-Git-Tag: v256-rc1~1044
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=677e6c14b199c1fa637b7c4c8cae39c31213a79d;p=thirdparty%2Fsystemd.git

cgroup: don't enable bpf pseudo-controllers when doing a wildcard delegation

We can only delegate actual controllers, not the BPF pseudo-controllers
we defined as there's imply no concept for that. Hence, when users set
Delegate=yes to do a wildcard delegation, only delegate the regular
controllers.

This means that we won't bother with BPF stuff for such units where it's
entirelly unnecessary.
---

diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index be97258d168..f62b26458d4 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -67,10 +67,13 @@ typedef enum CGroupMask {
         /* All real cgroup v2 controllers */
         CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS,
 
+        /* All controllers we want to delegate in case of Delegate=yes. Which are prety much the v2 controllers only, as delegation on v1 is not safe, and bpf stuff isn't a real controller */
+        CGROUP_MASK_DELEGATE = CGROUP_MASK_V2,
+
         /* All cgroup v2 BPF pseudo-controllers */
         CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN|CGROUP_MASK_BPF_SOCKET_BIND|CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES,
 
-        _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1
+        _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1,
 } CGroupMask;
 
 static inline CGroupMask CGROUP_MASK_EXTEND_JOINED(CGroupMask mask) {
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 4c0b3ddf9c2..bba38bddc9b 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -542,7 +542,7 @@ static int bus_cgroup_set_transient_property(
 
                 if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
                         c->delegate = b;
-                        c->delegate_controllers = b ? _CGROUP_MASK_ALL : 0;
+                        c->delegate_controllers = b ? CGROUP_MASK_DELEGATE : 0;
 
                         unit_write_settingf(u, flags, name, "Delegate=%s", yes_no(b));
                 }
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 6fc6bb36098..5f4e642e545 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -4036,7 +4036,7 @@ int config_parse_delegate(
 
         } else if (r > 0) {
                 c->delegate = true;
-                c->delegate_controllers = _CGROUP_MASK_ALL;
+                c->delegate_controllers = CGROUP_MASK_DELEGATE;
         } else {
                 c->delegate = false;
                 c->delegate_controllers = 0;