From: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Date: Tue, 2 Apr 2024 12:55:46 +0000 (+0200)
Subject: fix: cgroupv2_subtree_control_recursive(): test before writing
X-Git-Tag: v3.2.0~118
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73a8992e9f61f2a85ff78a38a8e51fe45f1711cc;p=thirdparty%2Flibcgroup.git

fix: cgroupv2_subtree_control_recursive(): test before writing

cgroupv2_subtree_control_recursive() writes to subtree_control
files in the cgroup tree, starting at the root cgroup. As the
root cgroup is managed by SystemD, its control files belong to the
root user.
This new check ensures that we only attempt to write to subtree_control
if the desired controller is not already active (e.g., because we're
using SystemD Delegation mechanisms), thus better enabling cgroup
manipulations for non-root users.

Signed-off-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Reviewed-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
---

diff --git a/src/api.c b/src/api.c
index 526bda8a..09f04783 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2625,7 +2625,7 @@ static int test_and_set_ctrl_mnt_path(const char * const mount_path, const char
 STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name, bool enable)
 {
 	char *path_copy, *tmp_path, *stok_buff = NULL;
-	bool found_mount = false;
+	bool found_mount = false, controller_enabled = false;
 	size_t mount_len;
 	int i, error = 0;
 
@@ -2679,6 +2679,12 @@ STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name,
 		if (error)
 			goto out;
 
+		error = cgroupv2_get_subtree_control(path_copy, ctrl_name, &controller_enabled);
+		if (controller_enabled)
+			continue;
+		if (error != ECGROUPNOTMOUNTED)
+			goto out;
+
 		error = cgroupv2_subtree_control(path_copy, ctrl_name, enable);
 		if (error)
 			goto out;