From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sun, 21 Feb 2021 19:03:45 +0000 (+0100)
Subject: cgroups: close dfd_mon but keep dfd_con and dfd_lim open for all cgroup hierarchies
X-Git-Tag: lxc-5.0.0~273^2~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=840eec19c3bd3d26b4bc38fab30339bfc43d0890;p=thirdparty%2Flxc.git

cgroups: close dfd_mon but keep dfd_con and dfd_lim open for all cgroup hierarchies

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 345f5f655..c3363279a 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1364,7 +1364,7 @@ __cgfsng_ops static bool cgfsng_chown(struct cgroup_ops *ops,
 	return true;
 }
 
-__cgfsng_ops static void cgfsng_payload_finalize(struct cgroup_ops *ops)
+__cgfsng_ops static void cgfsng_finalize(struct cgroup_ops *ops)
 {
 	if (!ops)
 		return;
@@ -1372,6 +1372,15 @@ __cgfsng_ops static void cgfsng_payload_finalize(struct cgroup_ops *ops)
 	if (!ops->hierarchies)
 		return;
 
+	for (int i = 0; ops->hierarchies[i]; i++) {
+		struct hierarchy *h = ops->hierarchies[i];
+
+		/* Close all monitor cgroup file descriptors. */
+		close_prot_errno_disarm(h->dfd_mon);
+	}
+	/* Close the cgroup root file descriptor. */
+	close_prot_errno_disarm(ops->dfd_mnt);
+
 	/*
 	 * The checking for freezer support should obviously be done at cgroup
 	 * initialization time but that doesn't work reliable. The freezer
@@ -3313,7 +3322,7 @@ struct cgroup_ops *cgroup_ops_init(struct lxc_conf *conf)
 	cgfsng_ops->payload_delegate_controllers	= cgfsng_payload_delegate_controllers;
 	cgfsng_ops->payload_create			= cgfsng_payload_create;
 	cgfsng_ops->payload_enter			= cgfsng_payload_enter;
-	cgfsng_ops->payload_finalize			= cgfsng_payload_finalize;
+	cgfsng_ops->finalize				= cgfsng_finalize;
 	cgfsng_ops->get_cgroup				= cgfsng_get_cgroup;
 	cgfsng_ops->get					= cgfsng_get;
 	cgfsng_ops->set 				= cgfsng_set;
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index 85ffb260d..7226c7ce5 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -218,7 +218,7 @@ struct cgroup_ops {
 				 struct lxc_handler *handler);
 	bool (*monitor_delegate_controllers)(struct cgroup_ops *ops);
 	bool (*payload_delegate_controllers)(struct cgroup_ops *ops);
-	void (*payload_finalize)(struct cgroup_ops *ops);
+	void (*finalize)(struct cgroup_ops *ops);
 	const char *(*get_limiting_cgroup)(struct cgroup_ops *ops, const char *controller);
 };
 
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 67a234848..f8c22ff73 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1888,7 +1888,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 		}
 	}
 
-	cgroup_ops->payload_finalize(cgroup_ops);
+	cgroup_ops->finalize(cgroup_ops);
 	TRACE("Finished setting up cgroups");
 
 	if (handler->ns_unshare_flags & CLONE_NEWTIME) {