From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 7 Dec 2019 20:51:58 +0000 (+0100)
Subject: cgroups/cgfsng: rework cgroup2 unprivileged delegation
X-Git-Tag: lxc-4.0.0~78^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d606c4e9d2c311f701ec904ca42f92be45633162;p=thirdparty%2Flxc.git

cgroups/cgfsng: rework cgroup2 unprivileged delegation

We accidently checked files to delegate for privileged container and not for
unprivileged containers in the pure unified case. Fix that and clean up the
delegation file parsing.

Closes #3206.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 2011eb8a2..f42bedd27 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -2896,29 +2896,30 @@ static bool cgroup_use_wants_controllers(const struct cgroup_ops *ops,
 
 static void cg_unified_delegate(char ***delegate)
 {
-	__do_free char *tmp = NULL;
-	int idx;
+	__do_free char *buf = NULL;
 	char *standard[] = {"cgroup.subtree_control", "cgroup.threads", NULL};
+	char *token;
+	int idx;
 
-	tmp = read_file("/sys/kernel/cgroup/delegate");
-	if (!tmp) {
+	buf = read_file("/sys/kernel/cgroup/delegate");
+	if (!buf) {
 		for (char **p = standard; p && *p; p++) {
 			idx = append_null_to_list((void ***)delegate);
 			(*delegate)[idx] = must_copy_string(*p);
 		}
-	} else {
-		char *token;
-		lxc_iterate_parts (token, tmp, " \t\n") {
-			/*
-			 * We always need to chown this for both cgroup and
-			 * cgroup2.
-			 */
-			if (strcmp(token, "cgroup.procs") == 0)
-				continue;
+		log_warn_errno(return, errno, "Failed to read /sys/kernel/cgroup/delegate");
+	}
 
-			idx = append_null_to_list((void ***)delegate);
-			(*delegate)[idx] = must_copy_string(token);
-		}
+	lxc_iterate_parts (token, buf, " \t\n") {
+		/*
+		 * We always need to chown this for both cgroup and
+		 * cgroup2.
+		 */
+		if (strcmp(token, "cgroup.procs") == 0)
+			continue;
+
+		idx = append_null_to_list((void ***)delegate);
+		(*delegate)[idx] = must_copy_string(token);
 	}
 }
 
@@ -3112,9 +3113,10 @@ static int cg_unified_init(struct cgroup_ops *ops, bool relative,
 	if (!relative)
 		prune_init_scope(base_cgroup);
 
-	/* We assume that we have already been given controllers to delegate
-	 * further down the hierarchy. If not it is up to the user to delegate
-	 * them to us.
+	/*
+	 * We assume that the cgroup we're currently in has been delegated to
+	 * us and we are free to further delege all of the controllers listed
+	 * in cgroup.controllers further down the hierarchy.
 	 */
 	mountpoint = must_copy_string(DEFAULT_CGROUP_MOUNTPOINT);
 	subtree_path = must_make_path(mountpoint, base_cgroup, "cgroup.controllers", NULL);
@@ -3132,7 +3134,7 @@ static int cg_unified_init(struct cgroup_ops *ops, bool relative,
 	 */
 
 	new = add_hierarchy(&ops->hierarchies, delegatable, mountpoint, base_cgroup, CGROUP2_SUPER_MAGIC);
-	if (!unprivileged)
+	if (unprivileged)
 		cg_unified_delegate(&new->cgroup2_chown);
 
 	if (bpf_devices_cgroup_supported())