From: Serge Hallyn
Date: Thu, 25 Feb 2016 19:01:12 +0000 (-0800)
Subject: cgfs: make sure we use valid cgroup mountpoints
X-Git-Tag: lxc-1.0.9~85
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2e8fceaa21fd5c3c0bfe1d763416c5c3c0f21ec;p=thirdparty%2Flxc.git

cgfs: make sure we use valid cgroup mountpoints

If lxcfs starts before cgroup-lite, then the first cgroup mountpoints in /proc/self/mountinfo are /run/lxcfs/*. Unprivileged users cannot access these. So privileged containers are ok, and unprivileged containers are ok since they won't cache those to begin with. But unprivileged root-owned containers cache /run/lxcfs/* and then try to use them. So when doing cgroup automounting check whether the mountpoints we have stored are accessible, and if not look for a new one to use.

Signed-off-by: Serge Hallyn
---

diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c
index bb3c88293..e0f1ce3da 100644
--- a/src/lxc/cgfs.c
+++ b/src/lxc/cgfs.c
@@ -635,6 +635,11 @@ static struct cgroup_hierarchy *lxc_cgroup_find_hierarchy(struct cgroup_meta_dat
 return NULL;
 }
 
+static bool mountpoint_is_accessible(struct cgroup_mount_point *mp)
+{
+ return mp && access(mp->mount_point, F_OK) == 0;
+}
+
 static struct cgroup_mount_point *lxc_cgroup_find_mount_point(struct cgroup_hierarchy *hierarchy, const char *group, bool should_be_writable)
 {
 struct cgroup_mount_point **mps;
@@ -642,9 +647,9 @@ static struct cgroup_mount_point *lxc_cgroup_find_mount_point(struct cgroup_hier
 ssize_t quality = -1;
 
 /* trivial case */
- if (hierarchy->rw_absolute_mount_point)
+ if (mountpoint_is_accessible(hierarchy->rw_absolute_mount_point))
 return hierarchy->rw_absolute_mount_point;
- if (!should_be_writable && hierarchy->ro_absolute_mount_point)
+ if (!should_be_writable && mountpoint_is_accessible(hierarchy->ro_absolute_mount_point))
 return hierarchy->ro_absolute_mount_point;
 
 for (mps = hierarchy->all_mount_points; mps && *mps; mps++) {
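Review bot: `mountpoint_is_accessible()` in the first hunk is added without a comment, and `access(mp->mount_point, F_OK)` proves less than the name suggests. It shows only that the path exists and can be resolved, evaluated with the real rather than the effective uid/gid; it says nothing about write access, about the path being a cgroup mount, or about the path being unchanged when it is used later. A one-line comment would keep the new callers in the second hunk and in cgroupfs_mount_cgroup from reading it as a permission check, for example `/* Advisory: true if mp is set and its path resolves for the real uid (F_OK); not a write or mount-type check. */`. The parameter could also be declared `const struct cgroup_mount_point *mp`, since nothing is written through it.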
@@ -654,6 +659,9 @@ static struct cgroup_mount_point *lxc_cgroup_find_mount_point(struct cgroup_hier
 if (prefix_len == 1 && mp->mount_prefix[0] == '/')
 prefix_len = 0;
 
+ if (!mountpoint_is_accessible(mp))
+ continue;
+
 if (should_be_writable && mp->read_only)
 continue;
 
@@ -1392,8 +1400,9 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
 for (info = base_info; info; info = info->next) {
 size_t subsystem_count, i;
 struct cgroup_mount_point *mp = info->designated_mount_point;
- if (!mp)
+ if (!mountpoint_is_accessible(mp))
 mp = lxc_cgroup_find_mount_point(info->hierarchy, info->cgroup_path, true);
+
 if (!mp) {
 SYSERROR("could not find original mount point for cgroup hierarchy while trying to mount cgroup filesystem");
 goto out_error;
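Review bot: The new `if (!mountpoint_is_accessible(mp)) continue;` in the loop of lxc_cgroup_find_mount_point issues an access() call for every candidate before the cheaper `should_be_writable && mp->read_only` test that follows it. Moving the accessibility check below that test would avoid probing mount points that are rejected anyway. The skip is also silent, so when every candidate is inaccessible the caller presumably sees only an empty result. If the file's logging macros are in scope here, a line such as `DEBUG("skipping inaccessible cgroup mount point %s", mp->mount_point);` before the `continue` would make that case diagnosable. The loop body continues outside the hunk.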
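Review bot: In cgroupfs_mount_cgroup an inaccessible `info->designated_mount_point` is now replaced by whatever lxc_cgroup_find_mount_point returns, with nothing logged. The host path later used for the container's cgroup mount can therefore differ from the designated one without any trace. Recording the substitution would help when auditing which path was chosen, e.g. `if (mp) WARN("designated cgroup mount point %s is not accessible, looking for another", mp->mount_point);` placed ahead of the new check. The SYSERROR text still reads as if no mount point had been recorded, although it now also covers the recorded-but-inaccessible case. The function starts and ends outside the hunk.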