From 73a8992e9f61f2a85ff78a38a8e51fe45f1711cc Mon Sep 17 00:00:00 2001
From: Adriaan Schmidt
Date: Tue, 2 Apr 2024 14:55:46 +0200
Subject: [PATCH] fix: cgroupv2_subtree_control_recursive(): test before writing

cgroupv2_subtree_control_recursive() writes to subtree_control files in the cgroup tree, starting at the root cgroup. As the root cgroup is managed by SystemD, its control files belong to the root user. This new check ensures that we only attempt to write to subtree_control if the desired controller is not already active (e.g., because we're using SystemD Delegation mechanisms), thus better enabling cgroup manipulations for non-root users.

Signed-off-by: Adriaan Schmidt
Reviewed-by: Kamalesh Babulal
Signed-off-by: Tom Hromatka
---
 src/api.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/api.c b/src/api.c
index 526bda8a..09f04783 100644
--- a/src/api.c
+++ b/src/api.c
@@ -2625,7 +2625,7 @@ static int test_and_set_ctrl_mnt_path(const char * const mount_path, const char
 STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name, bool enable)
 {
 char *path_copy, *tmp_path, *stok_buff = NULL;
- bool found_mount = false;
+ bool found_mount = false, controller_enabled = false;
 size_t mount_len;
 int i, error = 0;

@@ -2679,6 +2679,12 @@ STATIC int cgroupv2_subtree_control_recursive(char *path, const char *ctrl_name,
 if (error)
 goto out;

+ error = cgroupv2_get_subtree_control(path_copy, ctrl_name, &controller_enabled);
+ if (controller_enabled)
+ continue;
+ if (error != ECGROUPNOTMOUNTED)
+ goto out;
+
 error = cgroupv2_subtree_control(path_copy, ctrl_name, enable);
 if (error)
 goto out;
-- 
2.47.2
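Review bot: The new early `continue` in the second hunk tests only `controller_enabled` and never consults `enable`, so a call with `enable == false` on a level where the controller is currently active skips the write and leaves the controller on while the walk proceeds as if nothing were wrong. Comparing against the requested state, `if (controller_enabled == enable) continue;`, keeps the skip-when-nothing-to-do behaviour in both directions; the following test would then have to let a zero return through, e.g. `if (error && error != ECGROUPNOTMOUNTED) goto out;` (this assumes the helper returns 0 when the controller is listed, which is not visible here). `controller_enabled` is also initialised only at its declaration in the first hunk, so unless cgroupv2_get_subtree_control() stores to it on every path, a `true` left from an earlier level could mask a read failure on a later one; resetting it to `false` at the top of each iteration removes that dependency. The loop body starts and ends outside this hunk, so what happens to `error` after a `continue` on the last level should be checked against the full function.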