From 937a3af94e48b8f38ec0e717af456d4f11b7b9cc Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 15 Feb 2021 12:05:20 +0100
Subject: [PATCH] cgroups: verify that we are actually running in cgroup
 namespace

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 src/lxc/cgroups/cgfsng.c | 11 ++++++-----
 src/lxc/start.h          |  6 ++++++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index d5883351b..dc5f0972b 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1871,7 +1871,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 {
 	__do_close int dfd_mnt_cgroupfs = -EBADF, fd_fs = -EBADF;
 	__do_free char *cgroup_root = NULL;
-	bool has_cgns = false, wants_force_mount = false;
+	bool in_cgroup_ns = false, wants_force_mount = false;
 	struct lxc_conf *conf = handler->conf;
 	struct lxc_rootfs *rootfs = &conf->rootfs;
 	const char *rootfs_mnt = get_rootfs_mnt(rootfs);
@@ -1911,8 +1911,9 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 			wants_force_mount = true;
 	}
 
-	has_cgns = cgns_supported();
-	if (has_cgns && !wants_force_mount)
+	if (cgns_supported() && container_uses_namespace(handler, CLONE_NEWCGROUP))
+		in_cgroup_ns = true;
+	if (in_cgroup_ns && !wants_force_mount)
 		return true;
 
 	if (type == LXC_AUTO_CGROUP_NOSPEC)
@@ -1930,7 +1931,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 			return log_error_errno(-errno, errno, "Failed to open %d(%s)",
 					       rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE);
 
-		if (has_cgns && wants_force_mount) {
+		if (in_cgroup_ns && wants_force_mount) {
 			/*
 			 * If cgroup namespaces are supported but the container
 			 * will not have CAP_SYS_ADMIN after it has started we
@@ -1995,7 +1996,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 		if (ret < 0)
 			return log_error_errno(false, errno, "Failed to create cgroup mountpoint %d(%s)", dfd_mnt_cgroupfs, controller);
 
-		if (has_cgns && wants_force_mount) {
+		if (in_cgroup_ns && wants_force_mount) {
 			/*
 			 * If cgroup namespaces are supported but the container
 			 * will not have CAP_SYS_ADMIN after it has started we
diff --git a/src/lxc/start.h b/src/lxc/start.h
index b06b0dd04..fa1593b98 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -180,4 +180,10 @@ __hidden extern int __lxc_start(struct lxc_handler *, struct lxc_operations *, v
 __hidden extern int resolve_clone_flags(struct lxc_handler *handler);
 __hidden extern void lxc_expose_namespace_environment(const struct lxc_handler *handler);
 
+static inline bool container_uses_namespace(const struct lxc_handler *handler,
+					    unsigned int ns_flag)
+{
+	return (handler->ns_clone_flags & ns_flag);
+}
+
 #endif
-- 
2.47.2