From c689b58ad3b30c400c8a394224075a1838c896e5 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Thu, 4 Feb 2021 12:50:43 +0100 Subject: [PATCH] cgroups: restricted fd-only controller mountpoint creation Signed-off-by: Christian Brauner --- src/lxc/cgroups/cgfsng.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index a14193bc9..5bae07aaa 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -1808,6 +1808,7 @@ static inline int cg_mount_cgroup_full(int type, struct hierarchy *h, __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, struct lxc_conf *conf, int type) { + __do_close int dfd_mnt_cgroupfs = -EBADF; __do_free char *cgroup_root = NULL; bool has_cgns = false, wants_force_mount = false; struct lxc_rootfs *rootfs = &conf->rootfs; @@ -1893,6 +1894,14 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, if (ret < 0) return false; + dfd_mnt_cgroupfs = open_at(rootfs->mntpt_fd, + DEFAULT_CGROUP_MOUNTPOINT_RELATIVE, + PROTECT_OPATH_DIRECTORY, + PROTECT_LOOKUP_BENEATH_XDEV, 0); + if (dfd_mnt_cgroupfs < 0) + return log_error_errno(-errno, errno, "Failed to open %d(%s)", + rootfs->mntpt_fd, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE); + for (int i = 0; ops->hierarchies[i]; i++) { __do_free char *controllerpath = NULL, *path2 = NULL; struct hierarchy *h = ops->hierarchies[i]; @@ -1906,7 +1915,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, if (dir_exists(controllerpath)) continue; - ret = mkdir(controllerpath, 0755); + ret = mkdirat(dfd_mnt_cgroupfs, controller, 0000); if (ret < 0) return log_error_errno(false, errno, "Error creating cgroup path: %s", controllerpath); -- 2.47.2