git.ipfire.org Git - thirdparty/systemd.git/commit

author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Fri, 25 Apr 2025 10:40:52 +0000 (12:40 +0200)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Thu, 5 Jun 2025 10:37:02 +0000 (12:37 +0200)
commit	f8f67eab70737549325a718d66c589847043516a
tree	82318c9ef57d1e3d3e7c652b257df49f9352022f	tree \| snapshot
parent	2d8191f4af416a7c7042353121e3ae3f93b56f4d	commit \| diff

core: Make sure we handle DelegateSubgroup= in combo with cgroupns

Currently, if we use a cgroup namespace together with DelegateSubgroup=,
the subgroup becomes the root of the cgroup namespace because we move the
service process to the subgroup before we unshare the cgroup namespace, and
the current cgroup becomes the root of the cgroup namespace when we unshare
the cgroup namespace.

Let's fix the problem by not moving the service process to the subgroup until
we've unshared the cgroup namespace. Note that this doesn't break the primary use
case of CLONE_INTO_CGROUP since we still use it to immediately clone into the service
main cgroup, just not anymore into the subgroup, but this shouldn't matter in practice.

Additionally, we need special handling for control processes, as those *do*
need to get spawned into the subcgroup immediately if delegation is configured to
avoid violating the cgroupsv2 "no inner processes" rule.

Effectively, this leaves us with the following logic:
- In exec_spawn(), spawn into subgroup if we're spawning a control process
  that needs to be spawned into a subgroup immediately. Otherwise, spawn into
  main service cgroup.
- In exec_invoke(), move into subgroup early if we don't need a cgroup namespace.
  Otherwise, move into subgroup after we've unshared the cgroup namespace.

src/core/exec-invoke.c		diff \| blob \| blame \| history
src/core/execute.c		diff \| blob \| blame \| history
src/core/execute.h		diff \| blob \| blame \| history
test/units/TEST-07-PID1.protect-control-groups.sh		diff \| blob \| blame \| history