core/cgroup: assigning empty string to Delegate= resets list of controllers (#7336)

Before this, assigning empty string to Delegate= makes no change to the
controller list. This is inconsistent to the other options that take list
of strings. After this, when empty string is assigned to Delegate=, the
list of controllers is reset. Such behavior is consistent to other options
and useful for drop-in configs.

Closes #7334.

diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 761a6056dec73cd3c4ae432d39b7cb47ca31e245..9bf2d7e774cd34099b6faff57ac4466b6de60c0a 100644 (file)
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -723,7 +723,8 @@
           enabled for the unit, making them available to the unit's processes for management. If false, delegation is
           turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation
           is turned on, and the specified controllers are enabled for the unit. Note that assigning the empty string
-          will enable delegation, but not enable any additional controllers. Defaults to false.</para>
+          will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect.
+          Defaults to false.</para>
 
           <para>Note that controller delegation to less privileged code is only safe on the unified control group
           hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on

diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index dd8aa183636d7ce9582d72d0f76805d72db2cde7..e8e8b89bb2aa59263d97e563859d570ce53209ba 100644 (file)
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -395,9 +395,12 @@ static int bus_cgroup_set_transient_property(
                                 return r;
 
                         c->delegate = true;
-                        c->delegate_controllers |= mask;
+                        if (mask == 0)
+                                c->delegate_controllers = 0;
+                        else
+                                c->delegate_controllers |= mask;
 
-                        unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", t);
+                        unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", strempty(t));
                 }
 
                 return 1;

diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index c1cf8379e8286c7d6e350822759da00aa7423e32..52a10dd24bcddcc67eeaa726c57f50fa5f987ce5 100644 (file)
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3297,6 +3297,12 @@ int config_parse_delegate(
          * off for all. Or it takes a list of controller names, in which case we add the specified controllers to the
          * mask to delegate. */
 
+        if (isempty(rvalue)) {
+                c->delegate = true;
+                c->delegate_controllers = 0;
+                return 0;
+        }
+
         r = parse_boolean(rvalue);
         if (r < 0) {
                 const char *p = rvalue;