From: Mike Yuan
Date: Sun, 16 Mar 2025 21:08:48 +0000 (+0100)
Subject: nspawn: do not spuriously override cgroup2fs options on host
X-Git-Tag: v258-rc1~906^2~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=02c4d27b1710f70d1925191b18601848a6776d31;p=thirdparty%2Fsystemd.git
nspawn: do not spuriously override cgroup2fs options on host
---
diff --git a/src/nspawn/nspawn-cgroup.c b/src/nspawn/nspawn-cgroup.c
index 8f246fa958d..fcca16286a7 100644
--- a/src/nspawn/nspawn-cgroup.c
+++ b/src/nspawn/nspawn-cgroup.c
@@ -8,6 +8,7 @@
 #include "format-util.h"
 #include "fs-util.h"
 #include "mkdir.h"
+#include "mount-setup.h"
 #include "mount-util.h"
 #include "mountpoint-util.h"
 #include "nspawn-cgroup.h"
@@ -154,7 +155,7 @@ int mount_cgroups(const char *dest) {
 "%s is already mounted but not a unified cgroup hierarchy. Refusing.", p);
 }
 
- return mount_nofollow_verbose(LOG_ERR, "cgroup", p, "cgroup2", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
+ return mount_cgroupfs(p);
 }
 
 int bind_mount_cgroup_hierarchy(void) {
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index ad2327e0845..df28180624f 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
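Review bot: The call site in mount_cgroups now depends on mount_cgroupfs() reproducing the host's cgroup2 mount options, but nothing on the `return mount_cgroupfs(p);` line says why the plain `mount_nofollow_verbose(..., "cgroup2", ..., NULL)` was dropped, so the next reader may be tempted to put it back. A one-line why-comment above the call would keep the reasoning from the commit title next to the code, e.g. `/* Mount with the same options as the host's cgroup2 mount: when no cgroup namespace is used, a new cgroup2 mount from the initial cgroup namespace replaces the options of the existing one. */`. The body of mount_cgroups starts outside the hunk.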
@@ -66,6 +66,21 @@ static bool cgroupfs_recursiveprot_supported(void) {
 return r > 0;
 }
 
+int mount_cgroupfs(const char *path) {
+ assert(path);
+
+ /* Mount a separate cgroupfs instance, taking all options we initial set into account. This is
+ * especially useful when cgroup namespace is *not* employed, since the kernel overrides all
+ * previous options if a new mount is established in initial cgns (c.f.
+ * https://github.com/torvalds/linux/blob/b69bb476dee99d564d65d418e9a20acca6f32c3f/kernel/cgroup/cgroup.c#L1984)
+ *
+ * The options shall be kept in sync with those in mount_table below. */
+
+ return mount_nofollow_verbose(LOG_ERR, "cgroup2", path, "cgroup2",
+ MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ cgroupfs_recursiveprot_supported() ? "nsdelegate,memory_recursiveprot" : "nsdelegate");
+}
+
 static const MountPoint mount_table[] = {
 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
diff --git a/src/shared/mount-setup.h b/src/shared/mount-setup.h
index 34de1dad0be..58a1b7619c8 100644
--- a/src/shared/mount-setup.h
+++ b/src/shared/mount-setup.h
@@ -8,3 +8,5 @@ bool mount_point_ignore(const char *path);
 int mount_setup_early(void);
 int mount_setup(bool loaded_policy, bool leave_propagation);
+
+int mount_cgroupfs(const char *path);
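Review bot: The option strings in mount_cgroupfs (`"nsdelegate,memory_recursiveprot"` / `"nsdelegate"`) are a hand copy of what mount_table below apparently uses, and the comment only asks readers to keep the two in sync; if they drift, the nspawn caller would (as the comment itself notes for mounts made from the initial cgroup namespace without a cgroup namespace) replace the host's cgroup2 superblock options with different ones, which is exactly what this commit sets out to prevent. Consider defining the two strings once, e.g. a pair of `static const char` constants or a small helper returning the chosen string, and referencing them from both the table entries and this function, so the compiler rather than a comment enforces the coupling. Two wording fixes in the comment as well: `taking all options we initial set into account` → `taking all options we initially set into account`, and `c.f.` → `cf.`. mount_table's cgroup2 rows are not visible in the hunk, so their exact shape is inferred, not confirmed.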