From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 27 Oct 2021 21:17:50 +0000 (+0200)
Subject: scope: refuse activation of scopes if no PIDs to add are left
X-Git-Tag: v250-rc1~386^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F21163%2Fhead;p=thirdparty%2Fsystemd.git

scope: refuse activation of scopes if no PIDs to add are left

If all processes we are supposed to add are gone by the time we are
ready to do so, let's fail.

THis is heavily based on Cunlong Li's work, who thankfully tracked this
down.

Replaces: #20577
---

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 98672c26e28..abc30e3990c 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -2291,7 +2291,8 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
                                 ret = r; /* Remember first error */
 
                         continue;
-                }
+                } else if (ret >= 0)
+                        ret++; /* Count successful additions */
 
                 r = cg_all_unified();
                 if (r < 0)
diff --git a/src/core/scope.c b/src/core/scope.c
index 74f16233c58..63d3288caf1 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -391,6 +391,12 @@ static int scope_start(Unit *u) {
                 scope_enter_dead(s, SCOPE_FAILURE_RESOURCES);
                 return r;
         }
+        if (r == 0) {
+                log_unit_warning(u, "No PIDs left to attach to the scope's control group, refusing: %m");
+                scope_enter_dead(s, SCOPE_FAILURE_RESOURCES);
+                return -ECHILD;
+        }
+        log_unit_debug(u, "%i %s added to scope's control group.", r, r == 1 ? "process" : "processes");
 
         s->result = SCOPE_SUCCESS;