From 1bdfc7b9512ec5fb3875d1691cb95c13a1ff610c Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Fri, 17 Nov 2017 18:04:25 +0900
Subject: [PATCH] core/cgroup: assigning empty string to Delegate= resets list of controllers (#7336)
Before this, assigning empty string to Delegate= makes no change to the controller list. This is inconsistent to the other options that take list of strings. After this, when empty string is assigned to Delegate=, the list of controllers is reset. Such behavior is consistent to other options and useful for drop-in configs.
Closes #7334.
---
 man/systemd.resource-control.xml | 3 ++-
 src/core/dbus-cgroup.c | 7 +++++--
 src/core/load-fragment.c | 6 ++++++
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/man/systemd.resource-control.xml b/man/systemd.resource-control.xml
index 761a6056dec..9bf2d7e774c 100644
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@@ -723,7 +723,8 @@ enabled for the unit, making them available to the unit's processes for management. If false, delegation is turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation is turned on, and the specified controllers are enabled for the unit. Note that assigning the empty string
- will enable delegation, but not enable any additional controllers. Defaults to false.
+ will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect.
+ Defaults to false.
 Note that controller delegation to less privileged code is only safe on the unified control group hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index dd8aa183636..e8e8b89bb2a 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -395,9 +395,12 @@ static int bus_cgroup_set_transient_property(
 return r;
 c->delegate = true;
- c->delegate_controllers |= mask;
+ if (mask == 0)
+ c->delegate_controllers = 0;
+ else
+ c->delegate_controllers |= mask;
- unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", t);
+ unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", strempty(t));
 }
 return 1;
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index c1cf8379e82..52a10dd24bc 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3297,6 +3297,12 @@ int config_parse_delegate(
 * off for all. Or it takes a list of controller names, in which case we add the specified controllers to the
 * mask to delegate. */
+ if (isempty(rvalue)) {
+ c->delegate = true;
+ c->delegate_controllers = 0;
+ return 0;
+ }
+
 r = parse_boolean(rvalue);
 if (r < 0) {
 const char *p = rvalue;
--
2.47.3
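Review bot: The added branch in `bus_cgroup_set_transient_property()` uses `mask == 0` as the reset marker, whereas `config_parse_delegate()` in the same commit keys the reset on `isempty(rvalue)`. The two agree only if a non-empty input can never produce a zero mask, which this hunk does not show. A comment on the branch would record that assumption, for example `/* A zero mask means an empty controller list: reset the mask, delegation itself stays enabled (keep in sync with config_parse_delegate()) */`. The drop-in written as `Delegate=` with `strempty(t)` also relies on the loader treating an empty value as enable plus reset, so the two paths need to change together. The function starts and ends outside the hunk.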
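Review bot: The block comment directly above the added `if (isempty(rvalue))` in `config_parse_delegate()` still describes only the boolean and controller-list forms, so the new empty-value case is undocumented where it is handled. The branch sets `c->delegate = true` before clearing `c->delegate_controllers`, so an empty `Delegate=` in a drop-in leaves delegation turned on rather than returning to the documented default of false. Someone overriding a unit to withdraw delegation has to write a false boolean instead. I would extend the comment with `An empty string resets the controller mask but keeps delegation enabled; assign a false boolean to turn delegation off.` The function's body continues outside the hunk.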