From aca565fc68f5acb4f157d7cc1a5626a4015e8916 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 9 Aug 2022 16:16:25 +0000
Subject: [PATCH] jail: Create a leaf cgroup

clone3() does not allow to clone into a cgroup that has subtree_control
set. So we need to create a temporary group.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/libpakfire/cgroup.c                 | 15 +++++++++++++++
 src/libpakfire/include/pakfire/cgroup.h |  3 +++
 src/libpakfire/jail.c                   | 21 +++++++++++++++++++--
 3 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/src/libpakfire/cgroup.c b/src/libpakfire/cgroup.c
index 2d7d8a3d..def656c8 100644
--- a/src/libpakfire/cgroup.c
+++ b/src/libpakfire/cgroup.c
@@ -528,6 +528,21 @@ struct pakfire_cgroup* pakfire_cgroup_unref(struct pakfire_cgroup* cgroup) {
 	return NULL;
 }
 
+// Open a child cgroup
+int pakfire_cgroup_child(struct pakfire_cgroup** child,
+		struct pakfire_cgroup* cgroup, const char* name, int flags) {
+	char path[PATH_MAX];
+	int r;
+
+	// Join paths
+	r = pakfire_path_join(path, cgroup->path, name);
+	if (r < 0)
+		return 1;
+
+	// Open the child group
+	return pakfire_cgroup_open(child, cgroup->pakfire, path, flags);
+}
+
 static int pakfire_cgroup_procs_callback(struct pakfire_cgroup* cgroup,
 		int (*callback)(struct pakfire_cgroup* cgroup, pid_t pid, void* data), void* data) {
 	int r = 0;
diff --git a/src/libpakfire/include/pakfire/cgroup.h b/src/libpakfire/include/pakfire/cgroup.h
index 20dd0000..1d5251af 100644
--- a/src/libpakfire/include/pakfire/cgroup.h
+++ b/src/libpakfire/include/pakfire/cgroup.h
@@ -37,6 +37,9 @@ int pakfire_cgroup_open(struct pakfire_cgroup** cgroup,
 struct pakfire_cgroup* pakfire_cgroup_ref(struct pakfire_cgroup* cgroup);
 struct pakfire_cgroup* pakfire_cgroup_unref(struct pakfire_cgroup* cgroup);
 
+int pakfire_cgroup_child(struct pakfire_cgroup** child,
+	struct pakfire_cgroup* cgroup, const char* name, int flags);
+
 int pakfire_cgroup_enable_default_controllers(struct pakfire_cgroup* cgroup);
 
 int pakfire_cgroup_destroy(struct pakfire_cgroup* cgroup);
diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c
index 3d196623..92faad6f 100644
--- a/src/libpakfire/jail.c
+++ b/src/libpakfire/jail.c
@@ -120,6 +120,8 @@ struct pakfire_jail_exec {
 		struct pakfire_log_buffer log_ERROR;
 		struct pakfire_log_buffer log_DEBUG;
 	} buffers;
+
+	struct pakfire_cgroup* cgroup;
 };
 
 static int clone3(struct clone_args* args, size_t size) {
@@ -1299,12 +1301,21 @@ static int __pakfire_jail_exec(struct pakfire_jail* jail, const char* argv[]) {
 		.pidfd = (long long unsigned int)&ctx.pidfd,
 	};
 
-	// Launch the process in a cgroup (if requested)
+	// Launch the process in a cgroup that is a leaf of the configured cgroup
 	if (jail->cgroup) {
 		args.flags |= CLONE_INTO_CGROUP;
 
+#warning TODO randomize the name
+
+		// Create a temporary cgroup
+		r = pakfire_cgroup_child(&ctx.cgroup, jail->cgroup, "jail", 0);
+		if (r) {
+			ERROR(jail->pakfire, "Could not create cgroup for jail: %m\n");
+			goto ERROR;
+		}
+
 		// Clone into this cgroup
-		args.cgroup = pakfire_cgroup_fd(jail->cgroup);
+		args.cgroup = pakfire_cgroup_fd(ctx.cgroup);
 	}
 
 	// Fork this process
@@ -1353,6 +1364,12 @@ static int __pakfire_jail_exec(struct pakfire_jail* jail, const char* argv[]) {
 	}
 
 ERROR:
+	// Destroy the temporary cgroup (if any)
+	if (ctx.cgroup) {
+		pakfire_cgroup_destroy(ctx.cgroup);
+		pakfire_cgroup_unref(ctx.cgroup);
+	}
+
 	// Close any file descriptors
 	pakfire_jail_close_pipe(jail, ctx.pipes.stdout);
 	pakfire_jail_close_pipe(jail, ctx.pipes.stderr);
-- 
2.47.3