From b26a994fb8c86a0aee63acb3e780ada73dec93e9 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sun, 16 Mar 2025 22:42:02 +0100
Subject: [PATCH] nspawn: reject existing cgroupfs mount if cgns is enabled

---
 src/nspawn/nspawn-cgroup.c | 5 ++++-
 src/nspawn/nspawn-cgroup.h | 2 +-
 src/nspawn/nspawn.c        | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/nspawn/nspawn-cgroup.c b/src/nspawn/nspawn-cgroup.c
index fcca16286a7..09a581a42a2 100644
--- a/src/nspawn/nspawn-cgroup.c
+++ b/src/nspawn/nspawn-cgroup.c
@@ -134,7 +134,7 @@ int create_subcgroup(
         return 0;
 }
 
-int mount_cgroups(const char *dest) {
+int mount_cgroups(const char *dest, bool accept_existing) {
         const char *p;
         int r;
 
@@ -146,6 +146,9 @@ int mount_cgroups(const char *dest) {
         if (r < 0)
                 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", p);
         if (r > 0) {
+                if (!accept_existing)
+                        return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Refusing existing cgroupfs mount: %s", p);
+
                 if (access(strjoina(p, "/cgroup.procs"), F_OK) >= 0)
                         return 0;
                 if (errno != ENOENT)
diff --git a/src/nspawn/nspawn-cgroup.h b/src/nspawn/nspawn-cgroup.h
index 92f473c1d7a..125bbf5f803 100644
--- a/src/nspawn/nspawn-cgroup.h
+++ b/src/nspawn/nspawn-cgroup.h
@@ -13,5 +13,5 @@ int create_subcgroup(
                 int userns_fd,
                 UserNamespaceMode userns_mode);
 
-int mount_cgroups(const char *dest);
+int mount_cgroups(const char *dest, bool accept_existing);
 int bind_mount_cgroup_hierarchy(void);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 4cd9cc70ae4..2dcab7d3798 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3342,7 +3342,7 @@ static int inner_child(
                 if (r < 0)
                         return log_error_errno(errno, "Failed to unshare cgroup namespace: %m");
 
-                r = mount_cgroups(/* dest = */ NULL);
+                r = mount_cgroups(/* dest = */ NULL, /* accept_existing = */ false);
         } else
                 r = bind_mount_cgroup_hierarchy();
         if (r < 0)
@@ -4217,7 +4217,7 @@ static int outer_child(
         (void) write_string_filef(p, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MODE_0444, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
 
         if (!arg_use_cgns) {
-                r = mount_cgroups(directory);
+                r = mount_cgroups(directory, /* accept_existing = */ true);
                 if (r < 0)
                         return r;
         }
-- 
2.47.3