author | Lennart Poettering <lennart@poettering.net> | 2017-11-28 17:58:00 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2017-12-05 13:49:13 +0100 |
commit | de54e02d5e2d4735edface6505b49b99b6bacc85 (patch) | |
tree | e0a0e5f5b2ae41396269b32725f608c2e0e69314 | |
parent | 2d3a5a73e0fd5283bd9de42decfd779e6a85ba53 (diff) | |
download | systemd-de54e02d5e2d4735edface6505b49b99b6bacc85.tar.gz |
nspawn: when in hybrid mode, chown() both the legacy and the unified hierarchy to the root in the container
If user namespacing is used, let's make sure that the root user in the
container gets access to both /sys/fs/cgroup/systemd and
/sys/fs/cgroup/unified.
This matches similar logic in cg_set_access().
-rw-r--r-- | src/nspawn/nspawn-cgroup.c | 15 | ||||
-rw-r--r-- | src/nspawn/nspawn-cgroup.h | 2 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 2 |
3 files changed, 16 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-cgroup.c b/src/nspawn/nspawn-cgroup.c
index 4b07b38163..d51585a652 100644
--- a/src/nspawn/nspawn-cgroup.c
+++ b/src/nspawn/nspawn-cgroup.c
@@ -57,7 +57,7 @@ static int chown_cgroup_path(const char *path, uid_t uid_shift) {
         return 0;
 }
-int chown_cgroup(pid_t pid, uid_t uid_shift) {
+int chown_cgroup(pid_t pid, CGroupUnified unified_requested, uid_t uid_shift) {
         _cleanup_free_ char *path = NULL, *fs = NULL;
         int r;
@@ -73,6 +73,19 @@ int chown_cgroup(pid_t pid, uid_t uid_shift) {
         if (r < 0)
                 return log_error_errno(r, "Failed to chown() cgroup %s: %m", fs);
+        if (unified_requested == CGROUP_UNIFIED_SYSTEMD) {
+                _cleanup_free_ char *lfs = NULL;
+                /* Always propagate access rights from unified to legacy controller */
+
+                r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER_LEGACY, path, NULL, &lfs);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to get file system path for container cgroup: %m");
+
+                r = chown_cgroup_path(lfs, uid_shift);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to chown() cgroup %s: %m", lfs);
+        }
+
         return 0;
 }
diff --git a/src/nspawn/nspawn-cgroup.h b/src/nspawn/nspawn-cgroup.h
index e66a854843..3855e5b4ea 100644
--- a/src/nspawn/nspawn-cgroup.h
+++ b/src/nspawn/nspawn-cgroup.h
@@ -25,6 +25,6 @@
 #include "cgroup-util.h"
-int chown_cgroup(pid_t pid, uid_t uid_shift);
+int chown_cgroup(pid_t pid, CGroupUnified unified_requested, uid_t uid_shift);
 int sync_cgroup(pid_t pid, CGroupUnified unified_requested, uid_t uid_shift);
 int create_subcgroup(pid_t pid, CGroupUnified unified_requested);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index dfe48bcf56..ccf5418ceb 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3619,7 +3619,7 @@ static int run(int master,
                 return r;
         }
-        r = chown_cgroup(*pid, arg_uid_shift);
+        r = chown_cgroup(*pid, arg_unified_cgroup_hierarchy, arg_uid_shift);
         if (r < 0)
                 return r; |
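Review bot: The comment `/* Always propagate access rights from unified to legacy controller */` in the new block of the second nspawn-cgroup.c hunk is misleading: the code runs only when `unified_requested == CGROUP_UNIFIED_SYSTEMD` (hybrid mode), and it performs a second chown() rather than propagating anything, so "always" and "propagate" both misdescribe it. I would move the comment above the `if` and state the actual reason from the commit message, e.g. `/* In hybrid mode the container cgroup exists in both hierarchies; chown() the legacy one as well so that, with user namespacing, container root gets access to /sys/fs/cgroup/systemd and not only /sys/fs/cgroup/unified. Mirrors cg_set_access(). */`. The first `cg_get_path()`/chown of `fs` sits outside the hunk, so I cannot confirm which controller it targets; presumably SYSTEMD_CGROUP_CONTROLLER resolving to the unified hierarchy here, which is what makes the legacy path the one left uncovered. Since this chown() is what grants an unprivileged container root write access to its cgroup, the hierarchy handled depends entirely on the caller-supplied `unified_requested` agreeing with the host's actual mode; the header hunk shows sync_cgroup() and create_subcgroup() already take the same parameter, so the dependency is at least consistent, but it is worth a sentence in the comment. chown_cgroup()'s body begins before the hunk.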