author | Lennart Poettering <lennart@poettering.net> | 2022-03-16 14:58:57 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2022-03-16 16:32:44 +0100 |
commit | d9bc1c36141e247d5f78eaeefeab92e9302449fc (patch) | |
tree | 0753e89dec69f85e1d99b1c9504055025326c3d4 /src/shared/cgroup-show.c | |
parent | bde2607563678de28d6cf16e14e7d40bf3fb895a (diff) | |
download | systemd-d9bc1c36141e247d5f78eaeefeab92e9302449fc.tar.gz |
cgroup: also indicate cgroup delegation state in user-accessible xattr
So far we set the "trusted.delegate" xattr on cgroups where delegation
is on. This duplicates this behaviour with the "user.delegate" xattr.
This has two benefits:
1. unprivileged clients can *read* the xattr. "systemd-cgls" can thus
show delegated cgroups as such properly, even when invoked without
privs
2. unprivileged systemd instances can set the xattr, i.e. when systemd
--user delegates a cgroup to further payloads.
This weakens security a tiny bit, given that code that got a cgroup
delegated can manipulate the xattr, but I think that's OK, given they
have a higher trust level regarding cgroups anyway, if they got a
subtree delegated, and access controls on the cgroup itself are still
enforced. Moreover PID 1 as the cgroup manager only sets these xattrs,
never reads them — the xattr is primarily a way to tell payloads about
the delegation, and it's strictly this one way.
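The lookup order the commit describes (read "trusted.delegate" first, fall back to "user.delegate" only when the trusted attribute reads as absent) can be exercised without a live cgroup tree. The following is an added example, not systemd code: `is_delegated_with()` mirrors the control flow of the patched `is_delegated()`, `parse_bool()` is a simplified stand-in for systemd's `parse_boolean()`, and the `fake_store` table with its cgroup paths is a constructed in-memory stand-in for the xattrs on a cgroup tree. The fake reader assumes the Linux rule that a caller without CAP_SYS_ADMIN reading a `trusted.*` xattr gets ENODATA, exactly as if the attribute were missing; on Linux, passing a real cgroup path as `argv[1]` runs the same logic through `getxattr(2)`.

```c
/* Added example, not systemd code: the delegation lookup from the commit above,
 * preferring "trusted.delegate" and falling back to "user.delegate" on ENODATA. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

/* A reader returns the value length, or a negative errno like a thin syscall wrapper. */
typedef ssize_t (*xattr_reader)(const char *path, const char *name, char *buf, size_t size);

/* Simplified stand-in for systemd's parse_boolean(): 1, 0, or -EINVAL. */
static int parse_bool(const char *s) {
        static const char *yes[] = { "1", "yes", "y", "true", "t", "on" };
        static const char *no[]  = { "0", "no", "n", "false", "f", "off" };
        for (size_t i = 0; i < sizeof yes / sizeof *yes; i++)
                if (strcmp(s, yes[i]) == 0) return 1;
        for (size_t i = 0; i < sizeof no / sizeof *no; i++)
                if (strcmp(s, no[i]) == 0) return 0;
        return -EINVAL;
}

/* Same control flow as the patched is_delegated(): 1 = delegated, 0 = not delegated
 * (or neither xattr present), negative errno = read or parse failure, which the
 * caller treats as "not delegated", just as the patch logs and ignores it. */
int is_delegated_with(xattr_reader rd, const char *path) {
        char buf[64];
        ssize_t n = rd(path, "trusted.delegate", buf, sizeof buf - 1);
        if (n == -ENODATA)                       /* trusted one absent (or invisible to us) */
                n = rd(path, "user.delegate", buf, sizeof buf - 1);
        if (n == -ENODATA)
                return 0;
        if (n < 0)
                return (int) n;
        buf[n] = '\0';
        return parse_bool(buf);
}

#ifdef __linux__
/* Real reader for a live cgroup path, e.g. /sys/fs/cgroup/system.slice/foo.service. */
static ssize_t read_xattr_real(const char *path, const char *name, char *buf, size_t size) {
        ssize_t n = getxattr(path, name, buf, size);
        return n < 0 ? -errno : n;
}
#endif

/* Constructed stand-in for a cgroup tree's xattrs (hypothetical unit names). */
struct fake_xattr { const char *path; const char *name; const char *value; };
static const struct fake_xattr fake_store[] = {
        { "/sys/fs/cgroup/system.slice/foo.service", "trusted.delegate", "1" },
        { "/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/bar.service", "user.delegate", "yes" },
        { "/sys/fs/cgroup/system.slice/baz.service", "trusted.delegate", "0" },
        { "/sys/fs/cgroup/system.slice/baz.service", "user.delegate", "1" },
        { "/sys/fs/cgroup/system.slice/bad.service", "user.delegate", "maybe" },
};
static int fake_unprivileged;

/* Assumed kernel behaviour: without CAP_SYS_ADMIN a read of any trusted.* xattr
 * yields ENODATA, indistinguishable from the attribute not being set at all. */
static ssize_t read_xattr_fake(const char *path, const char *name, char *buf, size_t size) {
        if (fake_unprivileged && strncmp(name, "trusted.", 8) == 0)
                return -ENODATA;
        for (size_t i = 0; i < sizeof fake_store / sizeof *fake_store; i++) {
                if (strcmp(fake_store[i].path, path) != 0 || strcmp(fake_store[i].name, name) != 0)
                        continue;
                size_t len = strlen(fake_store[i].value);
                if (len > size)
                        return -ERANGE;
                memcpy(buf, fake_store[i].value, len);
                return (ssize_t) len;
        }
        return -ENODATA;
}

/* The same lookup as seen by a privileged and by an unprivileged viewer. */
int delegated_as_root(const char *path) { fake_unprivileged = 0; return is_delegated_with(read_xattr_fake, path); }
int delegated_as_user(const char *path) { fake_unprivileged = 1; return is_delegated_with(read_xattr_fake, path); }

int main(int argc, char **argv) {
        (void) argc; (void) argv;
#ifdef __linux__
        if (argc > 1) {
                int r = is_delegated_with(read_xattr_real, argv[1]);
                printf("%s: %s\n", argv[1], r > 0 ? "delegated" : r == 0 ? "not delegated" : strerror(-r));
                return 0;
        }
#endif
        for (size_t i = 0; i < sizeof fake_store / sizeof *fake_store; i++)
                printf("%s\n  root=%d user=%d\n", fake_store[i].path,
                       delegated_as_root(fake_store[i].path), delegated_as_user(fake_store[i].path));
        return 0;
}
```

The `baz.service` entry is the case worth keeping in mind when reading the patch: a privileged viewer sees `trusted.delegate=0` and reports the cgroup as not delegated, while an unprivileged viewer, for whom the trusted attribute reads as absent, falls through to `user.delegate=1` and reports it as delegated. The two answers differ only because the trusted attribute is invisible to the second viewer, which is the read-side consequence of the lookup order the commit introduces.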
Diffstat (limited to 'src/shared/cgroup-show.c')
-rw-r--r-- | src/shared/cgroup-show.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/shared/cgroup-show.c b/src/shared/cgroup-show.c index d2fb17ff5d..fc1e631464 100644 --- a/src/shared/cgroup-show.c +++ b/src/shared/cgroup-show.c @@ -135,16 +135,20 @@ static int is_delegated(int cgfd, const char *path) { assert(cgfd >= 0 || path); r = getxattr_malloc(cgfd < 0 ? path : FORMAT_PROC_FD_PATH(cgfd), "trusted.delegate", &b); - if (r < 0) { + if (r == -ENODATA) { + /* If the trusted xattr isn't set (preferred), then check the untrusted one. Under the + * assumption that whoever is trusted enough to own the cgroup, is also trusted enough to + * decide if it is delegated or not this should be safe. */ + r = getxattr_malloc(cgfd < 0 ? path : FORMAT_PROC_FD_PATH(cgfd), "user.delegate", &b); if (r == -ENODATA) return false; - - return log_debug_errno(r, "Failed to read trusted.delegate extended attribute, ignoring: %m"); } + if (r < 0) + return log_debug_errno(r, "Failed to read delegate xattr, ignoring: %m"); r = parse_boolean(b); if (r < 0) - return log_debug_errno(r, "Failed to parse trusted.delegate extended attribute boolean value, ignoring: %m"); + return log_debug_errno(r, "Failed to parse delegate xattr boolean value, ignoring: %m"); return r; } |
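Review bot: the fallback at `if (r == -ENODATA)` is the only path that reaches "user.delegate", so the unprivileged systemd-cgls case this commit is written for depends on the trusted.delegate read failing with exactly ENODATA for a caller without the privilege to read trusted.* attributes; any other errno (EPERM, EACCES) now goes straight to `return log_debug_errno(r, "Failed to read delegate xattr, ignoring: %m");` and the cgroup is shown as not delegated without the user attribute ever being consulted. The new comment should state that dependency, and since the combined log message no longer says which of the two attributes failed, consider naming the attribute in it. The comment's "whoever is trusted enough to own the cgroup, is also trusted enough to decide if it is delegated" also only covers the write side: on the read side, a viewer who cannot see trusted.delegate will report the user.delegate value even where a privileged viewer would see a trusted.delegate of "0" take precedence, which is worth spelling out next to the fallback.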