cgroups: verify that we are actually running in cgroup namespace

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

cgroups: verify that we are actually running in cgroup namespace
253990c2 · Christian Brauner · c915eca0 · 253990c2 · 253990c2
Unverified Commit 253990c2 authored Feb 15, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

cgfsng.c src/lxc/cgroups/cgfsng.c +6 -5

start.h src/lxc/start.h +6 -0

No files found.
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1870,7 +1870,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 {
 	__do_close int dfd_mnt_cgroupfs = -EBADF, fd_fs = -EBADF;
 	__do_free char *cgroup_root = NULL;
-	bool has_cgns = false, wants_force_mount = false;
+	bool in_cgroup_ns = false, wants_force_mount = false;
 	struct lxc_conf *conf = handler->conf;
 	struct lxc_rootfs *rootfs = &conf->rootfs;
 	const char *rootfs_mnt = get_rootfs_mnt(rootfs);
@@ -1910,8 +1910,9 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 			wants_force_mount = true;
 	}

-	has_cgns = cgns_supported();
-	if (has_cgns && !wants_force_mount)
+	if (cgns_supported() && container_uses_namespace(handler, CLONE_NEWCGROUP))
+		in_cgroup_ns = true;
+	if (in_cgroup_ns && !wants_force_mount)
 		return true;

 	if (type == LXC_AUTO_CGROUP_NOSPEC)
@@ -1929,7 +1930,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 			return log_error_errno(-errno, errno, "Failed to open %d(%s)",
 					       rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE);

-		if (has_cgns && wants_force_mount) {
+		if (in_cgroup_ns && wants_force_mount) {
 			/*
 			 * If cgroup namespaces are supported but the container
 			 * will not have CAP_SYS_ADMIN after it has started we
@@ -1994,7 +1995,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
 		if (ret < 0)
 			return log_error_errno(false, errno, "Failed to create cgroup mountpoint %d(%s)", dfd_mnt_cgroupfs, controller);

-		if (has_cgns && wants_force_mount) {
+		if (in_cgroup_ns && wants_force_mount) {
 			/*
 			 * If cgroup namespaces are supported but the container
 			 * will not have CAP_SYS_ADMIN after it has started we

--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -180,4 +180,10 @@ __hidden extern int __lxc_start(struct lxc_handler *, struct lxc_operations *, v
 __hidden extern int resolve_clone_flags(struct lxc_handler *handler);
 __hidden extern void lxc_expose_namespace_environment(const struct lxc_handler *handler);

+static inline bool container_uses_namespace(const struct lxc_handler *handler,
+					    unsigned int ns_flag)
+{
+	return (handler->ns_clone_flags & ns_flag);
+}
+
 #endif