Commit 509c0772 by Serge Hallyn Committed by Stéphane Graber

cgmanager: chmod the container's base directory 775

In order for attach to work, the container owner must be able to write to the tasks file. Therefore we make the container's cgroup owned by the container root group, but the container owner uid. So for the container root to be allowed to create new cgroups, it needs group write perms. With this patch, an unprivileged container with an lxc.mount.auto = cgroup entry can run the cgproxy and pass all cgmanager tests. ACLs would have been another way to do this, but are not yet being used/exported by cgmanager. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
parent a52e315d
...@@ -264,6 +264,20 @@ static int chown_cgroup_wrapper(void *data) ...@@ -264,6 +264,20 @@ static int chown_cgroup_wrapper(void *data)
return do_chown_cgroup(arg->controller, arg->cgroup_path, arg->origuid); return do_chown_cgroup(arg->controller, arg->cgroup_path, arg->origuid);
} }
static bool lxc_cgmanager_chmod(const char *controller,
const char *cgroup_path, const char *file, int mode)
{
if (cgmanager_chmod_sync(NULL, cgroup_manager, controller,
cgroup_path, file, mode) != 0) {
NihError *nerr;
nerr = nih_error_get();
ERROR("call to cgmanager_chmod_sync failed: %s", nerr->message);
nih_free(nerr);
return false;
}
return true;
}
static bool chown_cgroup(const char *controller, const char *cgroup_path, static bool chown_cgroup(const char *controller, const char *cgroup_path,
struct lxc_conf *conf) struct lxc_conf *conf)
{ {
...@@ -281,6 +295,14 @@ static bool chown_cgroup(const char *controller, const char *cgroup_path, ...@@ -281,6 +295,14 @@ static bool chown_cgroup(const char *controller, const char *cgroup_path,
ERROR("Error requesting cgroup chown in new namespace"); ERROR("Error requesting cgroup chown in new namespace");
return false; return false;
} }
/* now chmod 775 the directory else the container cannot create cgroups */
if (!lxc_cgmanager_chmod(controller, cgroup_path, "", 0775))
return false;
if (!lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0775))
return false;
if (!lxc_cgmanager_chmod(controller, cgroup_path, "cgroup.procs", 0775))
return false;
return true; return true;
} }
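Review bot: The `0775` mode applied to `tasks` and `cgroup.procs` in the second hunk sets the execute bit on regular files, where it has no meaning; the access that attach needs is group write, so `0664` expresses the intent exactly and grants nothing beyond it. The directory itself does need `0775`, since the group execute (search) bit is what lets the container root traverse it and create sub-cgroups beneath it. I'd change the two file calls to `lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0664)` and `lxc_cgmanager_chmod(controller, cgroup_path, "cgroup.procs", 0664)`. Note also that if any of the three chmod calls fails, the cgroup has already been chowned by the preceding call and is left in that partially-configured state; whether the caller removes it on a false return is not visible here. The signature of chown_cgroup is in the first hunk and its body between the two hunks is not shown.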