Skip to content

L
lxc
Unverified Commit 937a3af9 by Christian Brauner
Options

cgroups: verify that we are actually running in cgroup namespace

Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
parent ab8cd5d9
Showing with 12 additions and 5 deletions
src/lxc/cgroups/cgfsng.c
...@@ -1871,7 +1871,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1871,7 +1871,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
{ {
__do_close int dfd_mnt_cgroupfs = -EBADF, fd_fs = -EBADF; __do_close int dfd_mnt_cgroupfs = -EBADF, fd_fs = -EBADF;
__do_free char *cgroup_root = NULL; __do_free char *cgroup_root = NULL;
bool has_cgns = false, wants_force_mount = false; bool in_cgroup_ns = false, wants_force_mount = false;
struct lxc_conf *conf = handler->conf; struct lxc_conf *conf = handler->conf;
struct lxc_rootfs *rootfs = &conf->rootfs; struct lxc_rootfs *rootfs = &conf->rootfs;
const char *rootfs_mnt = get_rootfs_mnt(rootfs); const char *rootfs_mnt = get_rootfs_mnt(rootfs);
...@@ -1911,8 +1911,9 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1911,8 +1911,9 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
wants_force_mount = true; wants_force_mount = true;
} }
has_cgns = cgns_supported(); if (cgns_supported() && container_uses_namespace(handler, CLONE_NEWCGROUP))
if (has_cgns && !wants_force_mount) in_cgroup_ns = true;
if (in_cgroup_ns && !wants_force_mount)
return true; return true;
if (type == LXC_AUTO_CGROUP_NOSPEC) if (type == LXC_AUTO_CGROUP_NOSPEC)
...@@ -1930,7 +1931,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1930,7 +1931,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
return log_error_errno(-errno, errno, "Failed to open %d(%s)", return log_error_errno(-errno, errno, "Failed to open %d(%s)",
rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE); rootfs->dfd_mnt, DEFAULT_CGROUP_MOUNTPOINT_RELATIVE);
if (has_cgns && wants_force_mount) { if (in_cgroup_ns && wants_force_mount) {
/* /*
* If cgroup namespaces are supported but the container * If cgroup namespaces are supported but the container
* will not have CAP_SYS_ADMIN after it has started we * will not have CAP_SYS_ADMIN after it has started we
...@@ -1995,7 +1996,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops, ...@@ -1995,7 +1996,7 @@ __cgfsng_ops static bool cgfsng_mount(struct cgroup_ops *ops,
if (ret < 0) if (ret < 0)
return log_error_errno(false, errno, "Failed to create cgroup mountpoint %d(%s)", dfd_mnt_cgroupfs, controller); return log_error_errno(false, errno, "Failed to create cgroup mountpoint %d(%s)", dfd_mnt_cgroupfs, controller);
if (has_cgns && wants_force_mount) { if (in_cgroup_ns && wants_force_mount) {
/* /*
* If cgroup namespaces are supported but the container * If cgroup namespaces are supported but the container
* will not have CAP_SYS_ADMIN after it has started we * will not have CAP_SYS_ADMIN after it has started we
......
src/lxc/start.h
...@@ -180,4 +180,10 @@ __hidden extern int __lxc_start(struct lxc_handler *, struct lxc_operations *, v ...@@ -180,4 +180,10 @@ __hidden extern int __lxc_start(struct lxc_handler *, struct lxc_operations *, v
__hidden extern int resolve_clone_flags(struct lxc_handler *handler); __hidden extern int resolve_clone_flags(struct lxc_handler *handler);
__hidden extern void lxc_expose_namespace_environment(const struct lxc_handler *handler); __hidden extern void lxc_expose_namespace_environment(const struct lxc_handler *handler);
static inline bool container_uses_namespace(const struct lxc_handler *handler,
unsigned int ns_flag)
{
return (handler->ns_clone_flags & ns_flag);
}
#endif #endif
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment