cgroups/cgfsng: improve cgroup creation and removal

src/lxc/cgroups/cgroup.c

@@ -67,9 +67,6 @@ void cgroup_exit(struct cgroup_ops *ops)
 	if (ops->cgroup2_devices)
 		bpf_program_free(ops->cgroup2_devices);
 
-	if (ops->unified_fd >= 0)
-		close(ops->unified_fd);
-
 	for (it = ops->hierarchies; it && *it; it++) {
 		char **p;
 
@@ -85,6 +82,10 @@ void cgroup_exit(struct cgroup_ops *ops)
 		free((*it)->container_base_path);
 		free((*it)->container_full_path);
 		free((*it)->monitor_full_path);
+		if ((*it)->cgfd_mon >= 0)
+			close((*it)->cgfd_con);
+		if ((*it)->cgfd_mon >= 0)
+			close((*it)->cgfd_mon);
 		free(*it);
 	}
 	free(ops->hierarchies);

src/lxc/cgroups/cgroup.h

@@ -14,6 +14,7 @@
 #define DEFAULT_MONITOR_CGROUP_PREFIX "lxc.monitor."
 #define CGROUP_CREATE_RETRY "-NNNN"
 #define CGROUP_CREATE_RETRY_LEN (STRLITERALLEN(CGROUP_CREATE_RETRY))
+#define CGROUP_PIVOT "lxc.pivot"
 
 struct lxc_handler;
 struct lxc_conf;
@@ -78,6 +79,11 @@ struct hierarchy {
 
 	/* cgroup2 only */
 	unsigned int bpf_device_controller:1;
+
+	/* monitor cgroup fd */
+	int cgfd_con;
+	/* container cgroup fd */
+	int cgfd_mon;
 };
 
 struct cgroup_ops {
@@ -101,8 +107,6 @@ struct cgroup_ops {
 	struct hierarchy **hierarchies;
 	/* Pointer to the unified hierarchy. Do not free! */
 	struct hierarchy *unified;
-	/* File descriptor to the container's cgroup. */
-	int unified_fd;
 
 	/*
 	 * @cgroup2_devices
@@ -179,4 +183,9 @@ extern int cgroup_attach(const char *name, const char *lxcpath, int64_t pid);
 
 #define __do_cgroup_exit __attribute__((__cleanup__(__auto_cgroup_exit__)))
 
+static inline bool pure_unified_layout(const struct cgroup_ops *ops)
+{
+	return ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED;
+}
+
 #endif

src/lxc/commands.c

@@ -1190,7 +1190,7 @@ static int lxc_cmd_freeze_callback(int fd, struct lxc_cmd_req *req,
 	};
 	struct cgroup_ops *ops = handler->cgroup_ops;
 
-	if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED)
+	if (pure_unified_layout(ops))
 		rsp.ret = ops->freeze(ops, timeout);
 
 	return lxc_cmd_rsp_send(fd, &rsp);
@@ -1223,7 +1223,7 @@ static int lxc_cmd_unfreeze_callback(int fd, struct lxc_cmd_req *req,
 	};
 	struct cgroup_ops *ops = handler->cgroup_ops;
 
-	if (ops->cgroup_layout == CGROUP_LAYOUT_UNIFIED)
+	if (pure_unified_layout(ops))
 		rsp.ret = ops->unfreeze(ops, timeout);
 
 	return lxc_cmd_rsp_send(fd, &rsp);
@@ -1259,11 +1259,11 @@ static int lxc_cmd_get_cgroup2_fd_callback(int fd, struct lxc_cmd_req *req,
 	struct cgroup_ops *ops = handler->cgroup_ops;
 	int ret;
 
-	if (ops->cgroup_layout != CGROUP_LAYOUT_UNIFIED)
+	if (!pure_unified_layout(ops) || !ops->unified)
 		return lxc_cmd_rsp_send(fd, &rsp);
 
 	rsp.ret = 0;
-	ret = lxc_abstract_unix_send_fds(fd, &ops->unified_fd, 1, &rsp,
+	ret = lxc_abstract_unix_send_fds(fd, &ops->unified->cgfd_con, 1, &rsp,
 					 sizeof(rsp));
 	if (ret < 0)
 		return log_error(1, "Failed to send cgroup2 fd");

src/lxc/file_utils.c

@@ -21,7 +21,7 @@
 
 int lxc_open_dirfd(const char *dir)
 {
-	return open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
+	return open(dir, O_DIRECTORY | O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
 }
 
 int lxc_readat(int dirfd, const char *filename, void *buf, size_t count)

src/lxc/memory_utils.h

@@ -55,4 +55,6 @@ static inline void *memdup(const void *data, size_t len)
 	return copy ? memcpy(copy, data, len) : NULL;
 }
 
+#define zalloc(__size__) (calloc(1, __size__))
+
 #endif /* __LXC_MEMORY_UTILS_H */