[lxc.git] / debian / patches / 0004-separate-the-limiting-from-the-namespaced-cgroup-roo.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 28 Mar 2018 13:37:28 +0200
Subject: [PATCH] separate the limiting from the namespaced cgroup root

When cgroup namespaces are enabled a privileged container
with mixed cgroups has full write access to its own root
cgroup effectively allowing it to overwrite values written
from the outside or configured via lxc.cgroup.*.

This patch causes an additional 'ns/' directory to be
created in all cgroups if cgroup namespaces and cgfsng are
being used in order to combat this.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/lxc/cgroups/cgfsng.c | 88 +++++++++++++++++++++++++++++++++++++++---------
 src/lxc/cgroups/cgroup.c | 17 +++++-----
 src/lxc/cgroups/cgroup.h | 23 ++++++++-----
 src/lxc/commands.c       | 85 +++++++++++++++++++++++++++++++++++-----------
 src/lxc/commands.h       |  2 ++
 src/lxc/criu.c           |  4 +--
 src/lxc/start.c          | 28 +++++++++++----
 7 files changed, 186 insertions(+), 61 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 10c7ab2c..b48f997f 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -101,6 +101,7 @@ struct hierarchy {
 	char *mountpoint;
 	char *base_cgroup;
 	char *fullcgpath;
+	char *innercgpath;
 	int version;
 };
 
@@ -955,6 +956,7 @@ static struct hierarchy *add_hierarchy(char **clist, char *mountpoint,
 	new->mountpoint = mountpoint;
 	new->base_cgroup = base_cgroup;
 	new->fullcgpath = NULL;
+	new->innercgpath = NULL;
 	new->version = type;
 
 	newentry = append_null_to_list((void ***)&hierarchies);
@@ -1587,6 +1589,8 @@ static int cgroup_rmdir(char *container_cgroup)
 
 		free(h->fullcgpath);
 		h->fullcgpath = NULL;
+		free(h->innercgpath);
+		h->innercgpath = NULL;
 	}
 
 	return 0;
@@ -1597,6 +1601,7 @@ struct generic_userns_exec_data {
 	struct lxc_conf *conf;
 	uid_t origuid; /* target uid in parent namespace */
 	char *path;
+	bool inner;
 };
 
 static int cgroup_rmdir_wrapper(void *data)
@@ -1641,6 +1646,7 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
 	wrap.origuid = 0;
 	wrap.d = hdata;
 	wrap.conf = conf;
+	wrap.inner = false;
 
 	if (conf && !lxc_list_empty(&conf->id_map))
 		ret = userns_exec_1(conf, cgroup_rmdir_wrapper, &wrap,
@@ -1730,22 +1736,29 @@ on_error:
 	return bret;
 }
 
-static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname)
+static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, bool inner)
 {
 	int ret;
 
-	h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
-	if (dir_exists(h->fullcgpath)) {
-		ERROR("The cgroup \"%s\" already existed", h->fullcgpath);
+	char *path;
+	if (inner) {
+		path = must_make_path(h->fullcgpath, CGROUP_NAMESPACE_SUBDIR, NULL);
+		h->innercgpath = path;
+	} else {
+		path = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
+		h->fullcgpath = path;
+	}
+	if (dir_exists(path)) { // it must not already exist
+		ERROR("Path \"%s\" already existed.", path);
 		return false;
 	}
 
-	if (!cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
+	if (!inner && !cg_legacy_handle_cpuset_hierarchy(h, cgname)) {
 		ERROR("Failed to handle legacy cpuset controller");
 		return false;
 	}
 
-	ret = mkdir_p(h->fullcgpath, 0755);
+	ret = mkdir_p(path, 0755);
 	if (ret < 0) {
 		ERROR("Failed to create cgroup \"%s\"", h->fullcgpath);
 		return false;
@@ -1766,10 +1779,26 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
 	h->fullcgpath = NULL;
 }
 
+static inline bool cgfsng_create_inner(struct cgfsng_handler_data *d)
+{
+	size_t i;
+	bool ret = true;
+	char *cgname = must_make_path(d->container_cgroup, CGROUP_NAMESPACE_SUBDIR, NULL);
+	for (i = 0; hierarchies[i]; i++) {
+		if (!create_path_for_hierarchy(hierarchies[i], cgname, true)) {
+			SYSERROR("Failed to create %s namespace subdirectory: %s", hierarchies[i]->fullcgpath, strerror(errno));
+			ret = false;
+			break;
+		}
+	}
+	free(cgname);
+	return ret;
+}
+
 /* Try to create the same cgroup in all hierarchies. Start with cgroup_pattern;
  * next cgroup_pattern-1, -2, ..., -999.
  */
-static inline bool cgfsng_create(void *hdata)
+static inline bool cgfsng_create(void *hdata, bool inner)
 {
 	int i;
 	size_t len;
@@ -1781,10 +1810,17 @@ static inline bool cgfsng_create(void *hdata)
 		return false;
 
 	if (d->container_cgroup) {
+		if (inner)
+			return cgfsng_create_inner(d);
 		WARN("cgfsng_create called a second time");
 		return false;
 	}
 
+	if (inner) {
+		ERROR("cgfsng_create called twice for innner cgroup");
+		return false;
+	}
+
 	if (d->cgroup_meta.dir)
 		tmp = lxc_string_join("/", (const char *[]){d->cgroup_meta.dir, d->name, NULL}, false);
 	else
@@ -1821,7 +1857,7 @@ again:
 	}
 
 	for (i = 0; hierarchies[i]; i++) {
-		if (!create_path_for_hierarchy(hierarchies[i], container_cgroup)) {
+		if (!create_path_for_hierarchy(hierarchies[i], container_cgroup, false)) {
 			int j;
 			ERROR("Failed to create cgroup \"%s\"", hierarchies[i]->fullcgpath);
 			free(hierarchies[i]->fullcgpath);
@@ -1843,7 +1879,7 @@ out_free:
 	return false;
 }
 
-static bool cgfsng_enter(void *hdata, pid_t pid)
+static bool cgfsng_enter(void *hdata, pid_t pid, bool inner)
 {
 	int i, len;
 	char pidstr[25];
@@ -1856,8 +1892,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
 		int ret;
 		char *fullpath;
 
-		fullpath = must_make_path(hierarchies[i]->fullcgpath,
-					  "cgroup.procs", NULL);
+		if (inner)
+			fullpath = must_make_path(hierarchies[i]->fullcgpath,
+						  CGROUP_NAMESPACE_SUBDIR,
+						  "cgroup.procs", NULL);
+		else
+			fullpath = must_make_path(hierarchies[i]->fullcgpath,
+						  "cgroup.procs", NULL);
 		ret = lxc_write_to_file(fullpath, pidstr, len, false);
 		if (ret != 0) {
 			SYSERROR("Failed to enter cgroup \"%s\"", fullpath);
@@ -1933,9 +1974,15 @@ static int chown_cgroup_wrapper(void *data)
 		char *fullpath;
 		char *path = hierarchies[i]->fullcgpath;
 
+		if (arg->inner)
+			path = must_make_path(path, CGROUP_NAMESPACE_SUBDIR, NULL);
+
 		ret = chowmod(path, destuid, nsgid, 0775);
-		if (ret < 0)
+		if (ret < 0) {
+			if (arg->inner)
+				free(path);
 			return -1;
+		}
 
 		/* Failures to chown() these are inconvenient but not
 		 * detrimental We leave these owned by the container launcher,
@@ -1954,8 +2001,11 @@ static int chown_cgroup_wrapper(void *data)
 		(void)chowmod(fullpath, destuid, 0, 0664);
 		free(fullpath);
 
-		if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC)
+		if (hierarchies[i]->version != CGROUP2_SUPER_MAGIC) {
+			if (arg->inner)
+				free(path);
 			continue;
+		}
 
 		fullpath = must_make_path(path, "cgroup.subtree_control", NULL);
 		(void)chowmod(fullpath, destuid, nsgid, 0664);
@@ -1964,12 +2014,14 @@ static int chown_cgroup_wrapper(void *data)
 		fullpath = must_make_path(path, "cgroup.threads", NULL);
 		(void)chowmod(fullpath, destuid, nsgid, 0664);
 		free(fullpath);
+		if (arg->inner)
+			free(path);
 	}
 
 	return 0;
 }
 
-static bool cgfsng_chown(void *hdata, struct lxc_conf *conf)
+static bool cgfsng_chown(void *hdata, struct lxc_conf *conf, bool inner)
 {
 	struct cgfsng_handler_data *d = hdata;
 	struct generic_userns_exec_data wrap;
@@ -1984,6 +2036,7 @@ static bool cgfsng_chown(void *hdata, struct lxc_conf *conf)
 	wrap.path = NULL;
 	wrap.d = d;
 	wrap.conf = conf;
+	wrap.inner = inner;
 
 	if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap,
 			  "chown_cgroup_wrapper") < 0) {
@@ -2366,7 +2419,7 @@ static bool cgfsng_unfreeze(void *hdata)
 	return true;
 }
 
-static const char *cgfsng_get_cgroup(void *hdata, const char *controller)
+static const char *cgfsng_get_cgroup(void *hdata, const char *controller, bool inner)
 {
 	struct hierarchy *h;
 
@@ -2377,6 +2430,9 @@ static const char *cgfsng_get_cgroup(void *hdata, const char *controller)
 		return NULL;
 	}
 
+	if (inner && h->innercgpath)
+		return h->innercgpath + strlen(h->mountpoint);
+
 	return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
 }
 
@@ -2408,7 +2464,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name,
 	int fret = -1, idx = 0;
 	char *base_path = NULL, *container_cgroup = NULL, *full_path = NULL;
 
-	container_cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller);
+	container_cgroup = lxc_cmd_get_attach_cgroup_path(name, lxcpath, controller);
 	/* not running */
 	if (!container_cgroup)
 		return 0;
diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
index 9e7b26e0..ec45dd39 100644
--- a/src/lxc/cgroups/cgroup.c
+++ b/src/lxc/cgroups/cgroup.c
@@ -73,19 +73,19 @@ void cgroup_destroy(struct lxc_handler *handler)
 }
 
 /* Create the container cgroups for all requested controllers. */
-bool cgroup_create(struct lxc_handler *handler)
+bool cgroup_create(struct lxc_handler *handler, bool inner)
 {
 	if (ops)
-		return ops->create(handler->cgroup_data);
+		return ops->create(handler->cgroup_data, inner);
 
 	return false;
 }
 
 /* Enter the container init into its new cgroups for all requested controllers. */
-bool cgroup_enter(struct lxc_handler *handler)
+bool cgroup_enter(struct lxc_handler *handler, bool inner)
 {
 	if (ops)
-		return ops->enter(handler->cgroup_data, handler->pid);
+		return ops->enter(handler->cgroup_data, handler->pid, inner);
 
 	return false;
 }
@@ -99,10 +99,11 @@ bool cgroup_create_legacy(struct lxc_handler *handler)
 }
 
 const char *cgroup_get_cgroup(struct lxc_handler *handler,
-			      const char *subsystem)
+			      const char *subsystem,
+			      bool inner)
 {
 	if (ops)
-		return ops->get_cgroup(handler->cgroup_data, subsystem);
+		return ops->get_cgroup(handler->cgroup_data, subsystem, inner);
 
 	return NULL;
 }
@@ -148,10 +149,10 @@ bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices)
 	return false;
 }
 
-bool cgroup_chown(struct lxc_handler *handler)
+bool cgroup_chown(struct lxc_handler *handler, bool inner)
 {
 	if (ops && ops->chown)
-		return ops->chown(handler->cgroup_data, handler->conf);
+		return ops->chown(handler->cgroup_data, handler->conf, inner);
 
 	return true;
 }
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
index 0f04e8b7..3a63133d 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -28,6 +28,12 @@
 #include <stddef.h>
 #include <sys/types.h>
 
+/* When lxc.cgroup.protect_limits is in effect the container's cgroup namespace
+ * will be moved into an additional subdirectory "cgns/" inside the cgroup in
+ * order to prevent it from accessing the outer limiting cgroup.
+ */
+#define CGROUP_NAMESPACE_SUBDIR "cgns"
+
 struct lxc_handler;
 struct lxc_conf;
 struct lxc_list;
@@ -45,10 +51,10 @@ struct cgroup_ops {
 
 	void *(*init)(struct lxc_handler *handler);
 	void (*destroy)(void *hdata, struct lxc_conf *conf);
-	bool (*create)(void *hdata);
-	bool (*enter)(void *hdata, pid_t pid);
+	bool (*create)(void *hdata, bool inner);
+	bool (*enter)(void *hdata, pid_t pid, bool inner);
 	bool (*create_legacy)(void *hdata, pid_t pid);
-	const char *(*get_cgroup)(void *hdata, const char *subsystem);
+	const char *(*get_cgroup)(void *hdata, const char *subsystem, bool inner);
 	bool (*escape)();
 	int (*num_hierarchies)();
 	bool (*get_hierarchies)(int n, char ***out);
@@ -56,7 +62,7 @@ struct cgroup_ops {
 	int (*get)(const char *filename, char *value, size_t len, const char *name, const char *lxcpath);
 	bool (*unfreeze)(void *hdata);
 	bool (*setup_limits)(void *hdata, struct lxc_conf *conf, bool with_devices);
-	bool (*chown)(void *hdata, struct lxc_conf *conf);
+	bool (*chown)(void *hdata, struct lxc_conf *conf, bool inner);
 	bool (*attach)(const char *name, const char *lxcpath, pid_t pid);
 	bool (*mount_cgroup)(void *hdata, const char *root, int type);
 	int (*nrtasks)(void *hdata);
@@ -67,15 +73,16 @@ extern bool cgroup_attach(const char *name, const char *lxcpath, pid_t pid);
 extern bool cgroup_mount(const char *root, struct lxc_handler *handler, int type);
 extern void cgroup_destroy(struct lxc_handler *handler);
 extern bool cgroup_init(struct lxc_handler *handler);
-extern bool cgroup_create(struct lxc_handler *handler);
+extern bool cgroup_create(struct lxc_handler *handler, bool inner);
 extern bool cgroup_setup_limits(struct lxc_handler *handler, bool with_devices);
-extern bool cgroup_chown(struct lxc_handler *handler);
-extern bool cgroup_enter(struct lxc_handler *handler);
+extern bool cgroup_chown(struct lxc_handler *handler, bool inner);
+extern bool cgroup_enter(struct lxc_handler *handler, bool inner);
 extern void cgroup_cleanup(struct lxc_handler *handler);
 extern bool cgroup_create_legacy(struct lxc_handler *handler);
 extern int cgroup_nrtasks(struct lxc_handler *handler);
 extern const char *cgroup_get_cgroup(struct lxc_handler *handler,
-				     const char *subsystem);
+				     const char *subsystem,
+				     bool inner);
 extern bool cgroup_escape();
 extern int cgroup_num_hierarchies();
 extern bool cgroup_get_hierarchies(int i, char ***out);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 54e9f75c..df5a9907 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -426,20 +426,8 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
 	return lxc_cmd_rsp_send(fd, &rsp);
 }
 
-/*
- * lxc_cmd_get_cgroup_path: Calculate a container's cgroup path for a
- * particular subsystem. This is the cgroup path relative to the root
- * of the cgroup filesystem.
- *
- * @name      : name of container to connect to
- * @lxcpath   : the lxcpath in which the container is running
- * @subsystem : the subsystem being asked about
- *
- * Returns the path on success, NULL on failure. The caller must free() the
- * returned path.
- */
-char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
-			      const char *subsystem)
+char *do_lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+			      const char *subsystem, bool inner)
 {
 	int ret, stopped;
 	struct lxc_cmd_rr cmd = {
@@ -452,8 +440,18 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
 
 	cmd.req.data = subsystem;
 	cmd.req.datalen = 0;
-	if (subsystem)
-		cmd.req.datalen = strlen(subsystem) + 1;
+	if (subsystem) {
+		size_t subsyslen = strlen(subsystem);
+		if (inner) {
+			char *data = alloca(subsyslen+2);
+			memcpy(data, subsystem, subsyslen+1);
+			data[subsyslen+1] = 1;
+			cmd.req.datalen = subsyslen+2,
+			cmd.req.data = data;
+		} else {
+			cmd.req.datalen = subsyslen+1;
+		}
+	}
 
 	ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
 	if (ret < 0)
@@ -468,16 +466,63 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
 	return cmd.rsp.data;
 }
 
+/*
+ * lxc_cmd_get_cgroup_path: Calculate a container's cgroup path for a
+ * particular subsystem. This is the cgroup path relative to the root
+ * of the cgroup filesystem.
+ *
+ * @name      : name of container to connect to
+ * @lxcpath   : the lxcpath in which the container is running
+ * @subsystem : the subsystem being asked about
+ *
+ * Returns the path on success, NULL on failure. The caller must free() the
+ * returned path.
+ */
+char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+	const char *subsystem)
+{
+	return do_lxc_cmd_get_cgroup_path(name, lxcpath, subsystem, false);
+}
+
+/*
+ * lxc_cmd_get_attach_cgroup_path: Calculate a container's inner cgroup path
+ * for a particular subsystem. This is the cgroup path relative to the root
+ * of the cgroup filesystem.
+ *
+ * @name      : name of container to connect to
+ * @lxcpath   : the lxcpath in which the container is running
+ * @subsystem : the subsystem being asked about
+ *
+ * Returns the path on success, NULL on failure. The caller must free() the
+ * returned path.
+ */
+char *lxc_cmd_get_attach_cgroup_path(const char *name, const char *lxcpath,
+	const char *subsystem)
+{
+	return do_lxc_cmd_get_cgroup_path(name, lxcpath, subsystem, true);
+}
+
 static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
 				       struct lxc_handler *handler)
 {
 	const char *path;
 	struct lxc_cmd_rsp rsp;
 
-	if (req->datalen > 0)
-		path = cgroup_get_cgroup(handler, req->data);
-	else
-		path = cgroup_get_cgroup(handler, NULL);
+	if (req->datalen > 0) {
+		const char *subsystem;
+		size_t subsyslen;
+		bool inner = false;
+		subsystem = req->data;
+		subsyslen = strlen(subsystem);
+		if (req->datalen == subsyslen+2)
+			inner = (subsystem[subsyslen+1] == 1);
+
+		path = cgroup_get_cgroup(handler, req->data, inner);
+	} else {
+		// FIXME: cgroup separation for cgroup v2 cannot be handled
+		// like we used to do v1 here... need to figure this out...
+		path = cgroup_get_cgroup(handler, NULL, false);
+	}
 	if (!path)
 		return -1;
 
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index 816cd748..e16c0d79 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -93,6 +93,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd,
  */
 extern char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
 			const char *subsystem);
+extern char *lxc_cmd_get_attach_cgroup_path(const char *name,
+			const char *lxcpath, const char *subsystem);
 extern int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath);
 extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
 extern char *lxc_cmd_get_name(const char *hashed_sock);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index f60a6e15..7c8a8aee 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -324,7 +324,7 @@ static void exec_criu(struct criu_opts *opts)
 		} else {
 			const char *p;
 
-			p = cgroup_get_cgroup(opts->handler, controllers[0]);
+			p = cgroup_get_cgroup(opts->handler, controllers[0], false);
 			if (!p) {
 				ERROR("failed to get cgroup path for %s", controllers[0]);
 				goto err;
@@ -958,7 +958,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
 		goto out_fini_handler;
 	}
 
-	if (!cgroup_create(handler)) {
+	if (!cgroup_create(handler, false)) {
 		ERROR("failed creating groups");
 		goto out_fini_handler;
 	}
diff --git a/src/lxc/start.c b/src/lxc/start.c
index f66f50a7..772eacc2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1556,7 +1556,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 
 	cgroups_connected = true;
 
-	if (!cgroup_create(handler)) {
+	if (!cgroup_create(handler, false)) {
 		ERROR("Failed creating cgroups");
 		goto out_delete_net;
 	}
@@ -1650,10 +1650,10 @@ static int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 
-	if (!cgroup_enter(handler))
+	if (!cgroup_enter(handler, false))
 		goto out_delete_net;
 
-	if (!cgroup_chown(handler))
+	if (!cgroup_chown(handler, false))
 		goto out_delete_net;
 
 	/* Now we're ready to preserve the network namespace */
@@ -1714,16 +1714,30 @@ static int lxc_spawn(struct lxc_handler *handler)
 		}
 	}
 
-	ret = lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE);
-	if (ret < 0)
-		goto out_delete_net;
-
 	if (!cgroup_setup_limits(handler, true)) {
 		ERROR("Failed to setup legacy device cgroup controller limits");
 		goto out_delete_net;
 	}
 	TRACE("Set up legacy device cgroup controller limits");
 
+	if (cgns_supported()) {
+		if (!cgroup_create(handler, true)) {
+			ERROR("failed to create inner cgroup separation layer");
+			goto out_delete_net;
+		}
+		if (!cgroup_enter(handler, true)) {
+			ERROR("failed to enter inner cgroup separation layer");
+			goto out_delete_net;
+		}
+		if (!cgroup_chown(handler, true)) {
+			ERROR("failed chown inner cgroup separation layer");
+			goto out_delete_net;
+		}
+	}
+
+	if (lxc_sync_barrier_child(handler, LXC_SYNC_CGROUP_UNSHARE))
+		goto out_delete_net;
+
 	cgroup_disconnect();
 	cgroups_connected = false;
 
-- 
2.11.0