[lxc.git] / debian / patches / pve / 0005-api-extensions-add-and-document-cgroup_advanced_isol.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Sat, 4 Apr 2020 12:07:43 +0200
Subject: [PATCH lxc] api-extensions: add and document
 cgroup_advanced_isolation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 doc/api-extensions.md    | 4 ++++
 src/lxc/api_extensions.h | 1 +
 2 files changed, 5 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 98686f9ed..fe1b1bdb7 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
 
 Whether the seccomp notify proxy sends a long a notify fd file descriptor.
 
+## cgroup\_advanced\_isolation
+
+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
+
 ## idmapped\_mounts
 
 Whether this LXC instance can handle idmapped mounts for the rootfs.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index d99adacbe..a10f2e5f3 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -45,6 +45,7 @@ static char *api_extensions[] = {
 	"seccomp_notify_fd_active",
 	"seccomp_proxy_send_notify_fd",
 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
+	"cgroup_advanced_isolation",
 	"idmapped_mounts",
 	"idmapped_mounts_v2",
 	"core_scheduling",
Commit	Line	Data
080abced WB	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Christian Brauner <christian.brauner@ubuntu.com>
	3	Date: Sat, 4 Apr 2020 12:07:43 +0200
87c39e90 WB	4	Subject: [PATCH lxc] api-extensions: add and document
87c39e90 WB	5	cgroup_advanced_isolation
080abced WB	6
	7	Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
	8	---
	9	doc/api-extensions.md \| 4 ++++
	10	src/lxc/api_extensions.h \| 1 +
	11	2 files changed, 5 insertions(+)
	12
	13	diff --git a/doc/api-extensions.md b/doc/api-extensions.md
545d7dec	14	index 98686f9ed..fe1b1bdb7 100644
080abced WB	15	--- a/doc/api-extensions.md
080abced WB	16	+++ b/doc/api-extensions.md
63e050e2	17	@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.
080abced	18
02c596f3	19	Whether the seccomp notify proxy sends a long a notify fd file descriptor.
63e050e2	20
080abced WB	21	+## cgroup\_advanced\_isolation
	22	+
	23	+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.
63e050e2 TL	24	+
	25	## idmapped\_mounts
	26
87c39e90	27	Whether this LXC instance can handle idmapped mounts for the rootfs.
080abced	28	diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
545d7dec	29	index d99adacbe..a10f2e5f3 100644
080abced WB	30	--- a/src/lxc/api_extensions.h
080abced WB	31	+++ b/src/lxc/api_extensions.h
545d7dec	32	@@ -45,6 +45,7 @@ static char *api_extensions[] = {
02c596f3 WB	33	"seccomp_notify_fd_active",
02c596f3 WB	34	"seccomp_proxy_send_notify_fd",
545d7dec	35	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
080abced	36	+ "cgroup_advanced_isolation",
63e050e2	37	"idmapped_mounts",
87c39e90 WB	38	"idmapped_mounts_v2",
87c39e90 WB	39	"core_scheduling",