[lxc.git] / debian / patches / pve / 0012-cgroups-populate-hierarchy-for-device-cgroup.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Mon, 19 Jul 2021 16:55:43 +0200
Subject: [PATCH] cgroups: populate hierarchy for device cgroup

With the changes introduced in:
b7b1e3a34ce28b01206c48227930ff83d399e7b6
the hierarchy-struct did not have the path_lim set anymore, which is
needed by setup_limits_legacy to actually access the cgroup directory.

The issue can be reproduced with a container config having
```
lxc.cgroup.devices.deny = a
```
(or any lxc.cgroup.devices entry) set on a system booted with
systemd.unified_cgroup_hierarchy=0.

This affects all privileged containers on PVE (due to the default
devices.deny entry).

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/lxc/cgroups/cgfsng.c | 39 +++++++++++++++++++--------------------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 9e1ece5ca..e27baa625 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -794,8 +794,12 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
 		if (fd_limit < 0)
 			return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
 
+		limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
+		h->dfd_lim = move_fd(fd_limit);
+		h->path_lim = move_ptr(limit_path);
+
 		TRACE("Created limit cgroup %d->%d(%s)",
-		      fd_limit, h->dfd_base, cgroup_limit_dir);
+		      h->dfd_lim, h->dfd_base, cgroup_limit_dir);
 
 		/*
 		 * With isolation the devices legacy cgroup needs to be
@@ -807,44 +811,39 @@ static bool cgroup_tree_create(struct cgroup_ops *ops, struct lxc_conf *conf,
 		    !ops->setup_limits_legacy(ops, conf, true))
 			return log_error(false, "Failed to setup legacy device limits");
 
-		limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
-		path = must_make_path(limit_path, cgroup_leaf, NULL);
+		path = must_make_path(h->path_lim, cgroup_leaf, NULL);
 
 		/*
 		 * If we use a separate limit cgroup, the leaf cgroup, i.e. the
 		 * cgroup the container actually resides in, is below fd_limit.
 		 */
-		fd_final = __cgroup_tree_create(fd_limit, cgroup_leaf, 0755, cpuset_v1, false);
+		fd_final = __cgroup_tree_create(h->dfd_lim, cgroup_leaf, 0755, cpuset_v1, false);
 		if (fd_final < 0) {
 			/* Ensure we don't leave any garbage behind. */
 			if (cgroup_tree_prune(h->dfd_base, cgroup_limit_dir))
 				SYSWARN("Failed to destroy %d(%s)", h->dfd_base, cgroup_limit_dir);
 			else
 				TRACE("Removed cgroup tree %d(%s)", h->dfd_base, cgroup_limit_dir);
+			return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
 		}
+		h->dfd_con = move_fd(fd_final);
+		h->path_con = move_ptr(path);
+
 	} else {
 		path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
 
 		fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
-	}
-	if (fd_final < 0)
-		return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
-
-	if (payload) {
-		h->dfd_con = move_fd(fd_final);
-		h->path_con = move_ptr(path);
+		if (fd_final < 0)
+			return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
 
-		if (fd_limit < 0)
+		if (payload) {
+			h->dfd_con = move_fd(fd_final);
 			h->dfd_lim = h->dfd_con;
-		else
-			h->dfd_lim = move_fd(fd_limit);
-
-		if (limit_path)
-			h->path_lim = move_ptr(limit_path);
-		else
+			h->path_con = move_ptr(path);
 			h->path_lim = h->path_con;
-	} else {
-		h->dfd_mon = move_fd(fd_final);
+		} else {
+			h->dfd_mon = move_fd(fd_final);
+		}
 	}
 
 	return true;
Commit	Line	Data
ab2219be SI	1	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	2	From: Stoiko Ivanov <s.ivanov@proxmox.com>
	3	Date: Mon, 19 Jul 2021 16:55:43 +0200
	4	Subject: [PATCH] cgroups: populate hierarchy for device cgroup
	5
	6	With the changes introduced in:
	7	b7b1e3a34ce28b01206c48227930ff83d399e7b6
	8	the hierarchy-struct did not have the path_lim set anymore, which is
	9	needed by setup_limits_legacy to actually access the cgroup directory.
	10
	11	The issue can be reproduced with a container config having
	12	```
	13	lxc.cgroup.devices.deny = a
	14	```
	15	(or any lxc.cgroup.devices entry) set on a system booted with
	16	systemd.unified_cgroup_hierarchy=0.
	17
	18	This affects all privileged containers on PVE (due to the default
	19	devices.deny entry).
	20
	21	Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
	22	---
	23	src/lxc/cgroups/cgfsng.c \| 39 +++++++++++++++++++--------------------
	24	1 file changed, 19 insertions(+), 20 deletions(-)
	25
	26	diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
	27	index 9e1ece5ca..e27baa625 100644
	28	--- a/src/lxc/cgroups/cgfsng.c
	29	+++ b/src/lxc/cgroups/cgfsng.c
	30	@@ -794,8 +794,12 @@ static bool cgroup_tree_create(struct cgroup_ops ops, struct lxc_conf conf,
	31	if (fd_limit < 0)
	32	return syserror_ret(false, "Failed to create limiting cgroup %d(%s)", h->dfd_base, cgroup_limit_dir);
	33
	34	+ limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
	35	+ h->dfd_lim = move_fd(fd_limit);
	36	+ h->path_lim = move_ptr(limit_path);
	37	+
	38	TRACE("Created limit cgroup %d->%d(%s)",
	39	- fd_limit, h->dfd_base, cgroup_limit_dir);
	40	+ h->dfd_lim, h->dfd_base, cgroup_limit_dir);
	41
	42	/*
	43	* With isolation the devices legacy cgroup needs to be
	44	@@ -807,44 +811,39 @@ static bool cgroup_tree_create(struct cgroup_ops ops, struct lxc_conf conf,
	45	!ops->setup_limits_legacy(ops, conf, true))
	46	return log_error(false, "Failed to setup legacy device limits");
	47
	48	- limit_path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
	49	- path = must_make_path(limit_path, cgroup_leaf, NULL);
	50	+ path = must_make_path(h->path_lim, cgroup_leaf, NULL);
	51
	52	/*
	53	* If we use a separate limit cgroup, the leaf cgroup, i.e. the
	54	* cgroup the container actually resides in, is below fd_limit.
	55	*/
	56	- fd_final = __cgroup_tree_create(fd_limit, cgroup_leaf, 0755, cpuset_v1, false);
	57	+ fd_final = __cgroup_tree_create(h->dfd_lim, cgroup_leaf, 0755, cpuset_v1, false);
	58	if (fd_final < 0) {
	59	/* Ensure we don't leave any garbage behind. */
	60	if (cgroup_tree_prune(h->dfd_base, cgroup_limit_dir))
	61	SYSWARN("Failed to destroy %d(%s)", h->dfd_base, cgroup_limit_dir);
	62	else
	63	TRACE("Removed cgroup tree %d(%s)", h->dfd_base, cgroup_limit_dir);
	64	+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
65	}
66	+ h->dfd_con = move_fd(fd_final);
67	+ h->path_con = move_ptr(path);
68	+
69	} else {
70	path = make_cgroup_path(h, h->at_base, cgroup_limit_dir, NULL);
71
72	fd_final = __cgroup_tree_create(h->dfd_base, cgroup_limit_dir, 0755, cpuset_v1, false);
73	- }
74	- if (fd_final < 0)
75	- return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
76	-
77	- if (payload) {
78	- h->dfd_con = move_fd(fd_final);
79	- h->path_con = move_ptr(path);
80	+ if (fd_final < 0)
81	+ return syserror_ret(false, "Failed to create %s cgroup %d(%s)", payload ? "payload" : "monitor", h->dfd_base, cgroup_limit_dir);
82
83	- if (fd_limit < 0)
84	+ if (payload) {
85	+ h->dfd_con = move_fd(fd_final);
86	h->dfd_lim = h->dfd_con;
87	- else
88	- h->dfd_lim = move_fd(fd_limit);
89	-
90	- if (limit_path)
91	- h->path_lim = move_ptr(limit_path);
92	- else
93	+ h->path_con = move_ptr(path);
94	h->path_lim = h->path_con;
95	- } else {
96	- h->dfd_mon = move_fd(fd_final);
97	+ } else {
98	+ h->dfd_mon = move_fd(fd_final);
99	+ }
100	}
101
102	return true;