-From 6adbaea0d07553932f4cd78b5530cd5291c3b41f Mon Sep 17 00:00:00 2001
+From 5ceb26ec765edb81aba25b9db4fc5ede0d7a0375 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Tue, 15 Nov 2016 09:20:24 +0100
-Subject: [PATCH 5/9] separate the limiting from the namespaced cgroup root
+Subject: [PATCH 5/8] separate the limiting from the namespaced cgroup root
When cgroup namespaces are enabled a privileged container
with mixed cgroups has full write access to its own root
9 files changed, 219 insertions(+), 77 deletions(-)
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
-index 8499200..b78b78d 100644
+index 3bfa5239..f305a561 100644
--- a/src/lxc/cgroups/cgfs.c
+++ b/src/lxc/cgroups/cgfs.c
@@ -2383,12 +2383,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf)
return false;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
-index 2b772e2..f7df3cf 100644
+index ebd548b9..b26e1b27 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -72,6 +72,7 @@ struct hierarchy {
};
/*
-@@ -814,6 +815,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
+@@ -820,6 +821,7 @@ static void add_controller(char **clist, char *mountpoint, char *base_cgroup)
new->mountpoint = mountpoint;
new->base_cgroup = base_cgroup;
new->fullcgpath = NULL;
newentry = append_null_to_list((void ***)&hierarchies);
hierarchies[newentry] = new;
-@@ -1286,6 +1288,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
+@@ -1304,6 +1306,8 @@ static void cgfsng_destroy(void *hdata, struct lxc_conf *conf)
free(h->fullcgpath);
h->fullcgpath = NULL;
}
}
}
-@@ -1299,18 +1303,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
+@@ -1321,18 +1325,25 @@ struct cgroup_ops *cgfsng_ops_init(void)
return &cgfsng_ops;
}
}
static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
-@@ -1325,7 +1336,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
+@@ -1347,7 +1358,8 @@ static void remove_path_for_hierarchy(struct hierarchy *h, char *cgname)
* Try to create the same cgroup in all hierarchies.
* Start with cgroup_pattern; next cgroup_pattern-1, -2, ..., -999
*/
{
struct cgfsng_handler_data *d = hdata;
char *tmp, *cgname, *offset;
-@@ -1335,9 +1347,15 @@ static inline bool cgfsng_create(void *hdata)
+@@ -1357,9 +1369,15 @@ static inline bool cgfsng_create(void *hdata)
if (!d)
return false;
if (d->container_cgroup) {
tmp = lxc_string_replace("%n", d->name, d->cgroup_pattern);
if (!tmp) {
-@@ -1358,7 +1376,7 @@ again:
+@@ -1380,7 +1398,7 @@ again:
if (idx)
snprintf(offset, 5, "-%d", idx);
for (i = 0; hierarchies[i]; i++) {
int j;
SYSERROR("Failed to create %s: %s", hierarchies[i]->fullcgpath, strerror(errno));
free(hierarchies[i]->fullcgpath);
-@@ -1378,7 +1396,24 @@ out_free:
+@@ -1400,7 +1418,24 @@ out_free:
return false;
}
{
char pidstr[25];
int i, len;
-@@ -1388,7 +1423,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1410,7 +1445,13 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
return false;
for (i = 0; hierarchies[i]; i++) {
"cgroup.procs", NULL);
if (lxc_write_to_file(fullpath, pidstr, len, false) != 0) {
SYSERROR("Failed to enter %s", fullpath);
-@@ -1404,6 +1445,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
+@@ -1426,6 +1467,7 @@ static bool cgfsng_enter(void *hdata, pid_t pid)
struct chown_data {
struct cgfsng_handler_data *d;
uid_t origuid; // target uid in parent namespace
};
/*
-@@ -1432,13 +1474,20 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1454,13 +1496,20 @@ static int chown_cgroup_wrapper(void *data)
for (i = 0; hierarchies[i]; i++) {
char *fullpath, *path = hierarchies[i]->fullcgpath;
return -1;
}
-@@ -1462,12 +1511,14 @@ static int chown_cgroup_wrapper(void *data)
+@@ -1484,12 +1533,14 @@ static int chown_cgroup_wrapper(void *data)
if (chmod(fullpath, 0664) < 0)
WARN("Error chmoding %s: %m", path);
free(fullpath);
{
struct cgfsng_handler_data *d = hdata;
struct chown_data wrap;
-@@ -1480,6 +1531,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
+@@ -1502,6 +1553,7 @@ static bool cgfsns_chown(void *hdata, struct lxc_conf *conf)
wrap.d = d;
wrap.origuid = geteuid();
if (userns_exec_1(conf, chown_cgroup_wrapper, &wrap) < 0) {
ERROR("Error requesting cgroup chown in new namespace");
-@@ -1774,12 +1826,15 @@ static bool cgfsng_unfreeze(void *hdata)
+@@ -1796,12 +1848,15 @@ static bool cgfsng_unfreeze(void *hdata)
return true;
}
return h->fullcgpath ? h->fullcgpath + strlen(h->mountpoint) : NULL;
}
-@@ -1814,7 +1869,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
+@@ -1836,7 +1891,7 @@ static bool cgfsng_attach(const char *name, const char *lxcpath, pid_t pid)
char *path, *fullpath;
struct hierarchy *h = hierarchies[i];
continue;
diff --git a/src/lxc/cgroups/cgmanager.c b/src/lxc/cgroups/cgmanager.c
-index f2756b0..ac966b6 100644
+index f2756b07..ac966b6f 100644
--- a/src/lxc/cgroups/cgmanager.c
+++ b/src/lxc/cgroups/cgmanager.c
@@ -609,7 +609,7 @@ static inline void cleanup_cgroups(char *path)
return false;
if (!cgm_dbus_connect()) {
diff --git a/src/lxc/cgroups/cgroup.c b/src/lxc/cgroups/cgroup.c
-index 78472d4..4d26e72 100644
+index 78472d4f..4d26e720 100644
--- a/src/lxc/cgroups/cgroup.c
+++ b/src/lxc/cgroups/cgroup.c
@@ -80,10 +80,10 @@ void cgroup_destroy(struct lxc_handler *handler)
}
diff --git a/src/lxc/cgroups/cgroup.h b/src/lxc/cgroups/cgroup.h
-index 11b251e..f36c6f0 100644
+index 11b251e6..f36c6f02 100644
--- a/src/lxc/cgroups/cgroup.h
+++ b/src/lxc/cgroups/cgroup.h
@@ -28,6 +28,12 @@
extern int cgroup_num_hierarchies();
extern bool cgroup_get_hierarchies(int i, char ***out);
diff --git a/src/lxc/commands.c b/src/lxc/commands.c
-index b17879b..5ef682f 100644
+index 27c8c084..0eb2741f 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
-@@ -128,15 +128,15 @@ static int fill_sock_name(char *path, int len, const char *name,
+@@ -133,15 +133,15 @@ static int fill_sock_name(char *path, int len, const char *lxcname,
static const char *lxc_cmd_str(lxc_cmd_t cmd)
{
static const char * const cmdname[LXC_CMD_MAX] = {
};
if (cmd >= LXC_CMD_MAX)
-@@ -429,30 +429,28 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
+@@ -437,30 +437,28 @@ static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req,
return lxc_cmd_rsp_send(fd, &rsp);
}
ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
if (ret < 0)
return NULL;
-@@ -471,16 +469,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
+@@ -479,16 +477,42 @@ char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath,
return cmd.rsp.data;
}
if (!path)
return -1;
rsp.datalen = strlen(path) + 1,
-@@ -491,6 +515,24 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
+@@ -499,6 +523,24 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
}
/*
* lxc_cmd_get_config_item: Get config item the running container
*
* @name : name of container to connect to
-@@ -841,16 +883,16 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
+@@ -849,16 +891,16 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req,
typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *);
callback cb[LXC_CMD_MAX] = {
if (req->cmd >= LXC_CMD_MAX) {
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
-index 184eefa..6430b33 100644
+index 184eefa0..6430b334 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -77,6 +77,8 @@ extern int lxc_cmd_console(const char *name, int *ttynum, int *fd,
extern char *lxc_cmd_get_config_item(const char *name, const char *item, const char *lxcpath);
extern char *lxc_cmd_get_name(const char *hashed_sock);
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
-index 8a0702f..5843f97 100644
+index d757bef6..64512193 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -283,7 +283,7 @@ static void exec_criu(struct criu_opts *opts)
if (!p) {
ERROR("failed to get cgroup path for %s", controllers[0]);
goto err;
-@@ -795,7 +795,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
+@@ -805,7 +805,7 @@ static void do_restore(struct lxc_container *c, int status_pipe, struct migrate_
goto out_fini_handler;
}
goto out_fini_handler;
}
diff --git a/src/lxc/start.c b/src/lxc/start.c
-index c2c14a7..e889421 100644
+index bca7f8eb..2d7df0e7 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
-@@ -1104,7 +1104,7 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1115,7 +1115,7 @@ static int lxc_spawn(struct lxc_handler *handler)
cgroups_connected = true;
ERROR("Failed creating cgroups.");
goto out_delete_net;
}
-@@ -1191,10 +1191,10 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1202,10 +1202,10 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
goto out_delete_net;
if (failed_before_rename)
-@@ -1237,6 +1237,21 @@ static int lxc_spawn(struct lxc_handler *handler)
+@@ -1248,6 +1248,21 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
cgroups_connected = false;
--
-2.1.4
+2.11.0
projects / lxc.git / blobdiff