[lxc-devel] [PATCH 7/8] cgroup: don't set devices cgroup if not in init_user_ns
Serge Hallyn
serge at mail.hallyn.com
Fri Jul 19 14:26:54 UTC 2013
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/cgroup.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index c707519..8a875b8 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -292,6 +292,14 @@ int lxc_cgroup_set_bypath(const char *cgrelpath, const char *filename, const cha
char *cgabspath;
char path[MAXPATHLEN];
+ /*
+ * exception: if in a user namespace, don't try to set devices cgroup.
+ * (a) a task in non-init userns can't use most devices anyway, and
+ * (b) a task in non-init userns cannot write to devices.{allow,deny}
+ */
+ if (strncmp(filename, "devices.", 8) == 0)
+ return 0;
+
cgabspath = cgroup_path_get(filename, cgrelpath);
if (!cgabspath)
return -1;
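Review bot: The early return fires for every `devices.*` filename, but nothing in the hunk tests whether the caller is actually in a non-init user namespace, so the comment and the subject line ("if not in init_user_ns") describe a condition the code does not check; as written, privileged containers in the init userns will also silently skip devices.allow/devices.deny, which removes device confinement instead of only avoiding an EPERM. The guard should be gated on the namespace test, e.g. `if (<in-non-init-userns check, placeholder> && strncmp(filename, "devices.", 8) == 0)`, using whatever helper the tree already provides for that. Returning 0 also reports success to the caller for a setting that was never applied, so it is worth logging the skip rather than dropping it without a trace. lxc_cgroup_set_bypath starts before the hunk (only its signature appears in the `@@` context) and its body continues past the last hunk line.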
--
1.8.3.2