[lxc-devel] [lxc/lxc] d6559c: lxc-cgm: fix issue with nested chowning

GitHub noreply at github.com
Fri Aug 29 14:28:34 UTC 2014


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: d6559c5d09c99e42b532a6259b98d4030dc5b616
      https://github.com/lxc/lxc/commit/d6559c5d09c99e42b532a6259b98d4030dc5b616
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2014-08-29 (Fri, 29 Aug 2014)

  Changed paths:
    M src/lxc/cgmanager.c

  Log Message:
  -----------
  lxc-cgm: fix issue with nested chowning

To ask cgmanager to chown files as an unpriv user, we must send the
request from the container's namespace (with our own userid also
mapped in).  However, when we create a new namespace then we must
open a new dbus connection, so that our credential and the credential
on the dbus socket match.  Otherwise the proxy will refuse the request.

Because we were warning about this failure but not exiting, the failure
was not noticed until the unprivileged container went on to try to
administer its cgroups, i.e. creating a container inside itself.

Fix this by having the do_chown_cgroup create a new cgmanager connection.
In order to reduce the number of connections, since the list of subsystems
is global anyway, don't call do_chown_cgroup once for each controller,
just call it once and have it run over all controllers.

(This patch does not change the fact that we don't fail if the
chown failed.  I think we should change that, but let's do it in a
later patch.)

Reported-by: Stéphane Graber <stgraber at ubuntu.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
