[lxc-devel] [PATCH] cgmanager: chmod the container's base directory 775
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jan 31 13:03:44 UTC 2014
In order for attach to work, the container owner must be able to
write to the tasks file. Therefore we make the container's cgroup
owned by the container root group, but the container owner uid.
So for the container root to be allowed to create new cgroups, it
needs group write perms.
With this patch, an unprivileged container with an
lxc.mount.auto = cgroup entry entry can run the cgproxy and pass
all cgmanager tests.
Acls would have been another way to do this, but are not yet being
used/exported by cgmanager.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/cgmanager.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c
index 686a208..a013e63 100644
--- a/src/lxc/cgmanager.c
+++ b/src/lxc/cgmanager.c
@@ -265,6 +265,20 @@ static int chown_cgroup_wrapper(void *data)
return do_chown_cgroup(arg->controller, arg->cgroup_path, arg->origuid);
}
+static bool lxc_cgmanager_chmod(const char *controller,
+ const char *cgroup_path, const char *file, int mode)
+{
+ if (cgmanager_chmod_sync(NULL, cgroup_manager, controller,
+ cgroup_path, file, mode) != 0) {
+ NihError *nerr;
+ nerr = nih_error_get();
+ ERROR("call to cgmanager_chmod_sync failed: %s", nerr->message);
+ nih_free(nerr);
+ return false;
+ }
+ return true;
+}
+
static bool chown_cgroup(const char *controller, const char *cgroup_path,
struct lxc_conf *conf)
{
@@ -282,6 +296,14 @@ static bool chown_cgroup(const char *controller, const char *cgroup_path,
ERROR("Error requesting cgroup chown in new namespace");
return false;
}
+
+ /* now chmod 775 the directory else the container cannot create cgroups */
+ if (!lxc_cgmanager_chmod(controller, cgroup_path, "", 0775))
+ return false;
+ if (!lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0775))
+ return false;
+ if (!lxc_cgmanager_chmod(controller, cgroup_path, "cgroup.procs", 0775))
+ return false;
return true;
}
--
1.8.5.3
More information about the lxc-devel
mailing list