[lxc-devel] [PATCH] cgmanager: chmod the container's base directory 775

Stéphane Graber stgraber at ubuntu.com
Fri Jan 31 13:56:30 UTC 2014


On Fri, Jan 31, 2014 at 01:03:44PM +0000, Serge Hallyn wrote:
> 
> In order for attach to work, the container owner must be able to
> write to the tasks file.  Therefore we make the container's cgroup
> owned by the container root group, but the container owner uid.
> So for the container root to be allowed to create new cgroups, it
> needs group write perms.
> 
> With this patch, an unprivileged container with an
> lxc.mount.auto = cgroup entry can run the cgproxy and pass
> all cgmanager tests.
> 
> Acls would have been another way to do this, but are not yet being
> used/exported by cgmanager.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/cgmanager.c | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
> 
> diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c
> index 686a208..a013e63 100644
> --- a/src/lxc/cgmanager.c
> +++ b/src/lxc/cgmanager.c
> @@ -265,6 +265,20 @@ static int chown_cgroup_wrapper(void *data)
>  	return do_chown_cgroup(arg->controller, arg->cgroup_path, arg->origuid);
>  }
>  
> +static bool lxc_cgmanager_chmod(const char *controller,
> +		const char *cgroup_path, const char *file, int mode)
> +{
> +	if (cgmanager_chmod_sync(NULL, cgroup_manager, controller,
> +			cgroup_path, file, mode) != 0) {
> +		NihError *nerr;
> +		nerr = nih_error_get();
> +		ERROR("call to cgmanager_chmod_sync failed: %s", nerr->message);
> +		nih_free(nerr);
> +		return false;
> +	}
> +	return true;
> +}
> +
>  static bool chown_cgroup(const char *controller, const char *cgroup_path,
>  			struct lxc_conf *conf)
>  {
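Review bot: the error path in lxc_cgmanager_chmod logs only nerr->message, so when one of the three calls chown_cgroup makes fails, the log does not say which controller, cgroup or file was affected; include them in the format string, e.g. `ERROR("call to cgmanager_chmod_sync failed for %s:%s/%s: %s", controller, cgroup_path, file, nerr->message);`.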
> @@ -282,6 +296,14 @@ static bool chown_cgroup(const char *controller, const char *cgroup_path,
>  		ERROR("Error requesting cgroup chown in new namespace");
>  		return false;
>  	}
> +
> +	/* now chmod 775 the directory else the container cannot create cgroups */
> +	if (!lxc_cgmanager_chmod(controller, cgroup_path, "", 0775))
> +		return false;
> +	if (!lxc_cgmanager_chmod(controller, cgroup_path, "tasks", 0775))
> +		return false;
> +	if (!lxc_cgmanager_chmod(controller, cgroup_path, "cgroup.procs", 0775))
> +		return false;
>  	return true;
>  }
>  
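Review bot: the comment above the chmod block only explains the directory mode, but the two file chmods exist for a different reason (the commit message says the container owner must be able to write tasks for attach to work), so extend the comment to cover both. Also, 0775 on tasks and cgroup.procs sets the execute bit on regular files, which grants nothing; 0664 gives the same group write access with a tighter mode. Note that a chmod failure returns false after the chown has already happened, so the cgroup is left chown'd but with its original mode; that is fail-closed, but a one-line comment would make the intent clear.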
> -- 
> 1.8.5.3
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
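The permission model the commit message describes (cgroup directory owned by the container owner's uid, group set to the container root's gid, hence group write needed) as an added example, not code from the lxc tree: a small model of the Unix DAC check showing why 0755 stops the container's root from creating sub-cgroups while 0775 lets it. The ids (host user 1000, container root mapped to 100000) are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Minimal model of the DAC decision the kernel makes when a process tries
 * to create an entry in (i.e. write to) a directory.  Constructed for
 * illustration: it checks only the effective gid, not supplementary groups,
 * and ignores capabilities such as CAP_DAC_OVERRIDE, which an unprivileged
 * container's root does not hold against the host's cgroupfs anyway. */
bool dac_may_write(uid_t st_uid, gid_t st_gid, mode_t st_mode,
                   uid_t euid, gid_t egid)
{
    if (euid == st_uid)
        return (st_mode & S_IWUSR) != 0;   /* owner class */
    if (egid == st_gid)
        return (st_mode & S_IWGRP) != 0;   /* group class */
    return (st_mode & S_IWOTH) != 0;       /* other class */
}

/* Hypothetical ids: the host user running the container is uid 1000; the
 * container's root is mapped to host uid/gid 100000 by the id map. */
#define HOST_OWNER_UID 1000
#define CT_ROOT_UID    100000
#define CT_ROOT_GID    100000

/* After cgmanager's chown the cgroup directory is uid=HOST_OWNER_UID,
 * gid=CT_ROOT_GID.  Container root is not the owner, so only the group
 * bits can grant it the write access mkdir needs. */
bool container_root_can_mkdir(mode_t dir_mode)
{
    return dac_may_write(HOST_OWNER_UID, CT_ROOT_GID, dir_mode,
                         CT_ROOT_UID, CT_ROOT_GID);
}

/* The host user owning the container keeps access through the owner bits. */
bool host_owner_can_write(mode_t dir_mode)
{
    return dac_may_write(HOST_OWNER_UID, CT_ROOT_GID, dir_mode,
                         HOST_OWNER_UID, HOST_OWNER_UID);
}

int main(void)
{
    printf("0755: container root can mkdir? %s\n",
           container_root_can_mkdir(0755) ? "yes" : "no");
    printf("0775: container root can mkdir? %s\n",
           container_root_can_mkdir(0775) ? "yes" : "no");
    printf("0775: unrelated uid 2000 can write? %s\n",
           dac_may_write(HOST_OWNER_UID, CT_ROOT_GID, 0775, 2000, 2000) ? "yes" : "no");
    return 0;
}
```

The last line shows that 0775 still denies write to uids outside the container root group, which is what keeps the wider mode from exposing the cgroup to other host users.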