[lxc-devel] [lxcfs/master] bindings: revert cgroup check

[brauner on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 1333 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20160826/41a1ca8f/attachment.bin>
-------------- next part --------------
From 5ccc353f1fb14ce36ad6ec738ca709336fe4d312 Mon Sep 17 00:00:00 2001
From: Christian Brauner <cbrauner at suse.de>
Date: Thu, 25 Aug 2016 22:33:07 +0200
Subject: [PATCH] bindings: revert cgroup check

We do not need to check whether mode & W_OK is passed in. Even if the cgroup
root mount is writeable operations like cg_mkdir() et al. will fail with e.g.
EPERM. Basically all operations will fail on the cgroup root mount point because
the first operation they perform is pick_controller_from_path(). That is to say
they try to e.g. pick "blkio" from /var/lib/lxcfs/cgroup/blkio/some/cgroups an
similiar for all other controllers. If pick_controller_from_path() fails they
all return an appropriate errno. For example, cg_mkdir() does:

        controller = pick_controller_from_path(fc, path);
        if (!controller)
                return errno == ENOENT ? -EPERM : -errno;

This means, we do not need to return an errno already in cg_access when
mode & W_OK is passed in. This has the advantage that users are still able to
descend into /var/lib/lxcfs/cgroup via:

        cd /var/lib/lxcfs/cgroup

but are still blocked from doing any write operations.

Signed-off-by: Christian Brauner <cbrauner at suse.de>
---
 bindings.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/bindings.c b/bindings.c
index 281aad2..8a5909a 100644
--- a/bindings.c
+++ b/bindings.c
@@ -1926,11 +1926,8 @@ int cg_access(const char *path, int mode)
 	struct cgfs_files *k = NULL;
 	struct fuse_context *fc = fuse_get_context();
 
-	if (strcmp(path, "/cgroup") == 0) {
-		if ((mode & W_OK) == 0)
-			return -EACCES;
+	if (strcmp(path, "/cgroup") == 0)
 		return 0;
-	}
 
 	if (!fc)
 		return -EIO;