[lxc-devel] [lxcfs/master] pam: bugfixes

brauner on Github lxc-bot at linuxcontainers.org
Tue May 16 15:39:31 UTC 2017


From 423a3b4fff26690ea92ab713131e003b4b585e25 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 16 May 2017 01:06:24 +0200
Subject: [PATCH 1/3] pam: non-functional changes

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 pam/pam_cgfs.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pam/pam_cgfs.c b/pam/pam_cgfs.c
index 4c163db..899e965 100644
--- a/pam/pam_cgfs.c
+++ b/pam/pam_cgfs.c
@@ -1511,8 +1511,7 @@ static bool cgv2_enter(const char *cgroup)
 	if (!v2->create_rw_cgroup || v2->systemd_user_slice)
 		return true;
 
-	path = must_make_path(v2->mountpoint, v2->base_cgroup, cgroup,
-			      "/cgroup.procs", NULL);
+	path = must_make_path(v2->mountpoint, v2->base_cgroup, cgroup, "/cgroup.procs", NULL);
 	lxcfs_debug("Attempting to enter cgroupfs v2 hierarchy in cgroup \"%s\".\n", path);
 	entered = write_int(path, (int)getpid());
 	if (!entered) {
@@ -2267,7 +2266,7 @@ static bool cgv2_create(const char *cgroup, uid_t uid, gid_t gid, bool *existed)
 				v2->systemd_user_slice))
 		return true;
 
-	/* We need to make sure that we do not create an endless chaing of
+	/* We need to make sure that we do not create an endless chain of
 	 * sub-cgroups. So we check if we have already logged in somehow (sudo
 	 * -i, su, etc.) and have created a /user/PAM_user/idx cgroup. If so, we
 	 * skip that part.

From ca2003d49d48bb2fce65c8a4386455d5b94f1096 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 16 May 2017 01:06:59 +0200
Subject: [PATCH 2/3] pam: report back we found the unified hierarchy

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 pam/pam_cgfs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pam/pam_cgfs.c b/pam/pam_cgfs.c
index 899e965..b99edff 100644
--- a/pam/pam_cgfs.c
+++ b/pam/pam_cgfs.c
@@ -1389,6 +1389,7 @@ static bool cgv2_init(uid_t uid, gid_t gid)
 		 * each of those mountpoints will expose identical information.
 		 * So let the first mountpoint we find, win.
 		 */
+		ret = true;
 		break;
 	}
 

From cf0461d226395b6d97d19faafb2afa438c2f53f4 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Tue, 16 May 2017 01:08:10 +0200
Subject: [PATCH 3/3] pam: chown cgroup.procs file on unified hierarchy

On the unified hierarchy cgroup.procs must be owned by the user in order for that
user to be able to move processes into other cgroups.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 pam/pam_cgfs.c | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/pam/pam_cgfs.c b/pam/pam_cgfs.c
index b99edff..5dd68c9 100644
--- a/pam/pam_cgfs.c
+++ b/pam/pam_cgfs.c
@@ -2262,10 +2262,9 @@ static bool cgv2_create(const char *cgroup, uid_t uid, gid_t gid, bool *existed)
 	/* We can't be placed under init's cgroup for the v2 hierarchy. We need
 	 * to be placed under our current cgroup.
 	 */
-	if (cg_systemd_chown_existing_cgroup(v2->mountpoint,
-				v2->base_cgroup, uid, gid,
-				v2->systemd_user_slice))
-		return true;
+	if (cg_systemd_chown_existing_cgroup(v2->mountpoint, v2->base_cgroup,
+					     uid, gid, v2->systemd_user_slice))
+		goto chown_cgroup_procs_file;
 
 	/* We need to make sure that we do not create an endless chain of
 	 * sub-cgroups. So we check if we have already logged in somehow (sudo
@@ -2291,7 +2290,7 @@ static bool cgv2_create(const char *cgroup, uid_t uid, gid_t gid, bool *existed)
 			*existed = false;
 		else
 			*existed = true;
-		return our_cg;
+		goto chown_cgroup_procs_file;
 	}
 
 	created = mkdir_p(v2->mountpoint, path);
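Review bot: The `goto chown_cgroup_procs_file;` that replaces `return our_cg;` discards the value of `our_cg`: the label path ends in `return true;`, so the caller now sees success wherever it previously saw whatever `our_cg` held. If the enclosing `if` (its condition is outside this hunk) is `if (our_cg)` the two are equivalent, but if `our_cg` can be false inside that block the function's contract has quietly changed. Separately, `path` already appears to hold an allocation at this point (`mkdir_p(v2->mountpoint, path)` on the next line uses it), and the label reassigns `path = must_make_path(...)` without freeing the old value, so this jump leaks unless the block frees it before the goto; `free(path); path = NULL;` immediately before the `goto` would close that, assuming nothing between here and the label still needs it. cgv2_create begins and ends outside this hunk.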
@@ -2300,10 +2299,27 @@ static bool cgv2_create(const char *cgroup, uid_t uid, gid_t gid, bool *existed)
 		return false;
 	}
 
+	/* chown cgroup to user */
 	if (chown(path, uid, gid) < 0)
 		mysyslog(LOG_WARNING, "Failed to chown %s to %d:%d: %s.\n",
 			 path, (int)uid, (int)gid, strerror(errno), NULL);
-	lxcfs_debug("Chowned %s to %d:%d.\n", path, (int)uid, (int)gid);
+	else
+		lxcfs_debug("Chowned %s to %d:%d.\n", path, (int)uid, (int)gid);
+	free(path);
+
+chown_cgroup_procs_file:
+	/* chown cgroup.procs to user */
+	if (v2->systemd_user_slice)
+		path = must_make_path(v2->mountpoint, v2->base_cgroup,
+				      "/cgroup.procs", NULL);
+	else
+		path = must_make_path(v2->mountpoint, v2->base_cgroup, cgroup,
+				      "/cgroup.procs", NULL);
+	if (chown(path, uid, gid) < 0)
+		mysyslog(LOG_WARNING, "Failed to chown %s to %d:%d: %s.\n",
+			 path, (int)uid, (int)gid, strerror(errno), NULL);
+	else
+		lxcfs_debug("Chowned %s to %d:%d.\n", path, (int)uid, (int)gid);
 	free(path);
 
 	return true;
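Review bot: The chown-and-log block under `chown_cgroup_procs_file:` is a verbatim copy of the one just above it for the cgroup directory; a small static helper defined before cgv2_create would remove the duplication and keep the warning text in one place. The comment `/* chown cgroup.procs to user */` would also be more useful if it stated the reason from the commit message, e.g. `/* On the unified hierarchy the user must own cgroup.procs to move processes between cgroups. */`. Note that a failed chown of cgroup.procs is only logged and the function still returns true, so the caller cannot tell a usable cgroup from one the user cannot move processes into; if that is intended best-effort behaviour, a one-line comment saying so would save the next reader the same question. The start of cgv2_create is outside this hunk.
```c
/* Best-effort chown of a cgroup path: failures are logged, never fatal. */
static void cgv2_chown_to_user(const char *path, uid_t uid, gid_t gid)
{
	if (chown(path, uid, gid) < 0)
		mysyslog(LOG_WARNING, "Failed to chown %s to %d:%d: %s.\n",
			 path, (int)uid, (int)gid, strerror(errno), NULL);
	else
		lxcfs_debug("Chowned %s to %d:%d.\n", path, (int)uid, (int)gid);
}

	/* … unchanged: mkdir_p and its error handling … */
	cgv2_chown_to_user(path, uid, gid);
	free(path);

chown_cgroup_procs_file:
	/* On the unified hierarchy the user must own cgroup.procs to move
	 * processes between cgroups. */
	/* … unchanged: must_make_path selection by v2->systemd_user_slice … */
	cgv2_chown_to_user(path, uid, gid);
	free(path);

	return true;
```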

