diff options
author | Lennart Poettering <lennart@poettering.net> | 2013-07-11 01:56:12 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2013-07-11 01:56:12 +0200 |
commit | 8aa75193662d0e18d7c21ee9d546b7f3c8b8bc14 (patch) | |
tree | 1cbf2d39aefbef5e42105006caea4e7b0482d27d | |
parent | befb5b6a71c175d523644edbddd01b4b722fe956 (diff) |
core: grant user@.service instances write access to their own cgroup
-rw-r--r-- | src/core/execute.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index cbeb0caf26..50d2d49ba8 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1258,6 +1258,23 @@ int exec_spawn(ExecCommand *command, } } +#ifdef HAVE_PAM + if (cgroup_path && context->user && context->pam_name) { + err = cg_set_task_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0644, uid, gid); + if (err < 0) { + r = EXIT_CGROUP; + goto fail_child; + } + + + err = cg_set_group_access(SYSTEMD_CGROUP_CONTROLLER, cgroup_path, 0755, uid, gid); + if (err < 0) { + r = EXIT_CGROUP; + goto fail_child; + } + } +#endif + if (apply_permissions) { err = enforce_groups(context, username, gid); if (err < 0) { |