diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-11-05 17:57:23 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-11-05 18:49:14 +0100 |
| commit | a931ad47a8623163a29d898224d8a8c1177ffdaf (patch) | |
| tree | 34741242cc98bf038f3b57058e4b283b0d53b275 /src/core/cgroup.c | |
| parent | c962cb68d5754690cbe924a0d0b4251053217783 (diff) | |
core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies
For priviliged units this resource control property ensures that the
processes have all controllers systemd manages enabled.
For unpriviliged services (those with User= set) this ensures that
access rights to the service cgroup is granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unpriviliged processes.
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.
This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine.
Diffstat (limited to 'src/core/cgroup.c')
| -rw-r--r-- | src/core/cgroup.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/src/core/cgroup.c b/src/core/cgroup.c index e604c3cbc6..0951a09964 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -105,7 +105,8 @@ void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) { "%sBlockIOWeight=%lu\n" "%sStartupBlockIOWeight=%lu\n" "%sMemoryLimit=%" PRIu64 "\n" - "%sDevicePolicy=%s\n", + "%sDevicePolicy=%s\n" + "%sDelegate=%s\n", prefix, yes_no(c->cpu_accounting), prefix, yes_no(c->blockio_accounting), prefix, yes_no(c->memory_accounting), @@ -115,7 +116,8 @@ void cgroup_context_dump(CGroupContext *c, FILE* f, const char *prefix) { prefix, c->blockio_weight, prefix, c->startup_blockio_weight, prefix, c->memory_limit, - prefix, cgroup_device_policy_to_string(c->device_policy)); + prefix, cgroup_device_policy_to_string(c->device_policy), + prefix, yes_no(c->delegate)); LIST_FOREACH(device_allow, a, c->device_allow) fprintf(f, @@ -461,7 +463,8 @@ CGroupControllerMask cgroup_context_get_mask(CGroupContext *c) { c->memory_limit != (uint64_t) -1) mask |= CGROUP_MEMORY; - if (c->device_allow || c->device_policy != CGROUP_AUTO) + if (c->device_allow || + c->device_policy != CGROUP_AUTO) mask |= CGROUP_DEVICE; return mask; @@ -474,6 +477,19 @@ CGroupControllerMask unit_get_cgroup_mask(Unit *u) { if (!c) return 0; + /* If delegation is turned on, then turn on all cgroups, + * unless the process we fork into it is known to drop + * privileges anyway, and shouldn't get access to the + * controllers anyway. */ + + if (c->delegate) { + ExecContext *e; + + e = unit_get_exec_context(u); + if (!e || exec_context_maintains_privileges(e)) + return _CGROUP_CONTROLLER_MASK_ALL; + } + return cgroup_context_get_mask(c); } |