authorLuke Shumaker <lukeshu@lukeshu.com>2017-06-14 18:03:04 -0400
committerLuke Shumaker <lukeshu@lukeshu.com>2017-06-16 17:06:57 -0400
commit40d39b0ff8e3e5c9f148bcd820a6a570001a7182 (patch)
tree91eb87beffa8d42183e0b78c1c94841c63e8e851 /src/nspawn/nspawn-cgroup.h
parent1108b2858019c82f165fffa7eb19826d4f5a1b79 (diff)
nspawn: Be more robust when deciding to create subcgroups or chown cgroups
To demonstrate the breakage in the chown part: be using an interactive terminal, go to spawn a shell in a container, using --register=no, and using userns. It will end up chown()ing the cgroup of your terminal session to the container! And you will be left with that after you quit the container! Similarly, the subcgroup bit will try to create subcgroups for the parent and child even if they share the cgroup with other processes (as they are likely to if --register=no), and will find only partial success, leaving the cgroup with all controllers disabled. What we really care about is whether the child process is alone in the cgroup, so we'll take a peek at cgroup.procs for that cgroup to find out.
Diffstat (limited to 'src/nspawn/nspawn-cgroup.h')
-rw-r--r--src/nspawn/nspawn-cgroup.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nspawn/nspawn-cgroup.h b/src/nspawn/nspawn-cgroup.h
index b141c4e5d3..e677766726 100644
--- a/src/nspawn/nspawn-cgroup.h
+++ b/src/nspawn/nspawn-cgroup.h
@@ -24,7 +24,7 @@
#include "cgroup-util.h"
-int cgroup_setup(pid_t pid, CGroupUnified outer_cgver, CGroupUnified inner_cgver, uid_t uid_shift, bool keep_unit);
+int cgroup_setup(pid_t pid, CGroupUnified outer_cgver, CGroupUnified inner_cgver, uid_t uid_shift);
int mount_cgroups(const char *dest, CGroupUnified outer_cgver, CGroupUnified inner_cgver, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, bool use_cgns);
int mount_systemd_cgroup_writable(const char *dest, CGroupUnified inner_cgver);
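Review bot: The new cgroup_setup() prototype drops the keep_unit parameter, but the header still carries no comment saying what now governs whether a subcgroup is created and chowned, so a reader of the header alone cannot tell that the --register/keep_unit setting no longer matters. Per the commit message the decision is now made by inspecting cgroup.procs for the child's cgroup; I would state that contract above the declaration, e.g. `/* Create a subcgroup for @pid and chown it to @uid_shift only when @pid is the sole process in its cgroup (checked via cgroup.procs); unrelated processes sharing the cgroup must never be re-owned. */`. Since the diffstat is limited to this header, the matching definition in nspawn-cgroup.c and every caller that previously passed keep_unit are not visible here; presumably they are updated in the same commit, but that should be confirmed, as a stale caller would fail to compile against this prototype.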