core: general cgroup rework

Replace the very generic cgroup hookup with a much simpler one. With
this change only the high-level cgroup settings remain, the ability to
set arbitrary cgroup attributes is removed, so is support for adding
units to arbitrary cgroup controllers or setting arbitrary paths for
them (especially paths that are different for the various controllers).

This also introduces a new -.slice root slice, that is the parent of
system.slice and friends. This enables easy admin configuration of
root-level cgrouo properties.

This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in
/dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is
turned off by DevicePolicy=).

1 files changed, 7 insertions, 4 deletions

diff --git a/src/shared/cgroup-label.c b/src/shared/cgroup-label.c
index 5b5163c250..574a7be3ee 100644
--- a/src/shared/cgroup-label.c
+++ b/src/shared/cgroup-label.c
@@ -36,15 +36,18 @@
 #include "util.h"
 #include "mkdir.h"
 
-int cg_create(const char *controller, const char *path, const char *suffix) {
+/* This is split out since it needs label calls, either directly or
+ * indirectly. */
+
+int cg_create(const char *controller, const char *path) {
         _cleanup_free_ char *fs = NULL;
         int r;
 
-        r = cg_get_path_and_check(controller, path, suffix, &fs);
+        r = cg_get_path_and_check(controller, path, NULL, &fs);
         if (r < 0)
                 return r;
 
-        r = mkdir_parents_label(fs, 0755);
+        r = mkdir_parents_prefix("/sys/fs/cgroup", fs, 0755);
         if (r < 0)
                 return r;
 
@@ -64,7 +67,7 @@ int cg_create_and_attach(const char *controller, const char *path, pid_t pid) {
 
         assert(pid >= 0);
 
-        r = cg_create(controller, path, NULL);
+        r = cg_create(controller, path);
         if (r < 0)
                 return r;