nspawn: cleanup and chown the synced cgroup hierarchy (#4223)

Fixes: #4181
author: Evgeny Vereshchagin <evvers@ya.ru> 2016-10-13 16:50:46 +0300
committer: Sven Eden <yamakuzure@gmx.net> 2017-07-05 08:50:55 +0200
commit: d5949929f1247b0407637a44f388365e3966ef91 (patch)
tree: 09297b348c4144e05b9eb912c7f466ab6bbe3d91 /src/basic
parent: a04ba5e54a47f2284ce3f768d01c06881f280b5c (diff)
3 files changed, 40 insertions, 5 deletions
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index fce0b9e5d..424c2b69b 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -2583,6 +2583,20 @@ int cg_blkio_weight_parse(const char *s, uint64_t *ret) {
 }
 #endif // 0
 
+bool is_cgroup_fs(const struct statfs *s) {
+        return is_fs_type(s, CGROUP_SUPER_MAGIC) ||
+               is_fs_type(s, CGROUP2_SUPER_MAGIC);
+}
+
+bool fd_is_cgroup_fs(int fd) {
+        struct statfs s;
+
+        if (fstatfs(fd, &s) < 0)
+                return -errno;
+
+        return is_cgroup_fs(&s);
+}
+
 static const char *cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = {
         [CGROUP_CONTROLLER_CPU] = "cpu",
         [CGROUP_CONTROLLER_CPUACCT] = "cpuacct",
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index 5f3152995..5a6d41635 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -118,6 +118,13 @@ static inline bool CGROUP_BLKIO_WEIGHT_IS_OK(uint64_t x) {
 #define DEFAULT_TASKS_MAX_PERCENTAGE            15U /* 15% of PIDs, 4915 on default settings */
 #define DEFAULT_USER_TASKS_MAX_PERCENTAGE       33U /* 33% of PIDs, 10813 on default settings */
 
+typedef enum CGroupUnified {
+        CGROUP_UNIFIED_UNKNOWN = -1,
+        CGROUP_UNIFIED_NONE = 0,        /* Both systemd and controllers on legacy */
+        CGROUP_UNIFIED_SYSTEMD = 1,     /* Only systemd on unified */
+        CGROUP_UNIFIED_ALL = 2,         /* Both systemd and controllers on unified */
+} CGroupUnified;
+
 /*
  * General rules:
  *
@@ -182,6 +189,9 @@ int cg_set_group_access(const char *controller, const char *path, mode_t mode, u
 int cg_set_task_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid);
 #endif // 0
 
+int cg_set_xattr(const char *controller, const char *path, const char *name, const void *value, size_t size, int flags);
+int cg_get_xattr(const char *controller, const char *path, const char *name, void *value, size_t size);
+
 int cg_install_release_agent(const char *controller, const char *agent);
 int cg_uninstall_release_agent(const char *controller);
 
@@ -242,12 +252,15 @@ bool cg_ns_supported(void);
 #endif // 0
 
 #if 0 /// UNNEEDED by elogind
-int cg_unified(void);
+int cg_all_unified(void);
+int cg_unified(const char *controller);
 void cg_unified_flush(void);
 
 bool cg_is_unified_wanted(void);
 #endif // 0
 bool cg_is_legacy_wanted(void);
+bool cg_is_unified_systemd_controller_wanted(void);
+bool cg_is_legacy_systemd_controller_wanted(void);
 
 const char* cgroup_controller_to_string(CGroupController c) _const_;
 CGroupController cgroup_controller_from_string(const char *s) _pure_;
@@ -257,3 +270,6 @@ int cg_weight_parse(const char *s, uint64_t *ret);
 int cg_cpu_shares_parse(const char *s, uint64_t *ret);
 int cg_blkio_weight_parse(const char *s, uint64_t *ret);
 #endif // 0
+
+bool is_cgroup_fs(const struct statfs *s);
+bool fd_is_cgroup_fs(int fd);
diff --git a/src/basic/rm-rf.c b/src/basic/rm-rf.c
index 474bfbf43..6cb55cd0c 100644
--- a/src/basic/rm-rf.c
+++ b/src/basic/rm-rf.c
@@ -36,9 +36,14 @@
 #include "stat-util.h"
 #include "string-util.h"
 
+static bool is_physical_fs(const struct statfs *sfs) {
+        return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
+}
+
 int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
         _cleanup_closedir_ DIR *d = NULL;
         int ret = 0, r;
+        struct statfs sfs;
 
         assert(fd >= 0);
 
@@ -47,13 +52,13 @@ int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
 
         if (!(flags & REMOVE_PHYSICAL)) {
 
-                r = fd_is_temporary_fs(fd);
+                r = fstatfs(fd, &sfs);
                 if (r < 0) {
                         safe_close(fd);
-                        return r;
+                        return -errno;
                 }
 
-                if (!r) {
+                if (is_physical_fs(&sfs)) {
                         /* We refuse to clean physical file systems
                          * with this call, unless explicitly
                          * requested. This is extra paranoia just to
@@ -214,7 +219,7 @@ int rm_rf(const char *path, RemoveFlags flags) {
                         if (statfs(path, &s) < 0)
                                 return -errno;
 
-                        if (!is_temporary_fs(&s)) {
+                        if (is_physical_fs(&s)) {
                                 log_error("Attempted to remove disk file system, and we can't allow that.");
                                 return -EPERM;
                         }
author	Evgeny Vereshchagin <evvers@ya.ru>	2016-10-13 16:50:46 +0300
committer	Sven Eden <yamakuzure@gmx.net>	2017-07-05 08:50:55 +0200
commit	d5949929f1247b0407637a44f388365e3966ef91 (patch)
tree	09297b348c4144e05b9eb912c7f466ab6bbe3d91 /src/basic
parent	a04ba5e54a47f2284ce3f768d01c06881f280b5c (diff)