cgroups/cgfsng: support MS_READONLY with cgroup ns

If we lack CAP_SYS_ADMIN this is really useful.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Christian Brauner 2017-10-31 12:01:29 +01:00
parent 058c1cb631
commit a760603e3b
No known key found for this signature in database
GPG Key ID: 7B3C391EFEA93624


@ -1630,27 +1630,36 @@ do_secondstage_mounts_if_needed(int type, struct hierarchy *h,
return 0; return 0;
} }
static int mount_cgroup_cgns_supported(struct hierarchy *h, const char *controllerpath) static int mount_cgroup_cgns_supported(int type, struct hierarchy *h, const char *controllerpath)
{ {
int ret; int ret;
char *controllers = NULL; char *controllers = NULL;
char *type = "cgroup2"; char *fstype = "cgroup2";
unsigned long flags = 0;
if (!h->is_cgroup_v2) { flags |= MS_NOSUID;
controllers = lxc_string_join(",", (const char **)h->controllers, false); flags |= MS_NOEXEC;
if (!controllers) flags |= MS_NODEV;
return -ENOMEM; flags |= MS_RELATIME;
type = "cgroup";
if (type == LXC_AUTO_CGROUP_RO || type == LXC_AUTO_CGROUP_FULL_RO)
flags |= MS_RDONLY;
if (!h->is_cgroup_v2) {
controllers = lxc_string_join(",", (const char **)h->controllers, false);
if (!controllers)
return -ENOMEM;
fstype = "cgroup";
} }
ret = mount("cgroup", controllerpath, type, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RELATIME, controllers); ret = mount("cgroup", controllerpath, fstype, flags, controllers);
free(controllers); free(controllers);
if (ret < 0) { if (ret < 0) {
SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, type); SYSERROR("Failed to mount %s with cgroup filesystem type %s", controllerpath, fstype);
return -1; return -1;
} }
DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, type); DEBUG("Mounted %s with cgroup filesystem type %s", controllerpath, fstype);
return 0; return 0;
} }
@ -1714,7 +1723,7 @@ static bool cgfsng_mount(void *hdata, const char *root, int type)
* will not have CAP_SYS_ADMIN after it has started we * will not have CAP_SYS_ADMIN after it has started we
* need to mount the cgroups manually. * need to mount the cgroups manually.
*/ */
r = mount_cgroup_cgns_supported(h, controllerpath); r = mount_cgroup_cgns_supported(type, h, controllerpath);
free(controllerpath); free(controllerpath);
if (r < 0) if (r < 0)
goto bad; goto bad;
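Review bot: In `mount_cgroup_cgns_supported()` the read-only decision is fail-open: only `LXC_AUTO_CGROUP_RO` and `LXC_AUTO_CGROUP_FULL_RO` add `MS_RDONLY`, and every other `type` value, including one the caller did not intend, yields a writable cgroup mount with nothing in the logs to show which was chosen. I would record the outcome in the success message, e.g. `DEBUG("Mounted %s with cgroup filesystem type %s (%s)", controllerpath, fstype, (flags & MS_RDONLY) ? "ro" : "rw");`, so a container that ended up with a writable hierarchy can be spotted from the log. A short comment above the `if` would also help, along the lines of `/* Only the explicit *_RO modes mount read-only; this presumably only binds while the container lacks CAP_SYS_ADMIN and cannot remount. */`, since the commit message ties the feature to that case but the code does not say so. Separately, the function returns `-ENOMEM` on the allocation path and `-1` on the mount path; the visible caller only tests `r < 0`, so this is harmless here but worth unifying.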