From 4f875f707ac27d5b398da8093095d2a25518514d Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 19 Feb 2016 14:12:47 -0800 Subject: [PATCH] cgroups: do not fail if setting devices cgroup fails due to EPERM If we're trying to allow a device which was denied to our parent container, just continue. Cgmanager does not help us to distinguish between eperm and other errors, so just always continue. We may want to consider actually computing the range of devices to which the container monitor has access, but OTOH that introduces a whole new set of complexity to compute access sets. Closes #827 Signed-off-by: Serge Hallyn --- src/lxc/cgfs.c | 8 ++++++++ src/lxc/cgmanager.c | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c index b43e1ce01..f303a11d2 100644 --- a/src/lxc/cgfs.c +++ b/src/lxc/cgfs.c @@ -1285,10 +1285,13 @@ static int lxc_cgroup_set_data(const char *filename, const char *value, struct c if ((p = strchr(subsystem, '.')) != NULL) *p = '\0'; + errno = ENOENT; path = lxc_cgroup_get_hierarchy_abs_path_data(subsystem, d); if (path) { ret = do_cgroup_set(path, filename, value); + int saved_errno = errno; free(path); + errno = saved_errno; } return ret; } @@ -1915,6 +1918,11 @@ static int do_setup_cgroup_limits(struct cgfs_data *d, cgroup_devices_has_allow_or_deny(d, cg->value, true)) continue; if (lxc_cgroup_set_data(cg->subsystem, cg->value, d)) { + if (do_devices && errno == EPERM) { + WARN("Error setting %s to %s for %s", + cg->subsystem, cg->value, d->name); + continue; + } ERROR("Error setting %s to %s for %s", cg->subsystem, cg->value, d->name); goto out; diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c index 79912c08c..860d8f456 100644 --- a/src/lxc/cgmanager.c +++ b/src/lxc/cgmanager.c 
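Review bot: `errno = ENOENT;` is assigned before `lxc_cgroup_get_hierarchy_abs_path_data()` runs, so if that helper fails after touching errno itself, the caller sees whatever it left behind rather than ENOENT. do_setup_cgroup_limits now branches on `errno == EPERM` to decide whether a failure may be ignored, so the value should be deterministic. Setting it on the failure path would do that, by closing the `if (path)` block with `} else { errno = ENOENT; }`. This assumes do_cgroup_set() leaves a meaningful errno on failure, which is not visible here since the function starts outside the hunk. A short comment such as `/* callers inspect errno on failure; keep it intact across free() */` above `int saved_errno = errno;` would record the new contract.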
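Review bot: The `do_devices && errno == EPERM` branch in do_setup_cgroup_limits skips every devices entry that is refused, not only the "allow a device our parent denied" case the commit message describes. If a `devices.deny` write is rejected with EPERM, the container still starts with that restriction unapplied, which fails open. Narrowing the guard to allow rules would keep deny failures fatal, e.g. `if (do_devices && errno == EPERM && strcmp(cg->subsystem, "devices.allow") == 0) {`, assuming cg->subsystem holds the full file name as its use in lxc_cgroup_set_data suggests. The cgmanager.c hunk has the same exposure and is wider still, because it continues on any error. The WARN text is identical to the ERROR text below it; something like `WARN("Ignoring EPERM setting %s to %s for %s", ...)` would tell operators the rule was skipped.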
@@ -1523,6 +1523,14 @@ static bool cgm_setup_limits(void *hdata, struct lxc_list *cgroup_settings, bool d->cgroup_path, cg->subsystem, cg->value) != 0) { NihError *nerr; nerr = nih_error_get(); + if (do_devices) { + WARN("call to cgmanager_set_value_sync failed: %s", nerr->message); + nih_free(nerr); + WARN("Error setting cgroup %s:%s limit type %s", controller, + d->cgroup_path, cg->subsystem); + continue; + } + ERROR("call to cgmanager_set_value_sync failed: %s", nerr->message); nih_free(nerr); ERROR("Error setting cgroup %s:%s limit type %s", controller,
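Review bot: The new `if (do_devices)` branch in cgm_setup_limits carries no comment explaining why every cgmanager failure is tolerated for devices. That rationale exists only in the commit message. A comment above the branch would keep it with the code, for example `/* cgmanager does not report errno, so any devices failure is treated like EPERM and skipped */`. The second WARN reuses the ERROR wording and omits `cg->value`, so the log does not show which rule was dropped or that startup continued; `WARN("Ignoring failure to set cgroup %s:%s %s to %s", controller, d->cgroup_path, cg->subsystem, cg->value);` would make that auditable. The loop body continues outside the hunk.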