[Devel] [PATCH RH7 2/2] Allow write to several safe cgroup files from CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Mon Mar 21 06:54:41 PDT 2016


Add flag CFTYPE_VE_WRITABLE to identify cgroup files writable in CT.

File memory.use_hierarchy is safe to set in CT and needed by
systemd, it only makes memory cgroup accounting fully hierarchic.

Files tasks and cgroup.procs are needed to move tasks to top CT
cgroups - that is also safe.

https://jira.sw.ru/browse/PSBM-44981
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 include/linux/cgroup.h | 1 +
 kernel/cgroup.c        | 5 ++++-
 mm/memcontrol.c        | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index ed5e6ac..aad06e8 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -416,6 +416,7 @@ struct cgroup_map_cb {
 #define CFTYPE_ONLY_ON_ROOT	(1U << 0)	/* only create on root cg */
 #define CFTYPE_NOT_ON_ROOT	(1U << 1)	/* don't create on root cg */
 #define CFTYPE_INSANE		(1U << 2)	/* don't create if sane_behavior */
+#define CFTYPE_VE_WRITABLE	(1U << 15)	/* allow write from CT */
 
 #define MAX_CFTYPE_NAME		64
 
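Review bot: The comment on `CFTYPE_VE_WRITABLE` does not say which restriction the flag lifts, and the jump from bit 2 to bit 15 is unexplained. In this patch the flag is tested only in the container write check in cgroup_file_write(), so I would spell that out, for example `/* VE: skip the top-level cgroup write restriction for non-super VEs; set only on files whose write handler is safe for container input */`. A short remark on why bit 15 was chosen (presumably to stay clear of flags added upstream) would help whoever rebases this later.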
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index fa4eeb5..5afeb59 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2413,7 +2413,8 @@ static ssize_t cgroup_file_write(struct file *file, const char __user *buf,
 	 */
 	if (!ve_is_super(get_exec_env())
 	    && (!cgrp->parent || !cgrp->parent->parent)
-	    && !get_exec_env()->is_pseudosuper)
+	    && !get_exec_env()->is_pseudosuper
+	    && !(cft->flags & CFTYPE_VE_WRITABLE))
 		return -EPERM;
 #endif
 
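Review bot: The new clause exempts a flagged file for both halves of `(!cgrp->parent || !cgrp->parent->parent)`, so a cgroup with no parent (the hierarchy root) becomes writable from a non-super VE, not only the first-level cgroups the description talks about. Whether a container can reach a root-cgroup file is not visible here, but if it is never meant to, the exemption can be limited with `&& !(cgrp->parent && (cft->flags & CFTYPE_VE_WRITABLE)))`. The comment that ends just above the condition should also mention the flag, since it now describes only part of the check. cgroup_file_write() starts and ends outside this hunk.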
@@ -4065,6 +4066,7 @@ static int cgroup_clone_children_write(struct cgroup *cgrp,
 static struct cftype files[] = {
 	{
 		.name = "tasks",
+		.flags = CFTYPE_VE_WRITABLE,
 		.open = cgroup_tasks_open,
 		.write_u64 = cgroup_tasks_write,
 		.release = cgroup_pidlist_release,
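Review bot: Marking `tasks` writable from a container (and `procs` in the next hunk) makes cgroup_tasks_write() and cgroup_procs_write() the only barrier for writes to a container's top-level cgroups, and neither handler is visible in this patch. The description says this is safe but not why; it should name the check that confines the written pid to tasks the writer may move (pid-namespace lookup and credential comparison, presumably). A comment on each flag line such as `/* CT-writable: handler must only accept pids visible to the writer */` would record that contract next to the flag. The `files[]` array continues outside both hunks.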
@@ -4072,6 +4074,7 @@ static struct cftype files[] = {
 	},
 	{
 		.name = CGROUP_FILE_GENERIC_PREFIX "procs",
+		.flags = CFTYPE_VE_WRITABLE,
 		.open = cgroup_procs_open,
 		.write_u64 = cgroup_procs_write,
 		.release = cgroup_pidlist_release,
diff --git a/mm/memcontrol.c b/mm/memcontrol.c
index 6009ff5..9672d54 100644
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -6229,7 +6229,7 @@ static struct cftype mem_cgroup_files[] = {
 	},
 	{
 		.name = "use_hierarchy",
-		.flags = CFTYPE_INSANE,
+		.flags = CFTYPE_INSANE | CFTYPE_VE_WRITABLE,
 		.write_u64 = mem_cgroup_hierarchy_write,
 		.read_u64 = mem_cgroup_hierarchy_read,
 	},
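Review bot: The flag lets a container write any value to `use_hierarchy` on its top-level memory cgroup, while the description only argues that enabling hierarchy is safe. If mem_cgroup_hierarchy_write(), which is outside this hunk, accepts 0 from a container, memory charged in child cgroups created afterwards may no longer count against the container's own limit. Please confirm the handler refuses that case, or add a guard there along the lines of `if (!ve_is_super(get_exec_env()) && val != 1) return -EPERM;`. The `mem_cgroup_files[]` array starts and ends outside the hunk.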
-- 
1.9.3


