[Devel] [PATCH rh9] cgroup-v1: Allow setting release_agent from root Container user_ns

Konstantin Khorenko khorenko at virtuozzo.com
Fri May 27 14:10:06 MSK 2022 


--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 27.05.2022 00:28, Pavel Tikhomirov wrote:
> 
> 
> On 26.05.2022 18:42, Konstantin Khorenko wrote:
>> ms commit 24f600856418 ("cgroup-v1: Require capabilities to set
>> release_agent") restricts release_agent configuration to init user_ns
>> only, so let's tune checks to allow release_agent configuration from top
>> Container user_ns as well as we have release_agent virtualized per-CT in
>> Virtuozzo kernel.
>>
>> https://jira.sw.ru/browse/PSBM-140174
>>
>> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
>> Feature: cgroup: per-CT cgroup release_agent
>> ---
>>    kernel/cgroup/cgroup-v1.c | 7 ++++---
>>    1 file changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
>> index f321e6691c46..a9dc9c2004d4 100644
>> --- a/kernel/cgroup/cgroup-v1.c
>> +++ b/kernel/cgroup/cgroup-v1.c
>> @@ -555,8 +555,8 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
>>    	 * Release agent gets called with all capabilities,
>>    	 * require capabilities to set release agent.
>>    	 */
>> -	if ((of->file->f_cred->user_ns != &init_user_ns) ||
>> -	    !capable(CAP_SYS_ADMIN))
>> +	if ((of->file->f_cred->user_ns != ve_init_user_ns()) ||
> 
> Would the above check prohibit setting release agent of a container
> cgroup from host? It should not break CRIU as we do
> prepare_cgroup_properties() from ve, but just in case we would need it
> for something.

Pasha, you are the sniper of the day. :)

# vzctl resume 100
...
running: /bin/grep  Error  /vz/private/100/dump/Dump/restore.log
(00.311205) Error (criu/cgroup.c:1592): cg: Failed writing /usr/lib/systemd/systemd-cgroups-agent to 
systemd//100/release_agent: Operation not permitted
(00.346252) Error (criu/cr-restore.c:3172): Restoring FAILED.
The restore log was saved in /vz/private/100/dump/Dump/restore.log
vcmmd: unregister
* Done wait status start ret=4 errcode=17
* Failed to configure [17]
criu exited with rc=17
Stopping the Container ...

> 
>> +	    !ve_capable(CAP_SYS_ADMIN))
>>    		return -EPERM;
>>    
>>    	cgrp = cgroup_kn_lock_live(of->kn, false);
>> @@ -1089,7 +1089,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
>>    		 * Release agent gets called with all capabilities,
>>    		 * require capabilities to set release agent.
>>    		 */
>> -		if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
>> +		if ((fc->user_ns != ve_init_user_ns()) ||
>> +		    !ve_capable(CAP_SYS_ADMIN))
>>    			return invalfc(fc, "Setting release_agent not allowed");
>>    		ctx->release_agent = param->string;
>>    		param->string = NULL;
>

More information about the Devel mailing list