Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
to containers.
Currently it is not safe to allow a container access to a resource controller.
Signed-off-by: Richard Weinberger <richard(a)nod.at>
---
src/lxc/lxc_container.c | 3 ++-
src/util/vircgroup.c | 5 ++++-
src/util/vircgroup.h | 3 ++-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c6bdc8c..abd2db4 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1654,7 +1654,8 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
/* Now we can re-mount the cgroups controllers in the
* same configuration as before */
- if (virCgroupIsolateMount(cgroup, "/.oldroot/", sec_mount_options) < 0)
+ if (virCgroupIsolateMount(cgroup, "/.oldroot/", sec_mount_options,
+ (1 << VIR_CGROUP_CONTROLLER_SYSTEMD)) < 0)
goto cleanup;
/* Mounts /dev */
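Review bot: The new argument `(1 << VIR_CGROUP_CONTROLLER_SYSTEMD)` encodes a security decision that is only explained in the commit message, so a later reader of lxc_container.c cannot see why every other controller is withheld from the container. I would extend the existing comment above the call to state the intent: `/* Only the systemd controller is delegated into the container; resource controllers stay on the host side because a container cannot yet be safely given access to them. */`. lxcContainerSetupPivotRoot starts and ends outside the hunk.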
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index b2666e8..c75de9f 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -3166,7 +3166,7 @@ virCgroupGetFreezerState(virCgroupPtr group, char **state)
int
virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
- const char *mountopts)
+ const char *mountopts, int controllers)
{
int ret = -1;
size_t i;
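Review bot: The new `controllers` parameter is not documented as a bitmask of `1 << VIR_CGROUP_CONTROLLER_*` values, and the prototype hunk in vircgroup.h has the same gap, so a caller passing a bare enum value such as `VIR_CGROUP_CONTROLLER_SYSTEMD` would silently select the wrong controllers. A comment on the declaration such as `/* controllers: bitmask of (1 << VIR_CGROUP_CONTROLLER_*) to mount inside the container; all others are withheld */` would close that. Declaring it `unsigned int` would also keep the `1 << i` tests well-defined should the controller count ever reach the sign bit, though with the current enum that is unlikely to matter. virCgroupIsolateMount's body continues past the hunk.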
@@ -3197,6 +3197,9 @@ virCgroupIsolateMount(virCgroupPtr group, const char *oldroot,
}
for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {
+ if (!((1 << i) & controllers))
+ continue;
+
if (!group->controllers[i].mountPoint)
continue;
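Review bot: A controller that is requested in `controllers` but has no `mountPoint` in the host group is still silently skipped by the existing `continue` on the following line, so the caller cannot tell that the systemd controller it asked for was never delegated into the container. Consider at least recording the mismatch, e.g. `VIR_DEBUG("Controller %zu requested but not mounted on host, skipping", i);` before that `continue`, or reporting an error when a requested controller is absent. The loop and the rest of virCgroupIsolateMount continue beyond the hunk.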
diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index 6e00f28..c005d28 100644
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -221,7 +221,8 @@ int virCgroupKillPainfully(virCgroupPtr group);
int virCgroupIsolateMount(virCgroupPtr group,
const char *oldroot,
- const char *mountopts);
+ const char *mountopts,
+ int controllers);
bool virCgroupSupportsCpuBW(virCgroupPtr cgroup);
--
1.8.4.5