/*
 * Hand the cgroup at cgroup_path under the given controller over to the
 * container's mapped ids, then open it up so the container can create
 * child cgroups inside it.
 *
 * The chown itself is performed by chown_cgroup_wrapper, run through
 * userns_exec_1() so it happens inside a user namespace; the chmod calls
 * are made directly afterwards from this context.
 *
 * Returns true on success or when conf has no id mapping at all (there is
 * nothing to re-own in that case), false if the namespaced chown or any of
 * the chmod calls fails.
 */
static bool chown_cgroup(const char *controller, const char *cgroup_path, struct lxc_conf *conf)
{
	/* Entries the container must be able to write: the cgroup directory
	 * itself plus the two files used to move tasks into it. */
	static const char *const targets[] = { "", "tasks", "cgroup.procs" };
	struct chown_data data;
	size_t i;

	/* Without an id map no uid translation happens, so ownership can stay as is. */
	if (lxc_list_empty(&conf->id_map))
		return true;

	data.controller = controller;
	data.cgroup_path = cgroup_path;
	data.origuid = geteuid();

	if (userns_exec_1(conf, chown_cgroup_wrapper, &data) < 0) {
		ERROR("Error requesting cgroup chown in new namespace");
		return false;
	}

	/* 0775: group write so the container can create cgroups; the first
	 * failure aborts, leaving the remaining entries untouched. */
	for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
		if (!lxc_cgmanager_chmod(controller, cgroup_path, targets[i], 0775))
			return false;
	}

	return true;
}
/* Internal helper. Must be called with the cgmanager dbus socket open */
/*
 * Hand the cgroup at cgroup_path over to the container's mapped ids for
 * every controller in the active subsystem list, then open each one up so
 * the container can create child cgroups.
 *
 * The chown is delegated to chown_cgroup_wrapper through userns_exec_1();
 * the chmod calls run afterwards from this context against either
 * subsystems_inone (when cgm_supports_multiple_controllers is set) or
 * subsystems.
 *
 * Returns true on success or when conf has no id mapping (nothing to
 * re-own), false if the namespaced chown or any chmod call fails.
 */
static bool chown_cgroup(const char *cgroup_path, struct lxc_conf *conf)
{
	/* Entries the container must be able to write in each controller. */
	static const char *const targets[] = { "", "tasks", "cgroup.procs" };
	struct chown_data data;
	char **ctrl;
	size_t i;

	/* Without an id map no uid translation happens, so ownership can stay as is. */
	if (lxc_list_empty(&conf->id_map))
		return true;

	data.cgroup_path = cgroup_path;
	data.origuid = geteuid();

	/* Unpriv users can't chown it themselves, so chown from a child
	 * namespace mapping both our own and the target uid. */
	if (userns_exec_1(conf, chown_cgroup_wrapper, &data) < 0) {
		ERROR("Error requesting cgroup chown in new namespace");
		return false;
	}

	/* Now chmod 775 the directory else the container cannot create cgroups.
	 * This can't be done in the child namespace because it only group-owns
	 * the cgroup. The first failure aborts the whole walk. */
	ctrl = cgm_supports_multiple_controllers ? subsystems_inone : subsystems;
	for (; *ctrl; ctrl++) {
		for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
			if (!lxc_cgmanager_chmod(*ctrl, cgroup_path, targets[i], 0775))
				return false;
		}
	}

	return true;
}