/*
 * Hand the cgroup at cgroup_path (in the given controller) over to the
 * container's mapped ids, then make it group-writable so the container can
 * create child cgroups in it.
 *
 * The chown itself runs inside a user namespace built from conf->id_map
 * (userns_exec_1 executes chown_cgroup_wrapper there); with an empty id map
 * there is nothing to hand over and the call is a no-op that succeeds.
 *
 * Returns true on success, false if the namespaced chown or any of the
 * chmods fails (the chown failure is also logged).
 */
static bool chown_cgroup(const char *controller, const char *cgroup_path,
			struct lxc_conf *conf)
{
	/* Directory itself first, then the two files the container must write. */
	static const char *const files[] = { "", "tasks", "cgroup.procs" };

	if (lxc_list_empty(&conf->id_map))
		return true;

	struct chown_data data = {
		.controller = controller,
		.cgroup_path = cgroup_path,
		.origuid = geteuid(),
	};

	if (userns_exec_1(conf, chown_cgroup_wrapper, &data) < 0) {
		ERROR("Error requesting cgroup chown in new namespace");
		return false;
	}

	/*
	 * 0775 is deliberate: the group (the container's mapped id after the
	 * chown above) needs write access or it cannot create cgroups.
	 */
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++) {
		if (!lxc_cgmanager_chmod(controller, cgroup_path, files[i], 0775))
			return false;
	}

	return true;
}
/*
 * Internal helper.  Must be called with the cgmanager dbus socket open.
 *
 * Hand the cgroup at cgroup_path, in every controller hierarchy, over to the
 * container's mapped ids and then open it up (0775) so the container can
 * create child cgroups.
 *
 * With an empty id map there is nothing to hand over and the call succeeds
 * without doing anything.  Returns false if the namespaced chown fails
 * (logged) or if any chmod fails.
 */
static bool chown_cgroup(const char *cgroup_path, struct lxc_conf *conf)
{
	/* Directory itself first, then the two files the container must write. */
	static const char *const files[] = { "", "tasks", "cgroup.procs" };
	char **controllers;

	if (lxc_list_empty(&conf->id_map))
		return true;

	struct chown_data data = {
		.cgroup_path = cgroup_path,
		.origuid = geteuid(),
	};

	/*
	 * An unprivileged caller cannot chown the cgroup directly, so it is done
	 * from a child user namespace that maps both our own uid and the target
	 * uid.
	 */
	if (userns_exec_1(conf, chown_cgroup_wrapper, &data) < 0) {
		ERROR("Error requesting cgroup chown in new namespace");
		return false;
	}

	/*
	 * The chmod to 775 has to happen here rather than in the child namespace,
	 * which only group-owns the cgroup; without it the container cannot
	 * create cgroups.  When cgmanager accepts several controllers per call,
	 * the combined list is walked instead of the per-subsystem one.
	 */
	controllers = cgm_supports_multiple_controllers ? subsystems_inone
						      : subsystems;

	for (char **ctrl = controllers; *ctrl; ctrl++) {
		for (size_t f = 0; f < sizeof(files) / sizeof(files[0]); f++) {
			if (!lxc_cgmanager_chmod(*ctrl, cgroup_path, files[f], 0775))
				return false;
		}
	}

	return true;
}