libcontainer: cgroups: loudly fail with Set

It is vital to loudly fail when a user attempts to set a cgroup limit (rather than using the system default). Otherwise the user will assume they have security they do not actually have. This mirrors the original Apply() (that would set cgroup configs) semantics. Signed-off-by: Aleksa Sarai <asarai@suse.com>
2015-12-17 20:13:06 +11:00 · 2015-12-17 20:13:06 +11:00 · 88e6d489f6
parent 8a740d5391
commit 88e6d489f6
2 changed files with 21 additions and 10 deletions
--- a/libcontainer/cgroups/fs/apply_raw.go
+++ b/libcontainer/cgroups/fs/apply_raw.go
@ -180,16 +180,24 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 }

 func (m *Manager) Set(container *configs.Config) error {
-	for name, path := range m.Paths {
+	for _, sys := range subsystems {
 		// We can't set this here, because after being applied, memcg doesn't
 		// allow a non-empty cgroup from having its limits changed.
-		if name == "memory" {
+		if sys.Name() == "memory" {
 			continue
 		}
-		sys, err := subsystems.Get(name)
-		if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
-			continue
+
+		// Generate fake cgroup data.
+		d, err := getCgroupData(container.Cgroups, -1)
+		if err != nil {
+			return err
 		}
+		// Get the path, but don't error out if the cgroup wasn't found.
+		path, err := d.path(sys.Name())
+		if err != nil && !cgroups.IsNotFound(err) {
+			return err
+		}
+
 		if err := sys.Set(path, container.Cgroups); err != nil {
 			return err
 		}
--- a/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/libcontainer/cgroups/systemd/apply_systemd.go
@ -438,16 +438,19 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 }

 func (m *Manager) Set(container *configs.Config) error {
-	for name, path := range m.Paths {
+	for _, sys := range subsystems {
 		// We can't set this here, because after being applied, memcg doesn't
 		// allow a non-empty cgroup from having its limits changed.
-		if name == "memory" {
+		if sys.Name() == "memory" {
 			continue
 		}
-		sys, err := subsystems.Get(name)
-		if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
-			continue
+
+		// Get the subsystem path, but don't error out for not found cgroups.
+		path, err := getSubsystemPath(container.Cgroups, sys.Name())
+		if err != nil && !cgroups.IsNotFound(err) {
+			return err
 		}
+
 		if err := sys.Set(path, container.Cgroups); err != nil {
 			return err
 		}