jailer: Better error message for failure of moving to cgroup

If no --cgroup parameters are specified and --cgroup-version=2 is
passed, the jailer moves the process to the cgroup specified with
--parent-cgroup rather than creating a cgroup under it, contrary to its
name. This move fails if the destination cgroup has domain controllers
(e.g. memory) enabled in cgroup.subtree_control, which is called "no
internal process constraint [1].

[1]: https://docs.kernel.org/admin-guide/cgroup-v2.html#no-internal-process-constraint
Signed-off-by: Takahiro Itazuri <[email protected]>

Author: zulinx86

src/jailer/src/env.rs

@@ -218,7 +218,7 @@ impl Env {
             let cg_parent_procs = cg_parent.join("cgroup.procs");
             if cg_parent.exists() {
                 fs::write(cg_parent_procs, std::process::id().to_string())
-                    .map_err(|_| JailerError::CgroupWrite(io::Error::last_os_error()))?;
+                    .map_err(|_| JailerError::CgroupMove(cg_parent, io::Error::last_os_error()))?;
             }
         }
 

src/jailer/src/main.rs

@@ -43,8 +43,11 @@ pub enum JailerError {
     CgroupInvalidVersion(String),
     #[error("Parent cgroup path is invalid. Path should not be absolute or contain '..' or '.'")]
     CgroupInvalidParentPath(),
-    #[error("Failed to write to cgroups file: {0}")]
-    CgroupWrite(io::Error),
+    #[error(
+        "Failed to move process to cgroup ({0}): {1}.\nHint: If you intended to create a child \
+         cgroup under {0}, pass any --cgroup parameters."
+    )]
+    CgroupMove(PathBuf, io::Error),
     #[error("Failed to change owner for {0}: {1}")]
     ChangeFileOwner(PathBuf, io::Error),
     #[error("Failed to chdir into chroot directory: {0}")]