Remove stale cgroup v2 dependency and references

Signed-off-by: Cong Wang <cwang@multikernel.io>

Author: congwang-mk

src/sandlock/__init__.py

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
 """Sandlock: Lightweight process sandbox.
 
-Uses Landlock, seccomp, and cgroup v2 for process confinement
+Uses Landlock and seccomp for process confinement
 without root or namespaces.
 """
 
@@ -21,7 +21,6 @@
     ConfinementError,
     LandlockUnavailableError,
     SeccompError,
-    CgroupError,
     ChildError,
     MemoryProtectError,
     NotifError,

src/sandlock/_cgroup.py

@@ -12,7 +12,7 @@
    socket.  The child runs save_fn and sends raw bytes back.
    This covers state that ptrace can't see (open sockets, epoll, etc.).
 
-Combined with BranchFS (O(1) filesystem snapshot) and cgroup freeze,
+Combined with BranchFS (O(1) filesystem snapshot) and SIGSTOP,
 this provides full checkpoint/restore without CRIU or root.
 
 Control socket protocol (for app-level state only):

src/sandlock/_checkpoint.py

@@ -4,7 +4,7 @@
 Each child is confined via Landlock (filesystem + network), seccomp
 (syscall blocklist + allowlist), and a seccomp user-notification
 supervisor for resource limits, /proc virtualization, and network
-enforcement.  No root or cgroups required.
+enforcement.  No root required.
 
 With the default ``policy.strict=True``, confinement failures (Landlock
 unavailable, seccomp installation failure) abort the child process.
@@ -129,11 +129,11 @@ class SandboxContext:
     """Fork-based sandbox context.
 
     Forks a child process and applies confinement (Landlock, seccomp,
-    cgroup v2) according to the given Policy.
+    seccomp) according to the given Policy.
 
     The child confinement sequence:
         1. setpgid(0, 0)                  — new process group
-        2. Add self to cgroup              — resource limits apply immediately
+        2. Apply resource limits            — RLIMIT_CPU, seccomp notif
         3. chroot(path) if policy.chroot   — optional path illusion
         4. confine(writable, readable)     — Landlock (irreversible)
         5. install notif filter + send fd  — seccomp user notification (optional)
@@ -325,7 +325,7 @@ def __enter__(self) -> "SandboxContext":
         # User namespace is only needed for privileged mode (UID 0 mapping)
         needs_userns = self._policy.privileged
         if needs_userns:
-            from ._userns import unshare_user_cgroup, setup_userns_in_parent, userns_available  # noqa: F811
+            from ._userns import unshare_user, setup_userns_in_parent, userns_available  # noqa: F811
 
         # Sync pipes for user namespace setup:
         #   child_to_parent: child signals "I've unshared"
@@ -374,12 +374,12 @@ def __enter__(self) -> "SandboxContext":
             try:
                 os.setpgid(0, 0)
 
-                # 1. User namespace for cgroup delegation (if needed)
+                # 1. User namespace for privileged mode (if needed)
                 if needs_userns and userns_c2p_w >= 0:
                     os.close(userns_c2p_r)
                     os.close(userns_p2c_w)
                     try:
-                        unshare_user_cgroup()
+                        unshare_user()
                         os.write(userns_c2p_w, b"1")  # Tell parent: unshared
                         os.close(userns_c2p_w)
                         os.read(userns_p2c_r, 1)       # Wait: maps written

src/sandlock/_context.py

@@ -92,7 +92,7 @@ def decide(
         Args:
             path: Resolved absolute path from the intercepted syscall.
             sandbox_pids: Set of PIDs belonging to this sandbox (from
-                cgroup).  Only used when ``isolate_pids`` is True.
+                the sandbox).  Only used when ``isolate_pids`` is True.
 
         Returns:
             (action, errno_code, virtual_content) tuple.

src/sandlock/_notif_policy.py

@@ -11,7 +11,7 @@
 
 Requires:
 - The target process must be a direct child (or ptrace-attachable).
-- The process should be frozen (cgroup.freeze) before dumping to
+- The process should be stopped (SIGSTOP) before dumping to
   guarantee a consistent snapshot.
 """
 
@@ -239,7 +239,7 @@ def _list_threads(pid: int) -> list[int]:
 def dump_process_state(pid: int) -> ProcessState:
     """Capture the full OS-level state of a frozen process.
 
-    The process must be stopped (cgroup.freeze or ptrace-stopped)
+    The process must be stopped (SIGSTOP or ptrace-stopped)
     before calling this.  Does NOT freeze/unfreeze — caller manages that.
 
     Steps:

src/sandlock/_ptrace.py

@@ -1,13 +1,11 @@
 # SPDX-License-Identifier: Apache-2.0
-"""User namespace helpers for unprivileged cgroup creation.
+"""User namespace helpers for privileged mode.
 
-When cgroup v2 delegation is not available (stock Ubuntu), sandlock
-uses CLONE_NEWUSER + CLONE_NEWCGROUP to create a new cgroup namespace.
-Inside the namespace the process has CAP_SYS_ADMIN and can create
-sub-cgroups with resource limits.
+Sandlock uses CLONE_NEWUSER to create a new user namespace for
+privileged mode (UID 0 mapping inside the sandbox).
 
-This module only creates user + cgroup namespaces — no PID, network,
-or mount namespaces are created.
+This module only creates user namespaces — no PID, network, or mount
+namespaces are created.
 """
 
 from __future__ import annotations
@@ -19,7 +17,6 @@
 _libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
 
 CLONE_NEWUSER = 0x10000000
-CLONE_NEWCGROUP = 0x02000000
 
 
 def setup_userns_in_parent(child_pid: int, privileged: bool = False) -> None:
@@ -42,20 +39,19 @@ def setup_userns_in_parent(child_pid: int, privileged: bool = False) -> None:
     _write_id_map(f"/proc/{child_pid}/gid_map", inner_gid, gid, 1)
 
 
-def unshare_user_cgroup() -> None:
-    """Create new user + cgroup namespaces via unshare(2).
+def unshare_user() -> None:
+    """Create a new user namespace via unshare(2).
 
     After this call (and after the parent writes uid/gid maps),
-    the process has CAP_SYS_ADMIN in the new user namespace and
-    can create cgroup sub-trees freely.
+    the process has CAP_SYS_ADMIN in the new user namespace.
 
     Raises:
         OSError: If unshare fails (e.g. kernel.unprivileged_userns_clone=0).
     """
-    ret = _libc.unshare(ctypes.c_int(CLONE_NEWUSER | CLONE_NEWCGROUP))
+    ret = _libc.unshare(ctypes.c_int(CLONE_NEWUSER))
     if ret < 0:
         err = ctypes.get_errno()
-        raise OSError(err, f"unshare(NEWUSER|NEWCGROUP): {os.strerror(err)}")
+        raise OSError(err, f"unshare(NEWUSER): {os.strerror(err)}")
 
 
 def userns_available() -> bool:

src/sandlock/_userns.py

@@ -172,14 +172,6 @@ def cmd_check(args: argparse.Namespace) -> int:
     except Exception as e:
         print(f"  seccomp:   error ({e})")
 
-    # cgroup v2
-    try:
-        from ._cgroup import _find_user_cgroup
-        cg = _find_user_cgroup()
-        print(f"  cgroup v2: available ({cg})")
-    except Exception as e:
-        print(f"  cgroup v2: not available ({e})")
-
     print()
     return 0
 

src/sandlock/cli.py

@@ -50,11 +50,6 @@ class NotifError(SeccompError):
     pass
 
 
-class CgroupError(SandboxError):
-    """cgroup creation/configuration failed."""
-
-    pass
-
 
 
 class ChildError(SandboxError):

src/sandlock/exceptions.py

@@ -2,7 +2,7 @@
 """Policy dataclasses for Sandlock sandbox configuration.
 
 A Policy is frozen after creation — live updates go through
-BPF maps + cgroup writes, not Policy mutation.
+BPF maps + seccomp notif, not Policy mutation.
 """
 
 from __future__ import annotations
@@ -140,7 +140,7 @@ class Policy:
     """TCP ports the sandbox may connect to.  Empty = unrestricted.
     Each entry is a port number or a ``"lo-hi"`` range string."""
 
-    # Resource limits (cgroup v2)
+    # Resource limits
     max_memory: str | int | None = None
     """Memory limit. String like '512M' or int bytes."""