libcontainer: cgroups: loudly fail with Set

cyphar · cyphar · commit 88e6d489f608 · 2015-12-19T11:30:47.000+11:00
It is vital to loudly fail when a user attempts to set a cgroup limit
(rather than using the system default). Otherwise the user will assume
they have security they do not actually have. This mirrors the original
Apply() (that would set cgroup configs) semantics.

Signed-off-by: Aleksa Sarai &lt;asarai@suse.com&gt;
diff --git a/libcontainer/cgroups/fs/apply_raw.go b/libcontainer/cgroups/fs/apply_raw.go
@@ -180,16 +180,24 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 }
 
 func (m *Manager) Set(container *configs.Config) error {
-	for name, path := range m.Paths {
+	for _, sys := range subsystems {
 		// We can't set this here, because after being applied, memcg doesn't
 		// allow a non-empty cgroup from having its limits changed.
-		if name == "memory" {
+		if sys.Name() == "memory" {
 			continue
 		}
-		sys, err := subsystems.Get(name)
-		if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
-			continue
+
+		// Generate fake cgroup data.
+		d, err := getCgroupData(container.Cgroups, -1)
+		if err != nil {
+			return err
 		}
+		// Get the path, but don't error out if the cgroup wasn't found.
+		path, err := d.path(sys.Name())
+		if err != nil && !cgroups.IsNotFound(err) {
+			return err
+		}
+
 		if err := sys.Set(path, container.Cgroups); err != nil {
 			return err
 		}
diff --git a/libcontainer/cgroups/systemd/apply_systemd.go b/libcontainer/cgroups/systemd/apply_systemd.go
@@ -438,16 +438,19 @@ func (m *Manager) GetStats() (*cgroups.Stats, error) {
 }
 
 func (m *Manager) Set(container *configs.Config) error {
-	for name, path := range m.Paths {
+	for _, sys := range subsystems {
 		// We can't set this here, because after being applied, memcg doesn't
 		// allow a non-empty cgroup from having its limits changed.
-		if name == "memory" {
+		if sys.Name() == "memory" {
 			continue
 		}
-		sys, err := subsystems.Get(name)
-		if err == errSubsystemDoesNotExist || !cgroups.PathExists(path) {
-			continue
+
+		// Get the subsystem path, but don't error out for not found cgroups.
+		path, err := getSubsystemPath(container.Cgroups, sys.Name())
+		if err != nil && !cgroups.IsNotFound(err) {
+			return err
 		}
+
 		if err := sys.Set(path, container.Cgroups); err != nil {
 			return err
 		}

Original file line number	Diff line number	Diff line change
`@@ -438,16 +438,19 @@ func (m Manager) GetStats() (cgroups.Stats, error) {`
`438`	`438`	`}`
`439`	`439`
`440`	`440`	`func (m Manager) Set(container configs.Config) error {`
`441`		`- for name, path := range m.Paths {`
	`441`	`+ for _, sys := range subsystems {`
`442`	`442`	`// We can't set this here, because after being applied, memcg doesn't`
`443`	`443`	`// allow a non-empty cgroup from having its limits changed.`
`444`		`- if name == "memory" {`
	`444`	`+ if sys.Name() == "memory" {`
`445`	`445`	`continue`
`446`	`446`	`}`
`447`		`- sys, err := subsystems.Get(name)`
`448`		`- if err == errSubsystemDoesNotExist \|\| !cgroups.PathExists(path) {`
`449`		`- continue`
	`447`	`+`
	`448`	`+ // Get the subsystem path, but don't error out for not found cgroups.`
	`449`	`+ path, err := getSubsystemPath(container.Cgroups, sys.Name())`
	`450`	`+ if err != nil && !cgroups.IsNotFound(err) {`
	`451`	`+ return err`
`450`	`452`	`}`
	`453`	`+`
`451`	`454`	`if err := sys.Set(path, container.Cgroups); err != nil {`
`452`	`455`	`return err`
`453`	`456`	`}`