Add a new helper function to change the permissions of a control group.

Signed-off-by: Richard Weinberger <richard@xxxxxx>
---
 src/lxc/lxc_controller.c |  7 +++++++
 src/util/vircgroup.c     | 43 +++++++++++++++++++++++++++++++++++++++++++
 src/util/vircgroup.h     |  2 ++
 3 files changed, 52 insertions(+)

diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index f7b614b..6e348b3 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -2223,6 +2223,13 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
         goto cleanup;
     }
 
+    /* setup control group permissions for user namespace */
+    if (ctrl->def->idmap.uidmap) {
+        if (virCgroupSetOwner(ctrl->cgroup, ctrl->def->idmap.uidmap[0].target,
+                              ctrl->def->idmap.gidmap[0].target))
+            goto cleanup;
+    }
+
     if (lxcContainerSendContinue(containerposthandshake[0]) < 0) {
         virReportSystemError(errno, "%s",
                              _("Unable to send container continue message"));
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index a6d60c5..b66ffed 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
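Review bot: `ctrl->def->idmap.gidmap[0].target` is dereferenced in the new call's second argument while the guard only tests `uidmap`, so a domain definition carrying a uid map but no gid map dereferences NULL here. Guard both maps: `if (ctrl->def->idmap.uidmap && ctrl->def->idmap.gidmap) {`. The return value is tested with a bare `if (...)` while the neighbouring `lxcContainerSendContinue` check uses `< 0`; `if (virCgroupSetOwner(...) < 0)` keeps the file's convention. Handing the cgroup directory to the first mapping's target uid presumably lets the container's root write its own controller files, so a comment stating that this is the intended delegation would help the next reader. virLXCControllerRun starts and ends outside the hunk.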
@@ -3252,6 +3252,49 @@ cleanup:
     return ret;
 }
 
+int virCgroupSetOwner(virCgroupPtr cgroup, uid_t uid, gid_t gid) {
+    size_t i;
+
+    for (i = 0; i < VIR_CGROUP_CONTROLLER_LAST; i++) {
+        char *base, *entry;
+        DIR *dh;
+        struct dirent *de;
+
+        if (virAsprintf(&base, "%s%s", cgroup->controllers[i].mountPoint,
+                        cgroup->controllers[i].placement) < 0) {
+            virReportOOMError();
+            return -1;
+        }
+
+        dh = opendir(base);
+        while ((de = readdir(dh)) != NULL) {
+            if (STREQ(de->d_name, ".") ||
+                STREQ(de->d_name, ".."))
+                continue;
+
+            if (virAsprintf(&entry, "%s/%s", base, de->d_name) < 0) {
+                VIR_FREE(base);
+                virReportOOMError();
+            }
+
+            if (chown(entry, uid, gid) < 0)
+                virReportSystemError(errno, _("cannot chown '%s' to (%u, %u)"),
+                                     entry, uid, gid);
+
+            VIR_FREE(entry);
+        }
+        closedir(dh);
+
+        if (chown(base, uid, gid) < 0)
+            virReportSystemError(errno, _("cannot chown '%s' to (%u, %u)"),
+                                 base, uid, gid);
+
+        VIR_FREE(base);
+    }
+
+    return 0;
+}
+
 
 /**
  * virCgroupSupportsCpuBW():
diff --git a/src/util/vircgroup.h b/src/util/vircgroup.h
index a70eb18..6e00f28 100644
--- a/src/util/vircgroup.h
+++ b/src/util/vircgroup.h
@@ -225,4 +225,6 @@ int virCgroupIsolateMount(virCgroupPtr group,
 bool virCgroupSupportsCpuBW(virCgroupPtr cgroup);
 
+int virCgroupSetOwner(virCgroupPtr cgroup, uid_t uid, gid_t gid);
+
 
 #endif /* __VIR_CGROUP_H__ */
-- 
1.8.4.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list