Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libcontainer/cgroups/fscommon: add openat2 support #2668

Merged
merged 2 commits into from
Dec 7, 2020
Merged

libcontainer/cgroups/fscommon: add openat2 support #2668

merged 2 commits into from
Dec 7, 2020

Conversation

kolyshkin
Copy link
Contributor

(based on previous work in PRs #2604, #2605, #2635; originally part of #2598)

In case openat2 is available, it will be used to guarantee
that we're not accessing anything other than cgroupfs[2] files.

In cases when openat2 is not available, or when cgroup has a
non-standard prefix (not "/sys/fs/cgroup", which might theoretically
be the case on some very old installs and/or very custom systems),
fall back to using securejoin + os.Open like we did before.

@kolyshkin kolyshkin mentioned this pull request Oct 29, 2020
Closed
4 tasks
@kolyshkin
Copy link
Contributor Author

Rebased on top of #2666 to fix CI

@kolyshkin
Copy link
Contributor Author

CI failure is shfmt that went crazy; caused by mvdan/sh#628.

Restarted travis.

@kolyshkin
Copy link
Contributor Author

CI failure is shfmt that went crazy; caused by mvdan/sh#628.

Should be fixed by #2671

@kolyshkin
Copy link
Contributor Author

@AkihiroSuda @cyphar @mrunalp can you please re-review? I think I have addressed all concerns and review comments

@kolyshkin
Copy link
Contributor Author

@AkihiroSuda @cyphar @mrunalp PTAL

@kolyshkin
libcontainer/cgroups/fscommon: add openat2 support
6bda460 
In case openat2 is available, it will be used to guarantee
that we're not accessing anything other than cgroupfs[2] files.

In cases when openat2 is not available, or when cgroup has a
non-standard prefix (not "/sys/fs/cgroup", which might theoretically
be the case on some very old installs and/or very custom systems),
fall back to using securejoin + os.Open like we did before.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
@kolyshkin
libct/cg/fscommon: log openat2 init failures
3c9b03f 
In case we get ENOSYS from openat2(2), this is expected, so log that
we're falling back to using securejoin as debug.

Otherwise, log it as a warning (as the error is unexpected, but we're
still good to go).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
cyphar
cyphar approved these changes Dec 7, 2020
View reviewed changes
Copy link
Member

@cyphar cyphar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@AkihiroSuda AkihiroSuda merged commit 4d8d989 into opencontainers:master Dec 7, 2020
@kolyshkin kolyshkin mentioned this pull request Feb 3, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyphar cyphar cyphar approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
area/cgroupv1 area/cgroupv2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kolyshkin @cyphar @AkihiroSuda