libcontainer/cgroups/fscommon: add openat2 support #2668
Rebased on top of #2666 to fix CI
CI failure is shfmt that went crazy; caused by mvdan/sh#628. Restarted travis.
Should be fixed by #2671
@AkihiroSuda @cyphar @mrunalp can you please re-review? I think I have addressed all concerns and review comments
@AkihiroSuda @cyphar @mrunalp PTAL
In case openat2 is available, it will be used to guarantee that we're not accessing anything other than cgroupfs[2] files. In cases when openat2 is not available, or when cgroup has a non-standard prefix (not "/sys/fs/cgroup", which might theoretically be the case on some very old installs and/or very custom systems), fall back to using securejoin + os.Open like we did before. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case we get ENOSYS from openat2(2), this is expected, so log that we're falling back to using securejoin as debug. Otherwise, log it as a warning (as the error is unexpected, but we're still good to go). Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
LGTM, thanks!
(based on previous work in PRs #2604, #2605, #2635; originally part of #2598)
In case openat2 is available, it will be used to guarantee that we're not accessing anything other than cgroupfs[2] files.
In cases when openat2 is not available, or when cgroup has a non-standard prefix (not "/sys/fs/cgroup", which might theoretically be the case on some very old installs and/or very custom systems), fall back to using securejoin + os.Open like we did before.
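
The openat2-or-fallback decision described in this pull request, as an added example that is not runc's code from this PR. The names `openBeneath` and `openHow`, the raw syscall number, the choice of RESOLVE_* flags and the simplified fallback (standing in for securejoin + os.Open) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
	"unsafe"
)

type openHow struct{ Flags, Mode, Resolve uint64 } // struct open_how, openat2(2)
// 437 is openat2 on amd64/arm64 (assumed target); the mask is RESOLVE_NO_XDEV |
// RESOLVE_NO_MAGICLINKS | RESOLVE_NO_SYMLINKS | RESOLVE_BENEATH.
const sysOpenat2, resolveStrict = 437, 0x01 | 0x02 | 0x04 | 0x08

func openat2(dir *os.File, name string) (*os.File, error) {
	p, err := syscall.BytePtrFromString(name)
	if err != nil {
		return nil, err
	}
	how := openHow{Flags: syscall.O_RDONLY | syscall.O_CLOEXEC, Resolve: resolveStrict}
	fd, _, e := syscall.Syscall6(sysOpenat2, dir.Fd(), uintptr(unsafe.Pointer(p)), uintptr(unsafe.Pointer(&how)), unsafe.Sizeof(how), 0, 0)
	if e != 0 {
		return nil, e
	}
	return os.NewFile(fd, name), nil
}

// openBeneath opens name under root and reports whether openat2 enforced it.
func openBeneath(root, name string) (*os.File, bool, error) {
	dir, err := os.Open(root)
	if err != nil {
		return nil, false, err
	}
	defer dir.Close()
	// Probe once; ENOSYS (old kernel) or any other failure selects the fallback.
	if probe, perr := openat2(dir, "."); perr == nil {
		probe.Close()
		f, err := openat2(dir, name)
		return f, true, err
	}
	// Stand-in for securejoin + os.Open; O_NOFOLLOW guards only the last component.
	f, err := os.OpenFile(filepath.Join(root, filepath.Clean("/"+name)), syscall.O_NOFOLLOW, 0)
	return f, false, err
}

func main() {
	f, viaOpenat2, err := openBeneath("/sys/fs/cgroup", "cgroup.controllers")
	fmt.Println("openat2 used:", viaOpenat2, "opened:", f != nil, "err:", err)
}
```

With openat2 the kernel rejects `..` escapes, symlinks and mount crossings during the lookup itself; the fallback path in this example is only a lexical approximation of that guarantee.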