Prevent slices from accessing cgroups fs
author
Sapan Bhatia
<gwsapan@gmail.com>
Tue, 22 Jan 2013 15:12:36 +0000
(10:12 -0500)
committer
Sapan Bhatia
<gwsapan@gmail.com>
Tue, 22 Jan 2013 15:12:36 +0000
(10:12 -0500)
lxcsu
[changed mode: 0755->0644]
diff --git
a/lxcsu
b/lxcsu
old mode 100755
(executable)
new mode 100644
(file)
index
dc24ec1
..
abc98be
--- a/
lxcsu
+++ b/
lxcsu
@@
-9,6
+9,11
@@
import sys
drop_capabilities='cap_sys_admin,cap_sys_boot,cap_sys_module'.split(',')
drop_capabilities='cap_sys_admin,cap_sys_boot,cap_sys_module'.split(',')
+def umount(fs_dir):
+ output = os.popen('/bin/umount %s 2>&1'%fs_dir).read()
+ return ('device is busy' not in fs_dir)
+
+
"""
parser = OptionParser()
parser.add_option("-n", "--net",
"""
parser = OptionParser()
parser.add_option("-n", "--net",
@@
-96,6
+101,20
@@
r3 = setns.chcontext('/proc/%s/ns/net'%pid)
open('/proc/lxcsu','w').write(pid)
open('/proc/pidsu','w').write(pid)
open('/proc/lxcsu','w').write(pid)
open('/proc/pidsu','w').write(pid)
+# cgroups is not yet LXC-safe, so we need to use the course grained access control
+# strategy of unmounting the filesystem
+
+umount_result = True
+for subsystem in ['cpuset','cpu,cpuacct','memory','devices','freezer','net_cls','blkio','perf_event']:
+ fs_path = '/sys/fs/cgroup/%s'%subsystem
+ if (not umount(fs_path)):
+ print "Error disabling cgroup access"
+ exit(1)
+
+if (not umount('/sys/fs/cgroup')):
+ print "Error disabling cgroup access"
+ exit(1)
+
pid = os.fork()
cap_args = map(lambda c:'--drop='+c, drop_capabilities)
pid = os.fork()
cap_args = map(lambda c:'--drop='+c, drop_capabilities)
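Review bot: `umount()` in the first hunk tests the wrong variable — `return ('device is busy' not in fs_dir)` inspects the path argument instead of the captured `output`, so it returns True for every path and a failed unmount is never reported; the `exit(1)` guards in the second hunk therefore cannot fire and a slice would keep cgroup access silently. Even with `output` substituted, matching one error string misses other failures (not mounted, permission denied, a differently worded message), so check the exit status instead: `rc = subprocess.call(['/bin/umount', fs_dir])` then `return rc == 0`, with `import subprocess` added next to the existing imports (outside the hunk), which also removes the shell string assembled with `%`. The file-mode change 0755->0644 in the header drops the executable bit from the script, which looks unintended if `lxcsu` is invoked directly, and the added comment should read `coarse-grained` rather than `course grained`. The unmount loop in the second hunk is module-level code that continues past the hunk; whether the process is already in a private mount namespace at that point is not visible here, and if it is not, these umounts would alter the host's own /sys/fs/cgroup view — worth confirming against the setns calls above.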