Hi,
On Tue, 08 Feb 2011 15:35:48 +0100
Jiri Slaby <[email protected]> wrote:
>
> ============================
>
>
> cgrules.conf are as simple as:
> xslaby * cpu0/
> man * cpu1/
> * * others/
>
>
> ============================
>
>
> And now if I run the program under root as:
> # cgexec -g *:cpu1 --sticky ./fork
> the children are moved into the cpu0 group despite the sticky option.
> The same as for non-sticky case.
Thank you for testing.
> static void child(unsigned int id)
> {
>     if (setuid(1000))
>         err(2, "setuid");
>     sleep(5+id);
>     exit(id);
> }
I can reproduce this problem by using your test program.
And if the setuid(1000) call is removed from the program, the children are *not*
moved to the other group.
The source of the problem is that the cgrulesengd daemon does not check whether
a process is sticky when setuid(2)/setgid(2) happens.
The attached patch fixes this problem.
After applying this patch, the cgrulesengd daemon doesn't move a stickied
process, as in the following:
o Without --sticky option.
# cgexec -g *:cpu1 ./fork & sleep 2; ps -C fork ; echo "<cpu0>"; cat /mnt/cpu/cpu0/tasks; echo "<cpu1>"; cat /mnt/cpu/cpu1/tasks
PID TTY TIME CMD
19170 pts/1 00:00:00 fork
19172 pts/1 00:00:00 fork
19173 pts/1 00:00:00 fork
19174 pts/1 00:00:00 fork
19175 pts/1 00:00:00 fork
19176 pts/1 00:00:00 fork
<cpu0>
<cpu1>
19170
o With --sticky option.
# cgexec -g *:cpu1 --sticky ./fork & sleep 2; ps -C fork ; echo "<cpu0>"; cat /mnt/cpu/cpu0/tasks; echo "<cpu1>"; cat /mnt/cpu/cpu1/tasks
PID TTY TIME CMD
19181 pts/1 00:00:00 fork
19183 pts/1 00:00:00 fork
19184 pts/1 00:00:00 fork
19185 pts/1 00:00:00 fork
19186 pts/1 00:00:00 fork
19187 pts/1 00:00:00 fork
<cpu0>
<cpu1>
19181
19183
19184
19185
19186
19187
#
Thanks
Ken'ichi Ohmichi
---
[PATCH] Make --sticky option effective when setuid(2) and setgid(2).
A cgrulesengd daemon did not check whether a process is stickied when
setuid(2)/setgid(2) happens, and the daemon moved the process based on
/etc/cgrules.conf.
So the --sticky option was not effective when setuid(2)/setgid(2) happens.
This patch makes --sticky effective when setuid(2) and setgid(2) happen as well.
Signed-off-by: Ken'ichi Ohmichi <[email protected]>
diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
index 69165bf..a2f9549 100644
--- a/src/daemon/cgrulesengd.c
+++ b/src/daemon/cgrulesengd.c
@@ -339,6 +339,12 @@ int cgre_process_event(const struct proc_event *ev, const
int type)
switch (type) {
case PROC_EVENT_UID:
case PROC_EVENT_GID:
+ /*
+ * If the unchanged process, the daemon should not change the
+ * cgroup of the process.
+ */
+ if (cgre_is_unchanged_process(ev->event_data.id.process_pid))
+ return 0;
pid = ev->event_data.id.process_pid;
break;
case PROC_EVENT_FORK:
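Review bot: In the PROC_EVENT_UID/PROC_EVENT_GID case the new check reads ev->event_data.id.process_pid and the very next line assigns the same field to pid; assign pid first and call cgre_is_unchanged_process(pid) so the check and the value used afterwards cannot drift apart. The comment "If the unchanged process" is incomplete and does not say why the event is dropped; wording such as "A process marked unchanged (for example by cgexec --sticky) must keep its cgroup across setuid/setgid" would document the intent. The early return 0 also skips everything after the switch for these two event types, so the commit message should state that nothing further needs to run for a stickied process here.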
_______________________________________________
Libcg-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libcg-devel