On 05/13/2011 03:17 PM, Michal Hocko wrote:
> We cannot set up file or directory permissions in the configuration file
> (/etc/cgconfig.conf) while we can do this with the available tools.
> This patch adds two new options, fperm and dperm.
> The task section supports only fperm, because there are no directories
> involved, while the admin section supports both of them.
>
> Example:
> /etc/cgconfig.conf:
> mount {
>     cpu = /dev/cpuctl;
> }
> group devel {
>     perm {
>         task {
>             uid = root;
>             gid = cgroup;
>             fperm = 660;
>         }
>         admin {
>             uid = root;
>             gid = cgroup;
>             dperm = 775;
>         }
>     }
>     cpu {
>         cpu.shares = 5120;
>     }
> }
>
> $ tools/cgconfigparser -l /etc/cgconfig.conf
> $ ls -la /dev/cpuctl/devel/
> total 0
> drwxrwxr-x 2 root cgroup 0 May 13 15:22 .
> drwxr-xr-x 3 root root 0 May 13 15:22 ..
> -rw-r--r-- 1 root cgroup 0 May 13 15:22 cgroup.clone_children
> --w--w--w- 1 root cgroup 0 May 13 15:22 cgroup.event_control
> -r--r--r-- 1 root cgroup 0 May 13 15:22 cgroup.procs
> -rw-r--r-- 1 root cgroup 0 May 13 15:22 cpu.rt_period_us
> -rw-r--r-- 1 root cgroup 0 May 13 15:22 cpu.rt_runtime_us
> -rw-r--r-- 1 root cgroup 0 May 13 15:22 cpu.shares
> -rw-r--r-- 1 root cgroup 0 May 13 15:22 notify_on_release
> -rw-rw---- 1 root cgroup 0 May 13 15:22 tasks
>
> This patch enhances the parser callbacks to initialize cgroup->task_fperm
> and cgroup->control_[fd]perm and forces a chmod at the general
> cgroup_create_cgroup level. This is safe because everybody who uses a
> cgroup has those values initialized to -1 unless they are set, and then
> they should be used.
>
> Signed-off-by: Michal Hocko <[email protected]>
> ---
> src/api.c | 11 +++++++++++
> src/config.c | 24 ++++++++++++++++++++++++
> 2 files changed, 35 insertions(+), 0 deletions(-)
>
> diff --git a/src/api.c b/src/api.c
> index 53c76e8..eb9f902 100644
> --- a/src/api.c
> +++ b/src/api.c
> @@ -1456,6 +1456,13 @@ int cgroup_create_cgroup(struct cgroup *cgroup, int
> ignore_ownership)
> cgroup_dbg("Changing ownership of %s\n", fts_path[0]);
> error = cg_chown_recursive(fts_path,
> cgroup->control_uid, cgroup->control_gid);
> + if (!error) {
> + error = cg_chmod_recursive(cgroup,
> + cgroup->control_dperm,
> + cgroup->control_dperm !=
> NO_PERMS,
> + cgroup->control_fperm,
> + cgroup->control_fperm !=
> NO_PERMS);
> + }
cg_chmod_recursive works on entire cgroup, while cg_chown_recursive
works per controller.
And when looking at cg_chmod_recursive, it is badly broken: it changes
permissions only in the first hierarchy the cgroup is in. There is a
simple way to fix it, I've already sent a patch. With my patch, you
can then use cg_chmod_recursive_controller() here + add new argument
owner_is_umask to it in your patch 3/3, you don't need
__cg_chmod_recursive() then.
> }
>
> if (error)
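Review bot: the new cg_chmod_recursive() call passes `cgroup->control_dperm` and `cgroup->control_fperm` each together with a separate `!= NO_PERMS` boolean, which duplicates state across four arguments; letting the callee treat NO_PERMS as "leave the mode unchanged" would drop the two flags and keep the sentinel check in one place. It also mirrors the mismatch already raised in this thread: cg_chown_recursive() is applied to `fts_path` (one controller path), while the chmod in the same `if (!error)` block is applied to the whole `cgroup`, so the per-path chown and the whole-cgroup chmod do not cover the same files on each iteration.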
> @@ -1502,11 +1509,15 @@ int cgroup_create_cgroup(struct cgroup *cgroup, int
> ignore_ownership)
> }
> error = chown(path, cgroup->tasks_uid,
> cgroup->tasks_gid);
> + if (!error && cgroup->task_fperm != NO_PERMS)
> + error = chmod(path, cgroup->task_fperm);
> +
> if (error) {
> last_errno = errno;
> error = ECGOTHER;
> goto err;
> }
> +
> }
> free(base);
> base = NULL;
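Review bot: the added empty line after the closing `}` of the `if (error)` block is unrelated whitespace churn; drop it from the patch. The chmod itself is placed correctly: it runs before the existing `if (error)` check, so a chmod failure is reported through the same `last_errno = errno; error = ECGOTHER;` path as a chown failure.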
> diff --git a/src/config.c b/src/config.c
> index 4f5d04a..5c57eee 100644
> --- a/src/config.c
> +++ b/src/config.c
> @@ -236,6 +236,14 @@ int cgroup_config_group_task_perm(char *perm_type, char
> *value)
> config_cgroup->tasks_gid = val;
> }
>
> + if(!strcmp(perm_type, "fperm")) {
> + char *endptr;
> + val = strtol(value, &endptr, 8);
> + if (*endptr)
> + goto group_task_error;
> + config_cgroup->task_fperm = val;
> + }
> +
> free(perm_type);
> free(value);
> return 1;
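Review bot: `if (*endptr)` is too weak a check for the octal value. strtol() accepts an empty string (endptr == value, val = 0, so `fperm = ;` silently gives the tasks file mode 0), leading whitespace and a sign (so `fperm = -1;` stores the same -1 that the commit message uses as the "not set" sentinel and is then treated as unset), and values above 07777 that do not fit into mode bits. Suggest `if (endptr == value || *endptr || val < 0 || val > 07777) goto group_task_error;`. Also `if(!strcmp(...))` is missing the space before the parenthesis that the other `if` in the hunk uses.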
> @@ -302,6 +310,22 @@ int cgroup_config_group_admin_perm(char *perm_type, char
> *value)
> config_cgroup->control_gid = val;
> }
>
> + if(!strcmp(perm_type, "fperm")) {
> + char *endptr;
> + val = strtol(value, &endptr, 8);
> + if (*endptr)
> + goto admin_error;
> + config_cgroup->control_fperm = val;
> + }
> +
> + if(!strcmp(perm_type, "dperm")) {
> + char *endptr;
> + val = strtol(value, &endptr, 8);
> + if (*endptr)
> + goto admin_error;
> + config_cgroup->control_dperm = val;
> + }
> +
> free(perm_type);
> free(value);
> return 1;
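Review bot: the strtol block is now copied three times (task fperm, admin fperm, admin dperm) with the same `*endptr` check; factor it into one small helper so the input validation (reject empty string, sign, trailing text, values above 07777) is written once and the task and admin parsers cannot drift apart. Separately, this is a user-visible syntax change with no matching documentation in the patch: the cgconfig.conf documentation should gain the fperm and dperm keys and state that the value is octal, which the `660`/`775` values in the example already rely on.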
_______________________________________________
Libcg-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libcg-devel
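As an added example, not part of the patch or of libcgroup, the following C snippet shows what a strict parser for the octal fperm/dperm values would look like, covering the inputs the `*endptr` check above lets through (empty string, sign, trailing text, values above 07777). `parse_mode()` and `mode_value()` are hypothetical helpers, and `NO_PERMS` is defined here as -1 only to mirror the "initialized to -1" sentinel the commit message describes; none of these definitions come from the project.

```c
/* Added example (not libcgroup code, not part of the patch): a strict
 * parser for the octal fperm/dperm values of cgconfig.conf.  parse_mode()
 * and mode_value() are hypothetical helpers; NO_PERMS is defined here as
 * -1 to mirror the "initialized to -1" sentinel the commit message describes. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define NO_PERMS ((long)-1)  /* assumed definition of the "not set" sentinel */

/* Parse "660", "0775", ... into a mode.  Returns 0 and stores the mode on
 * success; -1 when the string is empty, starts with whitespace or a sign,
 * contains a non-octal digit or trailing text, overflows, or exceeds 07777. */
int parse_mode(const char *value, mode_t *mode)
{
    char *endptr;
    long val;

    if (value == NULL || *value == '\0')
        return -1;               /* strtol("") returns 0 with no error */
    if (*value < '0' || *value > '7')
        return -1;               /* strtol would skip spaces and accept +/- */
    errno = 0;
    val = strtol(value, &endptr, 8);
    if (errno != 0 || *endptr != '\0')
        return -1;               /* overflow, '8'/'9', or trailing garbage */
    if (val > 07777)
        return -1;               /* only permission bits (incl. suid/sgid/sticky) */
    *mode = (mode_t)val;
    return 0;
}

/* Convenience wrapper: the parsed mode, or NO_PERMS when the string is
 * rejected, so a caller can keep using a "!= NO_PERMS" guard. */
long mode_value(const char *value)
{
    mode_t mode;

    if (parse_mode(value, &mode) != 0)
        return NO_PERMS;
    return (long)mode;
}

int main(void)
{
    /* constructed sample inputs: two valid modes and six that must be rejected */
    const char *samples[] = { "660", "0775", "", "-1", "668", "660 ", " 660", "17777" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long m = mode_value(samples[i]);
        if (m == NO_PERMS)
            printf("%-8s -> rejected\n", samples[i]);
        else
            printf("%-8s -> %04lo\n", samples[i], m);
    }
    return 0;
}
```

The first-character test is what keeps strtol() from silently accepting leading whitespace and a sign, and the upper bound keeps the stored value inside the bits chmod() understands; with such a helper the task and admin parsers would share one validation path instead of three copies.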