When a double-forking daemon spawns the shortlived forking process and
we fail to classify it in time, the child does not inherit (the
intended) cgroup membership.
We could process all children after receiving PROC_EVENT_FORK to remedy
this. But since we already have the timestamp logic introduced in
8953fc07c049 ("Changelog v2: * Use clock_gettime(2) for getting
timestamp since a system boot. * Change parent_info's memory to
dynamic allocation.")
and it may be too much work for all fork(2) calls, we extend the usage
of parent_info by assuming the parent would have changed its cgroup
membership by our actions even if it terminated quickly.
v2: Handle non-existent /proc/$PID/tasks as short-lived process too
Use cgroup_get_last_errno() helper
Signed-off-by: Michal Koutný <[email protected]>
---
src/daemon/cgrulesengd.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
index 0d288f3ca916..0d90b8b114b8 100644
--- a/src/daemon/cgrulesengd.c
+++ b/src/daemon/cgrulesengd.c
@@ -477,9 +477,13 @@ int cgre_process_event(const struct proc_event *ev, const
int type)
}
ret = cgroup_change_cgroup_flags(euid, egid, procname, pid,
CGFLAG_USECACHE);
- if ((ret == ECGOTHER) && (errno == ESRCH)) {
- /* A process finished already and that is not a problem. */
- ret = 0;
+ if (ret == ECGOTHER) {
+ /* A process finished already but we may have missed changing
it,
+ * make sure to apply to forked children. */
+ if (cgroup_get_last_errno() == ESRCH || cgroup_get_last_errno()
== ENOENT)
+ ret = cgre_store_parent_info(pid);
+ else
+ ret = 0;
} else if (ret) {
flog(LOG_WARNING,
"Cgroup change for PID: %d, UID: %d, GID: %d, PROCNAME:
%s FAILED! (Error Code: %d)\n",
--
2.21.0
_______________________________________________
Libcg-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libcg-devel
