use systemd dbus StartTransientUnit for unpriv cgroup2

If, when init'ing cgroups for a container start, we detect that we are an unprivileged user on a unified-hierarchy-only system, then we try to request systemd, through dbus api, to create a new scope for us with delegation. Call the cgroup it creates for us P1. We then create P1/init, move ourselves into there, so we can enable the controllers for delegation to P1's children through P1/cgroup.subtree_control. On attach, we try to request systemd attach us to the container's scope. We can't do that ourselves in the normal case, as root owns our login cgroups. Create a new command api for the lxc monitor to tell lxc-attach the systemd scope to which to attach. Changelog: * free cgroup_meta.systemd_scope in lxc_conf_free (Thanks Tycho) * fix some indent * address some (not all) of brauner's feedback Signed-off-by: Serge Hallyn <[email protected]>
scandian · Jun 21, 2022 · c55353f · c55353f
1 parent 0a73102
commit c55353f
Show file tree

Hide file tree

Showing 12 changed files with 524 additions and 18 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -26,7 +26,7 @@ jobs:
         run: |
           sudo apt-get update -qq
           sudo apt-get install -qq gcc clang meson llvm
-          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libsystemd-dev
 
       - name: Compiler version
         env:

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -25,7 +25,7 @@ jobs:
         run: |
           sudo apt-get update -qq
           sudo apt-get install -qq gcc clang
-          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev docbook2x libsystemd-dev
 
       - name: Compiler version
         run: |

diff --git a/.github/workflows/sanitizers.sh b/.github/workflows/sanitizers.sh
@@ -18,7 +18,7 @@ apt-get install --yes --no-install-recommends \
     libpam0g-dev libseccomp-dev libselinux1-dev libtool linux-libc-dev \
     llvm lsb-release make openssl pkg-config python3-all-dev \
     python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \
-    wget xz-utils systemd-coredump
+    wget xz-utils systemd-coredump libsystemd-dev
 apt-get remove --yes lxc-utils liblxc-common liblxc1 liblxc-dev
 
 ARGS="-Dprefix=/usr -Dtests=true -Dpam-cgroup=false -Dwerror=true -Dio-uring-event-loop=false -Db_lto_mode=default -Db_lundef=false"

diff --git a/.github/workflows/sanitizers.yml b/.github/workflows/sanitizers.yml
@@ -22,7 +22,7 @@ jobs:
         run: |
           sudo apt-get update -qq
           sudo apt-get install -qq gcc clang meson llvm
-          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x
+          sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev libselinux1-dev linux-libc-dev libpam0g-dev docbook2x libsystemd-dev
 
       - name: Compiler version
         env:

diff --git a/meson.build b/meson.build
@@ -151,6 +151,7 @@ want_oss_fuzz = get_option('oss-fuzz')
 want_seccomp = get_option('seccomp')
 want_thread_safety = get_option('thread-safety')
 want_memfd_rexec = get_option('memfd-rexec')
+want_sd_bus = get_option('sd-bus')
 
 srcconf.set_quoted('DEFAULT_CGROUP_PATTERN', cgrouppattern)
 if coverity
@@ -256,6 +257,49 @@ else
     srcconf.set10('HAVE_LIBURING', false)
 endif
 
+if not want_sd_bus.disabled()
+    has_sd_bus = true
+    sd_bus_optional = want_sd_bus.auto()
+
+    libsystemd = dependency('libsystemd', required: not sd_bus_optional)
+    if not libsystemd.found()
+        if not sd_bus_optional
+            error('missing required libsystemd dependency')
+        endif
+
+        has_sd_bus = false
+    endif
+
+    if not cc.has_header('systemd/sd-bus.h')
+        if not sd_bus_optional
+            error('libsystemd misses required systemd/sd-bus.h header')
+        endif
+
+        has_sd_bus = false
+    endif
+
+    if not cc.has_header('systemd/sd-event.h')
+        if not sd_bus_optional
+            error('libsystemd misses required systemd/sd-event.h header')
+        endif
+
+        has_sd_bus = false
+    endif
+
+    if not cc.has_function('sd_bus_call_method_asyncv', prefix: '#include <systemd/sd-bus.h>', dependencies: libsystemd) 
+        if not sd_bus_optional
+            error('libsystemd misses required sd_bus_call_method_asyncv function')
+        endif
+
+        has_sd_bus = false
+    endif
+
+    srcconf.set10('HAVE_LIBSYSTEMD', has_sd_bus)
+else
+    has_sd_bus = false
+    srcconf.set10('HAVE_LIBSYSTEMD', false)
+endif
+
 ## Time EPOCH.
 sh = find_program('sh')
 date = find_program('date')
@@ -639,6 +683,8 @@ endforeach
 found_headers = []
 missing_headers = []
 foreach tuple: [
+    ['systemd/sd-bus.h'],
+    ['systemd/sd-event.h'],
     ['sys/resource.h'],
     ['sys/memfd.h'],
     ['sys/personality.h'],
@@ -676,6 +722,7 @@ foreach tuple: [
     ['pam'],
     ['openssl'],
     ['liburing'],
+    ['libsystemd'],
 ]
 
     if tuple.length() >= 2
@@ -750,6 +797,10 @@ if want_io_uring
     liblxc_dependencies += [liburing]
 endif
 
+if has_sd_bus
+    liblxc_dependencies += [libsystemd]
+endif
+
 liblxc_link_whole = [liblxc_static]
 
 liblxc = shared_library(

diff --git a/meson_options.txt b/meson_options.txt
@@ -22,6 +22,9 @@ option('init-script', type : 'array',
 option('io-uring-event-loop', type: 'boolean', value: 'false',
        description: 'Enable io-uring based event loop')
 
+option('sd-bus', type: 'feature', value: 'auto',
+       description: 'Enable linking against sd-bus')
+
 # was --{disable,enable}-doc in autotools
 option('man', type: 'boolean', value: 'true',
        description: 'build and install manpages')