author | Lennart Poettering <lennart@poettering.net> | 2024-11-27 14:50:01 +0100 |
committer | Mike Yuan <me@yhndnzj.com> | 2024-12-11 19:23:03 +0100 |
commit | 7f0a615ef8bec6d7e56ffbae566b3029e17817bd (patch) | |
tree | 41a9b75af82f6fef67d7376a8cc6e651e3f08669 /src/basic/virt.c | |
parent | man: document unprivileged is not for reading properties (diff) | |
virt: dont check for cgroupns anymore
Now that we have a reliable pidns check, I don't think we should look for cgroupns anymore; it's too weak a check. I mean, if I myself were to implement a desktop app sandbox (like flatpak), I'd always enable cgroupns, simply to hide the host cgroup hierarchy.
Hence drop the check.
I suggested adding this 4 years ago here:
https://github.com/systemd/systemd/pull/17902#issuecomment-745548306
Diffstat (limited to '')
-rw-r--r-- | src/basic/virt.c | 84 |
1 files changed, 0 insertions, 84 deletions
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 9dcafb9dea..7f9a7e9a24 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -9,7 +9,6 @@
 #include <unistd.h>
 #include "alloc-util.h"
-#include "cgroup-util.h"
 #include "dirent-util.h"
 #include "env-util.h"
 #include "errno-util.h"
@@ -579,80 +578,6 @@ static const char *const container_table[_VIRTUALIZATION_MAX] = {
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int);
-static int running_in_cgroupns(void) {
- int r;
-
- if (!cg_ns_supported())
- return false;
-
- r = namespace_is_init(NAMESPACE_CGROUP);
- if (r < 0)
- log_debug_errno(r, "Failed to test if in root cgroup namespace, ignoring: %m");
- else if (r > 0)
- return false;
-
- // FIXME: We really should drop the heuristics below.
-
- r = cg_all_unified();
- if (r < 0)
- return r;
-
- if (r) {
- /* cgroup v2 */
-
- r = access("/sys/fs/cgroup/cgroup.events", F_OK);
- if (r < 0) {
- if (errno != ENOENT)
- return -errno;
- /* All kernel versions have cgroup.events in nested cgroups. */
- return false;
- }
-
- /* There's no cgroup.type in the root cgroup, and future kernel versions
- * are unlikely to add it since cgroup.type is something that makes no sense
- * whatsoever in the root cgroup. */
- r = access("/sys/fs/cgroup/cgroup.type", F_OK);
- if (r == 0)
- return true;
- if (r < 0 && errno != ENOENT)
- return -errno;
-
- /* On older kernel versions, there's no cgroup.type */
- r = access("/sys/kernel/cgroup/features", F_OK);
- if (r < 0) {
- if (errno != ENOENT)
- return -errno;
- /* This is an old kernel that we know for sure has cgroup.events
- * only in nested cgroups. */
- return true;
- }
-
- /* This is a recent kernel, and cgroup.type doesn't exist, so we must be
- * in the root cgroup. */
- return false;
- } else {
- /* cgroup v1 */
-
- /* If systemd controller is not mounted, do not even bother. */
- r = access("/sys/fs/cgroup/systemd", F_OK);
- if (r < 0) {
- if (errno != ENOENT)
- return -errno;
- return false;
- }
-
- /* release_agent only exists in the root cgroup. */
- r = access("/sys/fs/cgroup/systemd/release_agent", F_OK);
- if (r < 0) {
- if (errno != ENOENT)
- return -errno;
- return true;
- }
-
- return false;
- }
-}
-
 static int running_in_pidns(void) {
 int r;
@@ -806,15 +731,6 @@ check_files:
 if (v != VIRTUALIZATION_NONE)
 goto finish;
- r = running_in_cgroupns();
- if (r > 0) {
- log_debug("Running in a cgroup namespace, assuming unknown container manager.");
- v = VIRTUALIZATION_CONTAINER_OTHER;
- goto finish;
- }
- if (r < 0)
- log_debug_errno(r, "Failed to detect cgroup namespace: %m");
-
 /* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
 * if all else fails we can check the inode number of our pid namespace and compare it. */
 if (running_in_pidns() > 0) { |