mirror of
https://github.com/morgan9e/systemd
synced 2026-04-14 16:37:19 +09:00
Currently, if we use a cgroup namespace together with DelegateSubgroup=, the subgroup becomes the root of the cgroup namespace because we move the service process to the subgroup before we unshare the cgroup namespace, and the current cgroup becomes the root of the cgroup namespace when we unshare the cgroup namespace.

Let's fix the problem by not moving the service process to the subgroup until we've unshared the cgroup namespace. Note that this doesn't break the primary use case of CLONE_INTO_CGROUP since we still use it to immediately clone into the service main cgroup, just not anymore into the subgroup, but this shouldn't matter in practice.

Additionally, we need special handling for control processes, as those *do* need to get spawned into the subcgroup immediately if delegation is configured to avoid violating the cgroupsv2 "no inner processes" rule.

Effectively, this leaves us with the following logic:

- In exec_spawn(), spawn into subgroup if we're spawning a control process that needs to be spawned into a subgroup immediately. Otherwise, spawn into main service cgroup.
- In exec_invoke(), move into subgroup early if we don't need a cgroup namespace. Otherwise, move into subgroup after we've unshared the cgroup namespace.
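The ordering effect described in the commit message, as an added illustration in C (not systemd code and not part of the commit). It models only how the cgroup namespace root is fixed at unshare time; `ns_view()`, `payload_view()` and the `demo.service`/`payload` names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Path of host cgroup `cg` as seen from a cgroup namespace rooted at host
 * cgroup `root` (the relative form /proc/self/cgroup reports inside it). */
static const char *ns_view(const char *root, const char *cg, char *buf, size_t n) {
    size_t i, common = 0, len = 0;
    for (i = 0;; i++) {  /* longest common prefix ending on a component boundary */
        int re = root[i] == '\0' || root[i] == '/';
        int ce = cg[i] == '\0' || cg[i] == '/';
        if (re && ce) common = i;
        if (root[i] == '\0' || root[i] != cg[i]) break;
    }
    if (n == 0) return NULL;
    buf[0] = '\0';
    for (const char *p = root + common; *p; p++)  /* one ".." per level of root below the common ancestor */
        if (*p == '/' && p[1]) {
            if (len + 4 > n) return NULL;
            memcpy(buf + len, "/..", 4);
            len += 3;
        }
    if (len + strlen(cg + common) + 2 > n) return NULL;
    strcpy(buf + len, cg + common);
    if (buf[0] == '\0') strcpy(buf, "/");  /* cg is the namespace root itself */
    return buf;
}

/* The payload's own cgroup as it appears inside the namespace once setup is done.
 * unshare_first = 0 models the ordering before this change (move, then unshare),
 * unshare_first = 1 the ordering after it (unshare, then move). */
static const char *payload_view(const char *service, const char *sub,
                                int unshare_first, char *buf, size_t n) {
    char subcg[256];
    if (snprintf(subcg, sizeof subcg, "%s/%s", service, sub) >= (int) sizeof subcg)
        return NULL;
    /* The namespace root is whichever cgroup the process is in when it unshares. */
    const char *ns_root = unshare_first ? service : subcg;
    return ns_view(ns_root, subcg, buf, n);
}

int main(void) {
    char buf[256];
    const char *svc = "/system.slice/demo.service";  /* constructed sample names */
    printf("move, then unshare: %s\n", payload_view(svc, "payload", 0, buf, sizeof buf));
    printf("unshare, then move: %s\n", payload_view(svc, "payload", 1, buf, sizeof buf));
    return 0;
}
```

With the old ordering the payload sees itself at `/`, so the delegated subgroup has become the namespace root; with the new ordering it sees `/payload` beneath the service cgroup.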