Merge branch 'fix-cgroup-root' into 'master'

Fix bug where cgroup mount prefix not stripped from cgroup root

See merge request nvidia/container-toolkit/libnvidia-container!139

Author: klueska

src/cgroup.c

@@ -108,9 +108,10 @@ nvcgo_find_device_cgroup_path_1_svc(ptr_t ctxptr, int dev_cg_version, char *proc
         struct error *err = (struct error[]){0};
         struct nvcgo *nvcgo = (struct nvcgo *)ctxptr;
         char path[PATH_MAX] = {};
-        char *cgroup_path = NULL;
+        char *cgroup_mount_prefix = NULL;
         char *cgroup_mount = NULL;
         char *cgroup_root = NULL;
+        char *cgroup_path = NULL;
         char *rerr = NULL;
         int rv = -1;
 
@@ -127,12 +128,12 @@ nvcgo_find_device_cgroup_path_1_svc(ptr_t ctxptr, int dev_cg_version, char *proc
         if (perm_set_capabilities(err, CAP_EFFECTIVE, ecaps[NVC_CONTAINER], ecaps_size(NVC_CONTAINER)) < 0)
                 goto fail;
 
-        if ((rv = nvcgo->api.GetDeviceCGroupMountPath(dev_cg_version, proc_root, mp_pid, &cgroup_mount, &rerr)) < 0) {
+        if ((rv = nvcgo->api.GetDeviceCGroupMountPath(dev_cg_version, proc_root, mp_pid, &cgroup_mount_prefix, &cgroup_mount, &rerr)) < 0) {
                 error_setx(err, "failed to get device cgroup mount path: %s", rerr);
                 goto fail;
         }
 
-        if ((rv = nvcgo->api.GetDeviceCGroupRootPath(dev_cg_version, proc_root, rp_pid, &cgroup_root, &rerr)) < 0) {
+        if ((rv = nvcgo->api.GetDeviceCGroupRootPath(dev_cg_version, proc_root, cgroup_mount_prefix, rp_pid, &cgroup_root, &rerr)) < 0) {
                 error_setx(err, "failed to get device cgroup root path: %s", rerr);
                 goto fail;
         }

src/nvcgo/internal/cgroup/api.go

@@ -29,8 +29,8 @@ import (
 type DeviceRule = specs.LinuxDeviceCgroup
 
 type Interface interface {
-	GetDeviceCGroupMountPath(procRootPath string, pid int) (string, error)
-	GetDeviceCGroupRootPath(procRootPath string, pid int) (string, error)
+	GetDeviceCGroupMountPath(procRootPath string, pid int) (string, string, error)
+	GetDeviceCGroupRootPath(procRootPath string, prefix string, pid int) (string, error)
 	AddDeviceRules(cgroupPath string, devices []DeviceRule) error
 }
 

src/nvcgo/internal/cgroup/v1.go

@@ -24,13 +24,13 @@ import (
 	"strings"
 )
 
-// GetDeviceCGroupMountPath returns the mount path for the device cgroup controller associated with pid
-func (c *cgroupv1) GetDeviceCGroupMountPath(procRootPath string, pid int) (string, error) {
+// GetDeviceCGroupMountPath returns the mount path (and its prefix) for the device cgroup controller associated with pid
+func (c *cgroupv1) GetDeviceCGroupMountPath(procRootPath string, pid int) (string, string, error) {
 	// Open the pid's mountinfo file in /proc.
 	path := fmt.Sprintf(filepath.Join(procRootPath, "proc", "%v", "mountinfo"), pid)
 	file, err := os.Open(path)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 	defer file.Close()
 
@@ -43,7 +43,7 @@ func (c *cgroupv1) GetDeviceCGroupMountPath(procRootPath string, pid int) (strin
 		// Split each entry by '[space]'
 		parts := strings.Split(scanner.Text(), " ")
 		if len(parts) < 5 {
-			return "", fmt.Errorf("malformed mountinfo entry: %v", scanner.Text())
+			return "", "", fmt.Errorf("malformed mountinfo entry: %v", scanner.Text())
 		}
 		// Look for an entry with cgroup as the mount type.
 		if parts[len(parts)-3] != "cgroup" {
@@ -53,15 +53,21 @@ func (c *cgroupv1) GetDeviceCGroupMountPath(procRootPath string, pid int) (strin
 		if filepath.Base(parts[4]) != "devices" {
 			continue
 		}
-		// Return the 4th element as the mount point of the devices cgroup.
-		return parts[4], nil
+		// Make sure the mount prefix is not a relative path.
+		if strings.HasPrefix(parts[3], "/..") {
+			return "", "", fmt.Errorf("relative path in mount prefix: %v", parts[3])
+		}
+		// Return the 3rd element as the prefix of the mount point for
+		// the devices cgroup and the 4th element as the mount point of
+		// the devices cgroup itself.
+		return parts[3], parts[4], nil
 	}
 
-	return "", fmt.Errorf("no cgroup filesystem mounted for the devices subsytem in mountinfo file")
+	return "", "", fmt.Errorf("no cgroup filesystem mounted for the devices subsytem in mountinfo file")
 }
 
-// GetDeviceCGroupMountPath returns the root path for the device cgroup controller associated with pid
-func (c *cgroupv1) GetDeviceCGroupRootPath(procRootPath string, pid int) (string, error) {
+// GetDeviceCGroupRootPath returns the root path for the device cgroup controller associated with pid
+func (c *cgroupv1) GetDeviceCGroupRootPath(procRootPath string, prefix string, pid int) (string, error) {
 	// Open the pid's cgroup file in /proc.
 	path := fmt.Sprintf(filepath.Join(procRootPath, "proc", "%v", "cgroup"), pid)
 	file, err := os.Open(path)
@@ -81,12 +87,16 @@ func (c *cgroupv1) GetDeviceCGroupRootPath(procRootPath string, pid int) (string
 		if len(parts) != 3 {
 			return "", fmt.Errorf("malformed cgroup entry: %v", scanner.Text())
 		}
-		// Look for the devices subsystem in the 2st element.
+		// Look for the devices subsystem in the 1st element.
 		if parts[1] != "devices" {
 			continue
 		}
-		// Return the cgroup root from the 2nd element.
-		return parts[2], nil
+		// Return the cgroup root from the 2nd element
+		// (with the prefix possibly stripped off).
+		if prefix == "/" {
+			return parts[2], nil
+		}
+		return strings.TrimPrefix(parts[2], prefix), nil
 	}
 
 	return "", fmt.Errorf("no devices cgroup entries found")
@@ -96,17 +106,17 @@ func (c *cgroupv1) GetDeviceCGroupRootPath(procRootPath string, pid int) (string
 func (c *cgroupv1) AddDeviceRules(cgroupPath string, rules []DeviceRule) error {
 	// Loop through all rules in the set of device rules and add that rule to the device.
 	for _, rule := range rules {
-                err := c.addDeviceRule(cgroupPath, &rule)
-                if err != nil {
-                        return err
-                }
+		err := c.addDeviceRule(cgroupPath, &rule)
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil
 }
 
 func (c *cgroupv1) addDeviceRule(cgroupPath string, rule *DeviceRule) error {
-        // Check the major/minor numbers of the device in the device rule.
+	// Check the major/minor numbers of the device in the device rule.
 	if rule.Major == nil {
 		return fmt.Errorf("no major set in device rule")
 	}
@@ -126,7 +136,7 @@ func (c *cgroupv1) addDeviceRule(cgroupPath string, rule *DeviceRule) error {
 	if err != nil {
 		return err
 	}
-        defer file.Close()
+	defer file.Close()
 
 	// Write the device rule into the file.
 	_, err = file.WriteString(fmt.Sprintf("%s %d:%d %s", rule.Type, *rule.Major, *rule.Minor, rule.Access))

src/nvcgo/internal/cgroup/v2.go

@@ -32,13 +32,13 @@ const (
 	BpfProgramLicense = "Apache"
 )
 
-// GetDeviceCGroupMountPath returns the mount path for the device cgroup controller associated with pid
-func (c *cgroupv2) GetDeviceCGroupMountPath(procRootPath string, pid int) (string, error) {
+// GetDeviceCGroupMountPath returns the mount path (and its prefix) for the device cgroup controller associated with pid
+func (c *cgroupv2) GetDeviceCGroupMountPath(procRootPath string, pid int) (string, string, error) {
 	// Open the pid's mountinfo file in /proc.
 	path := fmt.Sprintf(filepath.Join(procRootPath, "proc", "%v", "mountinfo"), pid)
 	file, err := os.Open(path)
 	if err != nil {
-		return "", err
+		return "", "", err
 	}
 	defer file.Close()
 
@@ -51,21 +51,27 @@ func (c *cgroupv2) GetDeviceCGroupMountPath(procRootPath string, pid int) (strin
 		// Split each entry by '[space]'
 		parts := strings.Split(scanner.Text(), " ")
 		if len(parts) < 5 {
-			return "", fmt.Errorf("malformed mountinfo entry: %v", scanner.Text())
+			return "", "", fmt.Errorf("malformed mountinfo entry: %v", scanner.Text())
 		}
 		// Look for an entry with cgroup2 as the mount type.
 		if parts[len(parts)-3] != "cgroup2" {
 			continue
 		}
-		// Return the 4th element as the moint point of the devices cgroup.
-		return parts[4], nil
+		// Make sure the mount prefix is not a relative path.
+		if strings.HasPrefix(parts[3], "/..") {
+			return "", "", fmt.Errorf("relative path in mount prefix: %v", parts[3])
+		}
+		// Return the 3rd element as the prefix of the mount point for
+		// the devices cgroup and the 4th element as the mount point of
+		// the devices cgroup itself.
+		return parts[3], parts[4], nil
 	}
 
-	return "", fmt.Errorf("no cgroup2 filesystem in mountinfo file")
+	return "", "", fmt.Errorf("no cgroup2 filesystem in mountinfo file")
 }
 
-// GetDeviceCGroupMountPath returns the root path for the device cgroup controller associated with pid
-func (c *cgroupv2) GetDeviceCGroupRootPath(procRootPath string, pid int) (string, error) {
+// GetDeviceCGroupRootPath returns the root path for the device cgroup controller associated with pid
+func (c *cgroupv2) GetDeviceCGroupRootPath(procRootPath string, prefix string, pid int) (string, error) {
 	// Open the pid's cgroup file in /proc.
 	path := fmt.Sprintf(filepath.Join(procRootPath, "proc", "%v", "cgroup"), pid)
 	file, err := os.Open(path)
@@ -85,11 +91,16 @@ func (c *cgroupv2) GetDeviceCGroupRootPath(procRootPath string, pid int) (string
 		if len(parts) != 3 {
 			return "", fmt.Errorf("malformed cgroup entry: %v", scanner.Text())
 		}
+		// Look for the (empty) subsystem in the 1st element.
 		if parts[1] != "" {
 			continue
 		}
-		// Return the cgroup root from the 2nd element.
-		return parts[2], nil
+		// Return the cgroup root from the 2nd element
+		// (with the prefix possibly stripped off).
+		if prefix == "/" {
+			return parts[2], nil
+		}
+		return strings.TrimPrefix(parts[2], prefix), nil
 	}
 
 	return "", fmt.Errorf("no cgroupv2 entries in file")

src/nvcgo/main.go

@@ -54,32 +54,33 @@ func GetDeviceCGroupVersion(rootPath *C.char, pid C.pid_t, version *C.int, rerr
 }
 
 //export GetDeviceCGroupMountPath
-func GetDeviceCGroupMountPath(version C.int, procRootPath *C.char, pid C.pid_t, cgroupMountPath **C.char, rerr **C.char) C.int {
+func GetDeviceCGroupMountPath(version C.int, procRootPath *C.char, pid C.pid_t, cgroupMountPath **C.char, cgroupRootPrefix **C.char, rerr **C.char) C.int {
 	api, err := cgroup.New(int(version))
 	if err != nil {
 		*rerr = C.CString(fmt.Sprintf("unable to create cgroupv%v interface: %v", version, err))
 		return -1
 	}
 
-	p, err := api.GetDeviceCGroupMountPath(C.GoString(procRootPath), int(pid))
+	p, r, err := api.GetDeviceCGroupMountPath(C.GoString(procRootPath), int(pid))
 	if err != nil {
 		*rerr = C.CString(err.Error())
 		return -1
 	}
 	*cgroupMountPath = C.CString(p)
+	*cgroupRootPrefix= C.CString(r)
 
 	return 0
 }
 
 //export GetDeviceCGroupRootPath
-func GetDeviceCGroupRootPath(version C.int, procRootPath *C.char, pid C.int, cgroupRootPath **C.char, rerr **C.char) C.int {
+func GetDeviceCGroupRootPath(version C.int, procRootPath *C.char, cgroupRootPrefix *C.char, pid C.int, cgroupRootPath **C.char, rerr **C.char) C.int {
 	api, err := cgroup.New(int(version))
 	if err != nil {
 		*rerr = C.CString(fmt.Sprintf("unable to create cgroupv%v interface: %v", version, err))
 		return -1
 	}
 
-	p, err := api.GetDeviceCGroupRootPath(C.GoString(procRootPath), int(pid))
+	p, err := api.GetDeviceCGroupRootPath(C.GoString(procRootPath), C.GoString(cgroupRootPrefix), int(pid))
 	if err != nil {
 		*rerr = C.CString(err.Error())
 		return -1