core/cgroup: assigning empty string to Delegate= resets list of controllers (#7336)

Before this, assigning empty string to Delegate= makes no change to the controller list. This is inconsistent to the other options that take list of strings. After this, when empty string is assigned to Delegate=, the list of controllers is reset. Such behavior is consistent to other options and useful for drop-in configs. Closes #7334.
2025-02-27 13:57:26 +03:00 · 2017-11-17 18:04:25 +09:00 · 2017-11-17 18:04:25 +09:00 · 1bdfc7b951
commit 1bdfc7b951
parent cefdf55b58
3 changed files with 13 additions and 3 deletions
--- a/man/systemd.resource-control.xml
+++ b/man/systemd.resource-control.xml
@ -723,7 +723,8 @@
          enabled for the unit, making them available to the unit's processes for management. If false, delegation is
          turned off entirely (and no additional controllers are enabled). If set to a list of controllers, delegation
          is turned on, and the specified controllers are enabled for the unit. Note that assigning the empty string
-          will enable delegation, but not enable any additional controllers. Defaults to false.</para>
+          will enable delegation, but reset the list of controllers, all assignments prior to this will have no effect.
+          Defaults to false.</para>

          <para>Note that controller delegation to less privileged code is only safe on the unified control group
          hierarchy. Accordingly, access to the specified controllers will not be granted to unprivileged services on
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@ -395,9 +395,12 @@ static int bus_cgroup_set_transient_property(
                                return r;

                        c->delegate = true;
-                        c->delegate_controllers |= mask;
+                        if (mask == 0)
+                                c->delegate_controllers = 0;
+                        else
+                                c->delegate_controllers |= mask;

-                        unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", t);
+                        unit_write_drop_in_private_format(u, mode, name, "Delegate=%s", strempty(t));
                }

                return 1;
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -3297,6 +3297,12 @@ int config_parse_delegate(
         * off for all. Or it takes a list of controller names, in which case we add the specified controllers to the
         * mask to delegate. */

+        if (isempty(rvalue)) {
+                c->delegate = true;
+                c->delegate_controllers = 0;
+                return 0;
+        }
+
        r = parse_boolean(rvalue);
        if (r < 0) {
                const char *p = rvalue;