cgroup: don't enable bpf pseudo-controllers when doing a wildcard delegation

We can only delegate actual controllers, not the BPF pseudo-controllers we defined as there's imply no concept for that. Hence, when users set Delegate=yes to do a wildcard delegation, only delegate the regular controllers. This means that we won't bother with BPF stuff for such units where it's entirelly unnecessary.
2025-02-08 09:57:41 +03:00 · 2024-01-24 22:40:04 +01:00 · 2024-01-24 22:40:04 +01:00 · 677e6c14b1
commit 677e6c14b1
parent b009782b5d
3 changed files with 6 additions and 3 deletions
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@ -67,10 +67,13 @@ typedef enum CGroupMask {
        /* All real cgroup v2 controllers */
        CGROUP_MASK_V2 = CGROUP_MASK_CPU|CGROUP_MASK_CPUSET|CGROUP_MASK_IO|CGROUP_MASK_MEMORY|CGROUP_MASK_PIDS,

+        /* All controllers we want to delegate in case of Delegate=yes. Which are prety much the v2 controllers only, as delegation on v1 is not safe, and bpf stuff isn't a real controller */
+        CGROUP_MASK_DELEGATE = CGROUP_MASK_V2,
+
        /* All cgroup v2 BPF pseudo-controllers */
        CGROUP_MASK_BPF = CGROUP_MASK_BPF_FIREWALL|CGROUP_MASK_BPF_DEVICES|CGROUP_MASK_BPF_FOREIGN|CGROUP_MASK_BPF_SOCKET_BIND|CGROUP_MASK_BPF_RESTRICT_NETWORK_INTERFACES,

-        _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1
+        _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1,
 } CGroupMask;

 static inline CGroupMask CGROUP_MASK_EXTEND_JOINED(CGroupMask mask) {
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@ -542,7 +542,7 @@ static int bus_cgroup_set_transient_property(

                if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
                        c->delegate = b;
-                        c->delegate_controllers = b ? _CGROUP_MASK_ALL : 0;
+                        c->delegate_controllers = b ? CGROUP_MASK_DELEGATE : 0;

                        unit_write_settingf(u, flags, name, "Delegate=%s", yes_no(b));
                }
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -4036,7 +4036,7 @@ int config_parse_delegate(

        } else if (r > 0) {
                c->delegate = true;
-                c->delegate_controllers = _CGROUP_MASK_ALL;
+                c->delegate_controllers = CGROUP_MASK_DELEGATE;
        } else {
                c->delegate = false;
                c->delegate_controllers = 0;