assert(ret_path);
- r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 1, &p);
- if (r == -EACCES) {
- /* /proc/1/cgroup might not be accessible due
- * to security policy - assume sane default */
- p = strdup("/");
- if (!p)
- return -ENOMEM;
- } else if (r < 0)
- return r;
+ r = read_one_line_file(XCACHE_CGROUP_ROOT, &p);
+ if (r < 0) {
+ r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 1, &p);
+ if (r < 0)
+ return r;
+ }
e = endswith(p, "/" SPECIAL_INIT_SCOPE);
if (!e)
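Review bot: Dropping the `r == -EACCES` branch means this function now fails where it used to assume `/`: when the cache file cannot be read and /proc/1/cgroup is denied by policy, the inner `cg_pid_get_path()` error is returned as is. Unless every unprivileged caller is guaranteed a readable `XCACHE_CGROUP_ROOT` (not visible in this hunk), keep the old `-EACCES` → `strdup("/")` fallback on the inner call. The line read from the cache file is also used without any check; I would treat a value that is empty or does not start with `/` like a read failure and fall through to the /proc lookup, so a truncated or stale file cannot become the root path. The function body starts and ends outside the hunk.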
#define SPECIAL_SESSION_SLICE "session.slice"
#define SPECIAL_APP_SLICE "app.slice"
#define SPECIAL_BACKGROUND_SLICE "background.slice"
+
+#define XCACHE_CGROUP_ROOT "/run/systemd/x-cache-cgroup-root"
#include "process-util.h"
#include "procfs-util.h"
#include "restrict-ifaces.h"
+#include "smack-util.h"
#include "special.h"
#include "stdio-util.h"
#include "string-table.h"
#include "string-util.h"
+#include "umask-util.h"
#include "virt.h"
#if BPF_FRAMEWORK
* versions where PID 1 was moved there. Also see
* cg_get_root_path(). */
if (!e && MANAGER_IS_SYSTEM(m)) {
+ /* Cache pid's 1 cgroup for unpriviledged clients.
+ Needed as /proc/1/.. is inaccessible due to Smack privs */
+ WITH_UMASK(0022) {
+ r = write_string_file(XCACHE_CGROUP_ROOT, m->cgroup_root, WRITE_STRING_FILE_CREATE);
+ }
+ if (r >= 0)
+ mac_smack_apply(XCACHE_CGROUP_ROOT, SMACK_ATTR_ACCESS, "_");
+
e = endswith(m->cgroup_root, "/" SPECIAL_SYSTEM_SLICE);
if (!e)
e = endswith(m->cgroup_root, "/system"); /* even more legacy */
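Review bot: The cache write sits inside `if (!e && MANAGER_IS_SYSTEM(m))`, so as this hunk reads it only runs when the preceding suffix check (outside the hunk, presumably for the init scope) found no match. On a system where PID 1's cgroup does match, the file would never be created and unprivileged readers fall back to /proc/1/cgroup, which is the case the cache is meant to cover. The result of `write_string_file()` is dropped on failure and the return value of `mac_smack_apply()` is ignored, so a missing or wrongly labelled file leaves no trace in the log. Without `WRITE_STRING_FILE_ATOMIC`, a reader could also see an empty or partial file while it is being written. I would move the write ahead of the legacy branch, guard it with `MANAGER_IS_SYSTEM(m)` alone, write atomically and log both failures; the enclosing function starts and ends outside the hunk.

```c
/* Cache PID 1's cgroup for unprivileged clients: /proc/1/ may be
 * inaccessible to them under the Smack policy. */
if (MANAGER_IS_SYSTEM(m)) {
        WITH_UMASK(0022)
                r = write_string_file(XCACHE_CGROUP_ROOT, m->cgroup_root,
                                      WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
        if (r < 0)
                log_warning_errno(r, "Failed to write " XCACHE_CGROUP_ROOT ", ignoring: %m");
        else {
                r = mac_smack_apply(XCACHE_CGROUP_ROOT, SMACK_ATTR_ACCESS, "_");
                if (r < 0)
                        log_warning_errno(r, "Failed to label " XCACHE_CGROUP_ROOT ", ignoring: %m");
        }
}

if (!e && MANAGER_IS_SYSTEM(m)) {
        /* … unchanged: legacy system.slice / "system" suffix checks … */
```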