systemd/SOURCES/0068-oomd-always-allow-root...

From 6135d6239a40edb260dde80e5662d3e062dde0bd Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <nick.rosbrook@canonical.com>
Date: Tue, 22 Nov 2022 10:33:55 -0500
Subject: [PATCH] oomd: always allow root-owned cgroups to set
 ManagedOOMPreference

Commit 652a4efb66a ("oomd: loosen the restriction on ManagedOOMPreference")
made the change to allow ManagedOOMPreference on a cgroup candidate when
the monitored cgroup and cgroup candidate are owned by the same user.

The commit assumed that this check was sufficient to continue allowing
ManagedOOMPreference on all cgroups owned by root. However, it caused a
regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is
owned by nobody (uid=65534).

Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in
oomd_fetch_cgroup_oom_preference().

(cherry picked from commit 89186093485b52ca957d17842fc1f7c87958454a)

Related: #2138081
---
 src/oom/oomd-util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c
index 1fc81d1843..70a1dc941e 100644
--- a/src/oom/oomd-util.c
+++ b/src/oom/oomd-util.c
@@ -164,7 +164,7 @@ int oomd_fetch_cgroup_oom_preference(OomdCGroupContext *ctx, const char *prefix)
         if (r < 0)
                 return log_debug_errno(r, "Failed to get owner/group from %s: %m", ctx->path);
 
-        if (uid == prefix_uid) {
+        if (uid == prefix_uid || uid == 0) {
                 /* Ignore most errors when reading the xattr since it is usually unset and cgroup xattrs are only used
                  * as an optional feature of systemd-oomd (and the system might not even support them). */
                 r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, ctx->path, "user.oomd_avoid");
import systemd-252-13.el9_2 2 years ago			`From 6135d6239a40edb260dde80e5662d3e062dde0bd Mon Sep 17 00:00:00 2001`
			`From: Nick Rosbrook <nick.rosbrook@canonical.com>`
			`Date: Tue, 22 Nov 2022 10:33:55 -0500`
			`Subject: [PATCH] oomd: always allow root-owned cgroups to set`
			`ManagedOOMPreference`

			`Commit 652a4efb66a ("oomd: loosen the restriction on ManagedOOMPreference")`
			`made the change to allow ManagedOOMPreference on a cgroup candidate when`
			`the monitored cgroup and cgroup candidate are owned by the same user.`

			`The commit assumed that this check was sufficient to continue allowing`
			`ManagedOOMPreference on all cgroups owned by root. However, it caused a`
			`regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is`
			`owned by nobody (uid=65534).`

			`Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in`
			`oomd_fetch_cgroup_oom_preference().`

			`(cherry picked from commit 89186093485b52ca957d17842fc1f7c87958454a)`

			`Related: #2138081`
			`---`
			`src/oom/oomd-util.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c`
			`index 1fc81d1843..70a1dc941e 100644`
			`--- a/src/oom/oomd-util.c`
			`+++ b/src/oom/oomd-util.c`
			`@@ -164,7 +164,7 @@ int oomd_fetch_cgroup_oom_preference(OomdCGroupContext ctx, const char prefix)`
			`if (r < 0)`
			`return log_debug_errno(r, "Failed to get owner/group from %s: %m", ctx->path);`

			`- if (uid == prefix_uid) {`
			`+ if (uid == prefix_uid \|\| uid == 0) {`
			`/* Ignore most errors when reading the xattr since it is usually unset and cgroup xattrs are only used`
			`* as an optional feature of systemd-oomd (and the system might not even support them). */`
			`r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, ctx->path, "user.oomd_avoid");`