From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Christian Brauner <christian.brauner@ubuntu.com>

Date: Sat, 4 Apr 2020 12:07:43 +0200

Subject: [PATCH lxc] api-extensions: add and document

 cgroup_advanced_isolation

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

---

 doc/api-extensions.md    | 4 ++++

 src/lxc/api_extensions.h | 1 +

 2 files changed, 5 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md

index cdf82f937..6f9e1621d 100644

--- a/doc/api-extensions.md

+++ b/doc/api-extensions.md

@@ -136,6 +136,10 @@ Retrieve the seccomp notifier fd from a running container.

 Whether the seccomp notify proxy sends a long a notify fd file descriptor.

+## cgroup\_advanced\_isolation

+

+Privileged containers will usually be able to override the cgroup limits given to them. This introduces three new configuration keys `lxc.cgroup.dir.monitor`, `lxc.cgroup.dir.container`, and `lxc.cgroup.dir.container.inner`. The `lxc.cgroup.dir.monitor` and `lxc.cgroup.dir.container` keys can be used to set to place the `monitor` and the `container` into different cgroups. The `lxc.cgroup.dir.container.inner` key can be set to a cgroup that is concatenated with `lxc.cgroup.dir.container`. When `lxc.cgroup.dir.container.inner` is set the container will be placed into the `lxc.cgroup.dir.container.inner` cgroup but the limits will be set in the `lxc.cgroup.dir.container` cgroup. This way privileged containers cannot escape their cgroup limits.

+

 ## idmapped\_mounts

 Whether this LXC instance can handle idmapped mounts for the rootfs.

diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h

index c2509207d..ae71ff18e 100644

--- a/src/lxc/api_extensions.h

+++ b/src/lxc/api_extensions.h

@@ -41,6 +41,7 @@ static char *api_extensions[] = {

 	"devpts_fd",

 	"seccomp_notify_fd_active",

 	"seccomp_proxy_send_notify_fd",

+	"cgroup_advanced_isolation",

 	"idmapped_mounts",

 	"idmapped_mounts_v2",

 	"core_scheduling",