From 61b0ce4f42d48c7e10feaa59d62abed007d61560 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 20 Jan 2021 16:06:36 +0100
Subject: [PATCH] cgroup: fix regression when setting limits when running in a user namespace, make sure to honor the cgroup limits. fix a regression caused by 3e2b3f224561e1845a95183d7f34247e965ccb8c
Signed-off-by: Giuseppe Scrivano
---
 src/libcrun/cgroup.c | 6 +++++-
 tests/test_resources.py | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/libcrun/cgroup.c b/src/libcrun/cgroup.c
index 227f24b7e1..2a84f7c28c 100644
--- a/src/libcrun/cgroup.c
+++ b/src/libcrun/cgroup.c
@@ -1620,7 +1620,11 @@ libcrun_cgroup_enter (struct libcrun_cgroup_args *args, libcrun_error_t *err)
 if (LIKELY (ret >= 0))
 {
 if (cgroup_mode == CGROUP_MODE_UNIFIED && (root_uid != (uid_t) -1 || root_gid != (gid_t) -1))
- return chown_cgroups (*path, root_uid, root_gid, err);
+ {
+ ret = chown_cgroups (*path, root_uid, root_gid, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }

 if (args->resources)
 return libcrun_update_cgroup_resources (args->cgroup_mode, args->resources, *path, err);
diff --git a/tests/test_resources.py b/tests/test_resources.py
index 201b6f7085..de89ddb5a4 100755
--- a/tests/test_resources.py
+++ b/tests/test_resources.py
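Review bot: In libcrun_cgroup_enter (src/libcrun/cgroup.c) the new block carries no comment saying why a successful chown_cgroups must fall through, which is the invariant that regressed: returning at that point skipped libcrun_update_cgroup_resources, so a container with a user namespace on the unified hierarchy started without its configured limits. I would add `/* Do not return on success: the resource limits below must still be applied. */` above `ret = chown_cgroups (*path, root_uid, root_gid, err);`. Because the limits are now written after the cgroup has been chowned to the container's root, it is also worth confirming that chown_cgroups, whose body is not visible here, hands over only the files needed for delegation and not limit files such as pids.max. The function's body starts and ends outside the hunk.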
@@ -46,6 +46,43 @@ def test_resources_pid_limit():
 return -1
 return 0

+def test_resources_pid_limit_userns():
+ if os.getuid() != 0:
+ return 77
+
+ conf = base_config()
+ conf['linux']['resources'] = {"pids" : {"limit" : 1024}}
+ add_all_namespaces(conf)
+
+ mappings = [
+ {
+ "containerID": 0,
+ "hostID": 1,
+ "size": 1,
+ },
+ {
+ "containerID": 1,
+ "hostID": 0,
+ "size": 1,
+ }
+ ]
+
+ conf['linux']['namespaces'].append({"type" : "user"})
+ conf['linux']['uidMappings'] = mappings
+ conf['linux']['gidMappings'] = mappings
+
+ fn = "/sys/fs/cgroup/pids/pids.max"
+ if not os.path.exists("/sys/fs/cgroup/pids"):
+ fn = "/sys/fs/cgroup/pids.max"
+ conf['linux']['namespaces'].append({"type" : "cgroup"})
+
+ conf['process']['args'] = ['/init', 'cat', fn]
+
+ out, _ = run_and_get_output(conf)
+ if "1024" not in out:
+ return -1
+ return 0
+
 def test_resources_unified_invalid_controller():
 if not is_cgroup_v2_unified() or os.geteuid() != 0:
 return 77
@@ -125,6 +162,7 @@ def test_resources_unified():

 all_tests = {
 "resources-pid-limit" : test_resources_pid_limit,
+ "resources-pid-limit-userns" : test_resources_pid_limit_userns,
 "resources-unified" : test_resources_unified,
 "resources-unified-invalid-controller" : test_resources_unified_invalid_controller,
 "resources-unified-invalid-key" : test_resources_unified_invalid_key,
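Review bot: The assertion `if "1024" not in out:` in test_resources_pid_limit_userns is a substring match, so it also passes on a value such as 10240 or on an error message that happens to contain 1024; assuming run_and_get_output returns only what `cat` printed, `if out.strip() != "1024":` pins the limit exactly. The privilege guard uses `os.getuid()` while test_resources_unified_invalid_controller just below uses `os.geteuid()`; the effective uid is what decides whether the cgroup can be set up, so `if os.geteuid() != 0:` would be consistent. The test shows that the limit is visible inside the user namespace but not that the remapped root is unable to change it, so a companion case that attempts a write to the same file from inside the container and expects it to fail would cover the delegation side of this fix.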