Linux Cgroup writing to control files, working for CPU but not Device subsystem?

Question

I'm trying to setup Cgroups for a non-root user glassfish.

System setup:

• CentOS 7.2.1511
• Kernel 3.10.0-327.el7.x86_64
• Cgroup mounted at /sys/fs/cgroup

It should be possible to create a Cgroup for non-root user by issuing these commands:

1. For CPU subsystem:

   $ sudo mkdir /sys/fs/cgroup/cpu/${USER}
   $ sudo chown -R ${USER} /sys/fs/cgroup/cpu/${USER}
   

2. For Devices subsystem:

   $ sudo mkdir /sys/fs/cgroup/devices/${USER}
   $ sudo chown -R ${USER} /sys/fs/cgroup/devices/${USER}
   

This works for the CPU subsystem. Since I am able to write to control files as glassfish, such as cpu.cfs_period_us like below

    echo 43434 > cpu.cfs_period_us

But writing to the Devices subsystem such as

    echo 'a *:* rwm' > devices.deny

Results in the following error

    bash: echo: write error: Operation not permitted

CPU subsystem permissions

Device subsystem permissions

Any help would be deeply appreciated, I've been stuck with this for so long and it just doesn't make sense to me.

Answer 1

I had the same issue.

Repro steps: I change the owner and group of all of the subsystems (cpu, cpuset, memory, freeze, devices, etc). Then I try to write to cgroup.procs of the devices cgroup and I get an "Operation not permitted". The same command works fine on every other subsystem.

for i in cpuset nls_cls,net_prio perf_event devices pids cpu,cpuacct memory hugetlb blkio freezer systemd; do 
  mkdir -p /sys/fs/cgroup/$i/mygroup;
  mkdir -p /sys/fs/cgroup/$i/mygroup/subgroup;
  chown -R myuser:myuser /sys/fs/cgroup/$i/mygroup;
done

[~]$ echo 1943 > /sys/fs/cgroup/devices/mygroup/subgroup/cgroup.procs
-bash: echo: write error: Operation not permitted

The file (/sys/fs/cgroup/devices/mygroup/subgroup/cgroup.procs) has permissions 644, selinux is disabled, and lsattr shows "Inappropriate ioctl for device while reading flags" (which is normal). I tried changing the permissions of the file to 666 but got the same error. The error is, in any case, not "permission denied" but "Operation not permitted."

The command works fine when run as sudo but the whole point is to delegate the mygroup to a non-sudo user.

[Solution] The process which is writing to the cgroup.procs in the devices system must have SYS_CAP_ADMIN. The documentation is very confusing but you can see it in the second paragraph here: https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v1/devices.html#security

"CAP_SYS_ADMIN is needed to modify the whitelist or move another task to a new cgroup. (Again we’ll probably want to change that)."

This line doesn't show up in any of the other subsystems documentation so it is apparently limited to the devices subtree. I modified my actual code (not the bash script described above) to have the correct permission using sudo setcap cap_sys_admin=+ep <my_bin> and then it started working correctly.