From 6135d6239a40edb260dde80e5662d3e062dde0bd Mon Sep 17 00:00:00 2001

From: Nick Rosbrook <nick.rosbrook@canonical.com>

Date: Tue, 22 Nov 2022 10:33:55 -0500

Subject: [PATCH] oomd: always allow root-owned cgroups to set

 ManagedOOMPreference

Commit 652a4efb66a ("oomd: loosen the restriction on ManagedOOMPreference")

made the change to allow ManagedOOMPreference on a cgroup candidate when

the monitored cgroup and cgroup candidate are owned by the same user.

The commit assumed that this check was sufficient to continue allowing

ManagedOOMPreference on all cgroups owned by root. However, it caused a

regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is

owned by nobody (uid=65534).

Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in

oomd_fetch_cgroup_oom_preference().

(cherry picked from commit 89186093485b52ca957d17842fc1f7c87958454a)

Related: #2138081

---

 src/oom/oomd-util.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oom/oomd-util.c b/src/oom/oomd-util.c

index 1fc81d1843..70a1dc941e 100644

--- a/src/oom/oomd-util.c

+++ b/src/oom/oomd-util.c

@@ -164,7 +164,7 @@ int oomd_fetch_cgroup_oom_preference(OomdCGroupContext *ctx, const char *prefix)

         if (r < 0)

                 return log_debug_errno(r, "Failed to get owner/group from %s: %m", ctx->path);

-        if (uid == prefix_uid) {

+        if (uid == prefix_uid || uid == 0) {

                 /* Ignore most errors when reading the xattr since it is usually unset and cgroup xattrs are only used

                  * as an optional feature of systemd-oomd (and the system might not even support them). */

                 r = cg_get_xattr_bool(SYSTEMD_CGROUP_CONTROLLER, ctx->path, "user.oomd_avoid");