cgroup: fix delegation on the unified hierarchy

Make sure to add the delegation mask to the mask of controllers we have
to enable on our own unit. Do not claim it was a members mask, as such
a logic would mean we'd collide with cgroupv2's "no processes on inner
nodes policy".

This change does the right thing: it means any controller enabled
through Controllers= will be made available to subcrgoups of our unit,
but the unit itself has to still enable it through
cgroup.subtree_control (which it can since that file is delegated too)
to be inherited further down.

Or to say this differently: we only should manipulate
cgroup.subtree_control ourselves for inner nodes (i.e. slices), and
for leaves we need to provide a way to enable controllers in the slices
above, but stay away from the cgroup's own cgroup.subtree_control —
which is what this patch ensures.

Fixes: #7355

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 413f180021d7ef60571f90a48c53df6daf06f75c..7e61b5ad22e65ae1b1045725138d53ad2a7cea49 100644 (file)
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1074,7 +1074,7 @@ CGroupMask unit_get_own_mask(Unit *u) {
         if (!c)
                 return 0;
 
-        return cgroup_context_get_mask(c);
+        return cgroup_context_get_mask(c) | unit_get_delegate_mask(u);
 }
 
 CGroupMask unit_get_delegate_mask(Unit *u) {
@@ -1114,7 +1114,7 @@ CGroupMask unit_get_members_mask(Unit *u) {
         if (u->cgroup_members_mask_valid)
                 return u->cgroup_members_mask;
 
-        u->cgroup_members_mask = unit_get_delegate_mask(u);
+        u->cgroup_members_mask = 0;
 
         if (u->type == UNIT_SLICE) {
                 void *v;
@@ -1147,7 +1147,7 @@ CGroupMask unit_get_siblings_mask(Unit *u) {
         if (UNIT_ISSET(u->slice))
                 return unit_get_members_mask(UNIT_DEREF(u->slice));
 
-        return unit_get_subtree_mask(u);
+        return unit_get_subtree_mask(u); /* we are the top-level slice */
 }
 
 CGroupMask unit_get_subtree_mask(Unit *u) {