internal/runtime/cgroup: fix path on non-root mount point

We should trim the mount root (4th field in /proc/self/mountinfo) from
cgroup path read from /proc/self/cgroup before appending it to the mount
point.  Non-root mount points are very common in containers with cgroup
v1.

parseCPURelativePath is renamed to parseCPUCgroup, as it is unclear what
it is relative to. cgroups(7) says "This pathname is relative to the
mount point of the hierarchy." It should mean the root of the hierarchy,
and we cannot concat it to arbirary cgroup mount point. So just use the
word cgroup, since it parses /proc/self/cgroup.

It now returns errMalformedFile if the cgroup pathname does not start
with "/", and errPathTooLong if the pathname can't fit into the buffer.
We already rely on this when composing the path, just make this explicit
to avoid incorrect paths.

We now parse cgroup first then parse the mount point accordingly.  We
consider the previously read cgroup pathname and version to ensure we
got the desired mount point.  The out buffer is reused to pass in the
cgroup, to avoid extra memory allocation.

This should also resolve the race mentioned in the comments, so removing
those comments.  If our cgroup changed between the two read syscalls, we
will stick with the cgroup read from /proc/self/cgroup. This is the same
behavior as cgroup change after FindCPU() returns, so nothing special to
comment about now.

parseCPUMount now returns error when the combined path is too long, to
avoid panic or truncation if we got a really long path from mountinfo.

cgrouptest is changed to use dev returned from stat() to detect
filesystem boundary, since we don't return mount point and sub-path
separately now. This also avoid using os.Root since we don't handle
untrusted input here. os.Root is too complex, and the performance is
bad.

Fixes #76390

Change-Id: Ia9cbd7be3e58a2d51caf27a973fbd201dac06afc
Reviewed-on: https://go-review.googlesource.com/c/go/+/723241
Reviewed-by: Michael Pratt <mpratt@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>

Author: huww98

src/internal/cgrouptest/cgrouptest_linux.go

@@ -50,9 +50,8 @@ func (c *CgroupV2) SetCPUMax(quota, period int64) error {
 //
 // This must not be used in parallel tests, as it affects the entire process.
 func InCgroupV2(t *testing.T, fn func(*CgroupV2)) {
-	mount, rel := findCurrent(t)
-	parent := findOwnedParent(t, mount, rel)
-	orig := filepath.Join(mount, rel)
+	orig := findCurrent(t)
+	parent := findOwnedParent(t, orig)
 
 	// Make sure the parent allows children to control cpu.
 	b, err := os.ReadFile(filepath.Join(parent, "cgroup.subtree_control"))
@@ -93,34 +92,25 @@ func InCgroupV2(t *testing.T, fn func(*CgroupV2)) {
 	fn(c)
 }
 
-// Returns the mount and relative directory of the current cgroup the process
-// is in.
-func findCurrent(t *testing.T) (string, string) {
+// Returns the filesystem path to the current cgroup the process is in.
+func findCurrent(t *testing.T) string {
 	// Find the path to our current CPU cgroup. Currently this package is
 	// only used for CPU cgroup testing, so the distinction of different
 	// controllers doesn't matter.
 	var scratch [cgroup.ParseSize]byte
 	buf := make([]byte, cgroup.PathSize)
-	n, err := cgroup.FindCPUMountPoint(buf, scratch[:])
+	n, ver, err := cgroup.FindCPU(buf, scratch[:])
 	if err != nil {
 		t.Skipf("cgroup: unable to find current cgroup mount: %v", err)
 	}
-	mount := string(buf[:n])
-
-	n, ver, err := cgroup.FindCPURelativePath(buf, scratch[:])
-	if err != nil {
-		t.Skipf("cgroup: unable to find current cgroup path: %v", err)
-	}
 	if ver != cgroup.V2 {
 		t.Skipf("cgroup: running on cgroup v%d want v2", ver)
 	}
-	rel := string(buf[1:n])       // The returned path always starts with /, skip it.
-	rel = filepath.Join(".", rel) // Make sure this isn't empty string at root.
-	return mount, rel
+	return string(buf[:n])
 }
 
 // Returns a parent directory in which we can create our own cgroup subdirectory.
-func findOwnedParent(t *testing.T, mount, rel string) string {
+func findOwnedParent(t *testing.T, orig string) string {
 	// There are many ways cgroups may be set up on a system. We don't try
 	// to cover all of them, just common ones.
 	//
@@ -142,7 +132,7 @@ func findOwnedParent(t *testing.T, mount, rel string) string {
 
 	// We want to create our own subdirectory that we can migrate into and
 	// then manipulate at will. It is tempting to create a new subdirectory
-	// inside the current cgroup we are already in, however that will likey
+	// inside the current cgroup we are already in, however that will likely
 	// not work. cgroup v2 only allows processes to be in leaf cgroups. Our
 	// current cgroup likely contains multiple processes (at least this one
 	// and the cmd/go test runner). If we make a subdirectory and try to
@@ -166,35 +156,37 @@ func findOwnedParent(t *testing.T, mount, rel string) string {
 	// is empty. As far as I tell, the only purpose of this is to allow
 	// reorganizing processes into a new set of subdirectories and then
 	// adding controllers once done.
-	root, err := os.OpenRoot(mount)
+	var stat syscall.Stat_t
+	err := syscall.Stat(orig, &stat)
 	if err != nil {
-		t.Fatalf("error opening cgroup mount root: %v", err)
+		t.Fatalf("error stating orig cgroup: %v", err)
 	}
 
 	uid := os.Getuid()
 	var prev string
-	for rel != "." {
-		fi, err := root.Stat(rel)
+	cur := filepath.Dir(orig)
+	for cur != "/" {
+		var curStat syscall.Stat_t
+		err = syscall.Stat(cur, &curStat)
 		if err != nil {
 			t.Fatalf("error stating cgroup path: %v", err)
 		}
 
-		st := fi.Sys().(*syscall.Stat_t)
-		if int(st.Uid) != uid {
-			// Stop at first directory we don't own.
+		if int(curStat.Uid) != uid || curStat.Dev != stat.Dev {
+			// Stop at first directory we don't own or filesystem boundary.
 			break
 		}
 
-		prev = rel
-		rel = filepath.Join(rel, "..")
+		prev = cur
+		cur = filepath.Dir(cur)
 	}
 
 	if prev == "" {
 		t.Skipf("No parent cgroup owned by UID %d", uid)
 	}
 
 	// We actually want the last directory where we were the owner.
-	return filepath.Join(mount, prev)
+	return prev
 }
 
 // Migrate the current process to the cgroup directory dst.