From 6c04d10a514cc3a62b9153faad3e84e2a4a64a0e Mon Sep 17 00:00:00 2001
From: Ace-Tang
Date: Wed, 12 Dec 2018 13:14:17 +0800
Subject: [PATCH] bugfix: container can not write cgroup with privileged clear ro in mount option when container get privileged, make cgroup writable, add test for it.
Signed-off-by: Ace-Tang
---
 daemon/mgr/spec_mount.go | 13 ++++++++-----
 test/cli_run_with_privileged_test.go | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/daemon/mgr/spec_mount.go b/daemon/mgr/spec_mount.go
index 5e4876aa1..5b404ce36 100644
--- a/daemon/mgr/spec_mount.go
+++ b/daemon/mgr/spec_mount.go
@@ -129,12 +129,15 @@ func setupMounts(ctx context.Context, c *Container, s *specs.Spec) error {
 s.Mounts = sortMounts(mounts)
 if c.HostConfig.Privileged {
- if !s.Root.Readonly {
+ for i := range s.Mounts {
 // Clear readonly for /sys.
- for i := range s.Mounts {
- if s.Mounts[i].Destination == "/sys" {
- clearReadonly(&s.Mounts[i])
- }
+ if s.Mounts[i].Destination == "/sys" && !s.Root.Readonly {
+ clearReadonly(&s.Mounts[i])
+ }
+
+ // Clear readonly for cgroup
+ if s.Mounts[i].Type == "cgroup" {
+ clearReadonly(&s.Mounts[i])
 }
 }
 }
diff --git a/test/cli_run_with_privileged_test.go b/test/cli_run_with_privileged_test.go
index 7de0c0ff0..76f9253df 100644
--- a/test/cli_run_with_privileged_test.go
+++ b/test/cli_run_with_privileged_test.go
@@ -5,6 +5,7 @@ import (
 "github.com/alibaba/pouch/test/command"
 "github.com/alibaba/pouch/test/environment"
+ "github.com/alibaba/pouch/test/util"
 "github.com/go-check/check"
 "github.com/gotestyourself/gotestyourself/icmd"
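Review bot: The two branches in the new loop are gated differently — /sys is made writable only when `!s.Root.Readonly`, while the cgroup mount is made writable for every privileged container even with a read-only rootfs — and neither comment says why, so the asymmetry reads as accidental rather than intended. `!s.Root.Readonly` is loop-invariant, so either keep it as an outer condition as the removed code did, or state the intent where the decision is made, e.g. replace `// Clear readonly for cgroup` with `// Clear readonly for cgroup: a privileged container may reconfigure its cgroup hierarchy even when its rootfs is read-only.` Because this hands the container write access to the mounted cgroup hierarchy (presumably the host's), the comment should also make explicit that it is acceptable only because --privileged already implies that level of host access, so a later reader does not loosen the gate further. The period/no-period mismatch between the two comments is a minor style nit. setupMounts begins before and ends after this hunk.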
@@ -86,3 +87,21 @@ func (suite *PouchRunPrivilegedSuite) TestRunCheckSysWritableWithAndWithoutPrivi
 c.Errorf("expected %s, but got %s", expected, out)
 }
 }
+
+ // TestCgroupWritableWithAndWithoutPrivileged tests cgroup can be writable with privileged,
+ // can not be writable without privileged
+ func (suite *PouchRunPrivilegedSuite) TestCgroupWritableWithAndWithoutPrivileged(c *check.C) {
+ name := "TestRunCheckCgroupWritable"
+ command.PouchRun("run", "--name", name, "--privileged", busyboxImage, "sh", "-c", "mkdir /sys/fs/cgroup/cpu/test").Assert(c, icmd.Success)
+ defer DelContainerForceMultyTime(c, name)
+
+ name1 := "TestRunCheckCgroupCannotWritable"
+ res := command.PouchRun("run", "--name", name1, busyboxImage, "sh", "-c", "mkdir /sys/fs/cgroup/cpu/test")
+ defer DelContainerForceMultyTime(c, name1)
+
+ if res.ExitCode == 0 {
+ c.Errorf("non-privileged container executes mkdir /sys/fs/cgroup/cpu/test should failed, but succeeded: %v", res.Combined())
+ }
+
+ c.Assert(util.PartialEqual(res.Combined(), "Read-only file system"), check.IsNil)
+}
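Review bot: The privileged run creates /sys/fs/cgroup/cpu/test on the writable cgroup hierarchy and nothing removes it, so a second run of this test on the same host fails at mkdir with "File exists" instead of demonstrating writability; have the command clean up after itself, e.g. `"sh", "-c", "mkdir /sys/fs/cgroup/cpu/test && rmdir /sys/fs/cgroup/cpu/test"`. In the same function, `defer DelContainerForceMultyTime(c, name)` is registered only after `.Assert(c, icmd.Success)`, so a failing assertion aborts the test before the cleanup is deferred and leaves the privileged container behind; capture the result first and register the defer before asserting, as the non-privileged case below already does. The doc comment would also benefit from saying that the negative case relies on the cgroup mount being read-only for non-privileged containers, since the "Read-only file system" substring check is what encodes that expectation.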