From 85614eaa784d5935a777573797a1987bb4f095ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emir=20Buljuba=C5=A1i=C4=87?=
Date: Tue, 8 Apr 2025 20:14:14 +0200
Subject: [PATCH] Add --enable-nsdelegate flag to mount cgroups2 with nsdelegate option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Emir Buljubašić
---
 src/bindings.h | 12 ++++++++----
 src/cgroups/cgfsng.c | 10 +++++++++-
 src/lxcfs.c | 5 +++++
 3 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/src/bindings.h b/src/bindings.h
index 45b92c30..0fa07c80 100644
--- a/src/bindings.h
+++ b/src/bindings.h
@@ -120,6 +120,7 @@ struct lxcfs_opts {
 bool swap_off;
 bool use_pidfd;
 bool use_cfs;
+ bool use_nsdelegate;
 /*
 * Ideally we'd version by size but because of backwards compatability
 * and the use of bool instead of explicited __u32 and __u64 we can't.
@@ -130,10 +131,11 @@ struct lxcfs_opts {
 };
 typedef enum lxcfs_opt_t {
- LXCFS_SWAP_ON = 0,
- LXCFS_PIDFD_ON = 1,
- LXCFS_CFS_ON = 2,
- LXCFS_OPTS_MAX = LXCFS_CFS_ON,
+ LXCFS_SWAP_ON = 0,
+ LXCFS_PIDFD_ON = 1,
+ LXCFS_CFS_ON = 2,
+ LXCFS_NSDELEGATE_ON = 3,
+ LXCFS_OPTS_MAX = LXCFS_NSDELEGATE_ON,
 } lxcfs_opt_t;
@@ -164,6 +166,8 @@ static inline bool lxcfs_has_opt(struct lxcfs_opts *opts, lxcfs_opt_t opt)
 return opts->use_pidfd;
 case LXCFS_CFS_ON:
 return opts->use_cfs;
+ case LXCFS_NSDELEGATE_ON:
+ return opts->use_nsdelegate;
 }
 return false;
diff --git a/src/cgroups/cgfsng.c b/src/cgroups/cgfsng.c
index f03f9280..dc5eb2a7 100644
--- a/src/cgroups/cgfsng.c
+++ b/src/cgroups/cgfsng.c
@@ -30,6 +30,7 @@
 #include
 #include
+#include "../bindings.h"
 #include "../macro.h"
 #include "../memory_utils.h"
 #include "../utils.h"
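Review bot: `use_nsdelegate` is added to `struct lxcfs_opts` in src/bindings.h without any change to the struct's `version`, and the new `case LXCFS_NSDELEGATE_ON` in `lxcfs_has_opt()` returns the field without consulting it; the main() hunk in src/lxcfs.c still sets `opts->version = 2`. The comment inside the struct says the layout is versioned by that field rather than by size, so if the library can be loaded by a binary built before this change (not visible here, but it is what the comment implies), the new byte would be read from storage the caller never initialised. Consider bumping the version where the field is set and gating the read, e.g. `return opts->version >= 3 && opts->use_nsdelegate;`, with a comment on the field naming the version that introduced it. The struct and `lxcfs_has_opt()` both continue outside the hunks.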
@@ -401,6 +402,12 @@ static int __cg_mount_direct(struct hierarchy *h, const char *controllerpath)
 {
 __do_free char *controllers = NULL;
 char *fstype = "cgroup2";
+ const char *mount_opts = NULL;
+
+ const bool use_nsdelegate = lxcfs_has_opt(fuse_get_context()->private_data, LXCFS_NSDELEGATE_ON);
+ if (use_nsdelegate) {
+ mount_opts = "nsdelegate";
+ }
 unsigned long flags = 0;
 int ret;
@@ -414,9 +421,10 @@ static int __cg_mount_direct(struct hierarchy *h, const char *controllerpath)
 if (!controllers)
 return -ENOMEM;
 fstype = "cgroup";
+ mount_opts = controllers;
 }
- ret = mount("cgroup", controllerpath, fstype, flags, controllers);
+ ret = mount("cgroup", controllerpath, fstype, flags, mount_opts);
 if (ret < 0)
 return -1;
diff --git a/src/lxcfs.c b/src/lxcfs.c
index 7d5076d3..b789e5b7 100644
--- a/src/lxcfs.c
+++ b/src/lxcfs.c
@@ -1243,6 +1243,7 @@ static void usage(void)
 lxcfs_info(" --enable-cfs Enable CPU virtualization via CPU shares");
 lxcfs_info(" --enable-pidfd Use pidfd for process tracking");
 lxcfs_info(" --enable-cgroup Enable cgroup emulation code");
+ lxcfs_info(" --enable-nsdelegate Enable cgroup nsdelegate mount option");
 lxcfs_info(" --runtime-dir=DIR Path to use as the runtime directory.");
 lxcfs_info(" Default is %s", DEFAULT_RUNTIME_PATH);
 exit(EXIT_FAILURE);
@@ -1294,6 +1295,7 @@ static const struct option long_options[] = {
 {"enable-cfs", no_argument, 0, 0 },
 {"enable-pidfd", no_argument, 0, 0 },
 {"enable-cgroup", no_argument, 0, 0 },
+ {"enable-nsdelegate", no_argument, 0, 0 },
 {"pidfile", required_argument, 0, 'p' },
 {"runtime-dir", required_argument, 0, 0 },
@@ -1367,6 +1369,7 @@ int main(int argc, char *argv[])
 opts->swap_off = false;
 opts->use_pidfd = false;
 opts->use_cfs = false;
+ opts->use_nsdelegate = false;
 opts->version = 2;
 while ((c = getopt_long(argc, argv, "dulfhvso:p:", long_options, &idx)) != -1) {
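Review bot: `fuse_get_context()->private_data` in the first `__cg_mount_direct()` hunk dereferences the context pointer unchecked, and that context is only meaningful while a FUSE operation is being serviced; whether every caller of this mount helper runs inside one is not visible in the hunk, so it should be confirmed or guarded. A guarded form keeps the default of passing no option: `struct fuse_context *fc = fuse_get_context();` followed by `if (fc && lxcfs_has_opt(fc->private_data, LXCFS_NSDELEGATE_ON)) mount_opts = "nsdelegate";`. The new statements also sit ahead of the `flags` and `ret` declarations and split the declaration block; moving them below `int ret;` keeps it together. The function body continues outside the hunk.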
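Review bot: The help line added in `usage()` does not say that `--enable-nsdelegate` applies only to the cgroup2 mount; in `__cg_mount_direct()` the option string is replaced by the controller list once `fstype` becomes `"cgroup"`, so on a v1 hierarchy the flag is accepted and silently has no effect. Suggested wording: `lxcfs_info("  --enable-nsdelegate  Mount cgroup2 with the nsdelegate option (no effect on cgroup v1)");`. The kernel documents nsdelegate as a system-wide cgroup2 setting that makes cgroup namespaces delegation boundaries, so the flag's documentation should also state that the operator is changing host-wide behaviour rather than something private to the lxcfs mount.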
@@ -1378,6 +1381,8 @@ int main(int argc, char *argv[])
 opts->use_cfs = true;
 else if (strcmp(long_options[idx].name, "enable-cgroup") == 0)
 cgroup_is_enabled = true;
+ else if (strcmp(long_options[idx].name, "enable-nsdelegate") == 0)
+ opts->use_nsdelegate = true;
 else if (strcmp(long_options[idx].name, "runtime-dir") == 0)
 runtime_path_arg = optarg;
 else