From: "Serge E. Hallyn"
Subject: Re: [PATCH 5/5] pid: use namespaced iteration on processes while managing priority
Date: Thu, 18 Dec 2008 12:13:17 -0600
Message-ID: <20081218181317.GA14409@us.ibm.com>
References: <1229618553-6348-1-git-send-email-gowrishankar.m@linux.vnet.ibm.com> <1229618553-6348-6-git-send-email-gowrishankar.m@linux.vnet.ibm.com>
To: "Eric W. Biederman"
Cc: Gowrishankar M, Containers, Dave, Sukadev, Balbir
List-Id: containers.vger.kernel.org

Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> Gowrishankar M writes:
>
> > From: Gowrishankar M
> >
> > At present we scan all processes in init namespace, while getting or setting
> > process priorities for a user. In case of PID namespace, it leads to leak
> > priority to processes in other namespace.
> >
> > Below patch proposes to use new macro controller to fix the boundary of
> > processes list in current namespace.
>
> Nacked-by: "Eric W. Biederman"
>
> This has nothing to do with pids. The command is to set the
> iopriority for a given user. This is a problem of the user namespace
> not the pid namespace.

The uid check needs to be fixed for user namespaces, agreed. I could go
either way though on whether we should also restrict to the same pidns.

(note to fix the userns part of this added to my userns queue - first I
want to finish with keys; then maybe this should be done before handling
capabilities)

So if you want to nack this, I'll go along with that, but I think it's
useful.

thanks,
-serge