Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
	"Eric W. Biederman"
	<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
	Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?
Date: Tue, 6 Nov 2012 12:25:15 -0600	[thread overview]
Message-ID: <20121106182515.GA32263@sergelap> (raw)
In-Reply-To: <20121106181623.GO30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>

Quoting Tejun Heo (tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> Hello, Serge.
> 
> On Tue, Nov 06, 2012 at 12:12:14PM -0600, Serge Hallyn wrote:
> > Quoting Tejun Heo (tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org):
> > > On Tue, Nov 06, 2012 at 11:31:04AM -0600, Serge Hallyn wrote:
> > > > We can't generally require a capability to move tasks between cgroups,
> > > > as that will break currently intended uses.  I can create two cgroups,
> > > > chown them to serge, and let serge move between them.
> > > 
> > > Sure, then just live with the cgroupfs based permission check.  What
> > > next?  Should we add CAP_SYS_RESOURCE check to all resource related
> > 
> > That would be the next step, yes.
> 
> Hmmm... I don't know.  What does that buy us?  Fine grained CAP_* is
> to be able to give away privliedges in smaller pieces, right?  If
> we're gonna be requiring root to modify cgroup, what difference does
> it make to have finer grained CAPs specified?
> 
> > > controllers?  Moreover, We're headed to unified hierarchy, so in the
> > > end that means only the user with almost all CAP_* can manipulate
> > > cgroups at all making the whole thing meaningless.
> > 
> > Why meaningless?  Many caps needed to "do everything", but moving
> > a task into the freezer and freezing it, or reducing its allowed
> > memory, would only requiring uid equiv or some limited bit of
> > privilege.
> 
> All controllers will be co-mounted and you'll need all CAPs needed by

Oh.  I thought each controller could only be mounted once, but not
that all must be co-mounted.

Jinkeys.

> all controllers to move tasks between cgroups and there won't be an
> easy way to tell which CAP is missing.  Doesn't sound too useful to
> me.
> 
> > > I don't think applying fine-grained CAP_* to cgroup controllers makes
> > > sense or would be useful in any real sense.  We can introduce, say,
> > > CAP_CGROUP to control access cgroupfs but I think we already have
> > > enough access control to cgroupfs, don't we?
> > 
> > That's the question :)
> > 
> > I feel like we need a list of the various uses people have in mind,
> > so we can figure out which ones are supportable...  but I know there
> > is the whole long thread I've not had time to keep up with, and
> > many answers are probably there.
> 
> Care to give a pointer?

I mean the recent thread you started on cgroup cleanups :)

-serge

next prev parent reply	other threads:[~2012-11-06 18:25 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-11-06  2:38 Why does devices cgroup check for CAP_SYS_ADMIN explicitly? Tejun Heo
     [not found] ` <20121106023845.GI19354-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 11:58   ` Eric W. Biederman
     [not found]     ` <877gpzrlir.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-06 14:48       ` Tejun Heo
2012-11-06 14:48       ` Tejun Heo
2012-11-06 15:01       ` Serge Hallyn
2012-11-06 15:01       ` Serge Hallyn
2012-11-06 15:06         ` Tejun Heo
     [not found]           ` <20121106150639.GB30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 15:30             ` Serge Hallyn
2012-11-06 15:41               ` Tejun Heo
     [not found]                 ` <20121106154105.GD30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 16:12                   ` Aristeu Rozanski
2012-11-06 16:12                   ` Aristeu Rozanski
2012-11-06 15:41               ` Tejun Heo
2012-11-06 15:30             ` Serge Hallyn
2012-11-06 15:34             ` Eric W. Biederman
2012-11-06 15:34             ` Eric W. Biederman
     [not found]               ` <871ug6rbio.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-06 15:43                 ` Tejun Heo
     [not found]                   ` <20121106154320.GE30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 16:10                     ` Eric W. Biederman
     [not found]                       ` <87sj8mogpp.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-06 16:52                         ` Tejun Heo
     [not found]                           ` <20121106165246.GF30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 17:31                             ` Serge Hallyn
2012-11-06 17:38                               ` Tejun Heo
2012-11-06 17:38                               ` Tejun Heo
     [not found]                                 ` <20121106173823.GK30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 17:41                                   ` Tejun Heo
     [not found]                                     ` <20121106174130.GL30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 18:02                                       ` Serge Hallyn
2012-11-06 18:08                                         ` Tejun Heo
2012-11-06 18:08                                         ` Tejun Heo
2012-11-06 18:02                                       ` Serge Hallyn
2012-11-06 18:12                                   ` Serge Hallyn
2012-11-06 18:16                                     ` Tejun Heo
     [not found]                                       ` <20121106181623.GO30069-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-11-06 18:25                                         ` Serge Hallyn [this message]
2012-11-06 18:16                                     ` Tejun Heo
2012-11-06 18:12                                   ` Serge Hallyn
2012-11-06 17:31                             ` Serge Hallyn
2012-11-06 16:10                     ` Eric W. Biederman
2012-11-06 15:45                 ` Serge Hallyn
2012-11-06 15:45                 ` Serge Hallyn
2012-11-06 15:06         ` Tejun Heo
  -- strict thread matches above, loose matches on Subject: below --
2012-11-06  2:38 Tejun Heo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20121106182515.GA32263@sergelap \
    --to=serge.hallyn-z7wlfzj8ewms+fvcfc7uqw@public.gmane.org \
    --cc=aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
    --cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.