From: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org,
Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Mon, 2 May 2016 19:32:24 +1000
Message-ID: <57271EA8.5080104@suse.de>
In-Reply-To: <1462110065-4904-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
> + * 3. cgroup core doesn't allow tasks to be migrated by users that have
> + * write access to two subtrees unless they also have write access to
> + * the common ancestor of the two subtrees. Thus you cannot use a
> + * complicit process in less restrictive cgroup to overcome your own
> + * cgroup restriction.
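Review bot: point 3 states the common-ancestor requirement as an unconditional guarantee of cgroup core, but the reply below reports it is not applied on cgroupv1; either scope the comment to the hierarchies where the check is actually enforced or land the enforcement change before adding this documentation. Minor wording: "complicit process in less restrictive cgroup" should read "complicit process in a less restrictive cgroup".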
It appears this restriction isn't actually being applied on cgroupv1.
I'll send an updated patch which makes sure the cgroup.proc common
ancestor restriction is enforced for all hierarchies.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
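The migration rule quoted above (write access to both subtrees and to their common ancestor) as a small userspace model, added here as an illustration; it is not code from the patch or the kernel. The cgroup paths and the writable set in the demo are constructed, and `real_can_write` is an assumed helper that simply probes the live `cgroup.procs` files with `os.access`, which is useful given the reply's note that the kernel did not enforce the rule on cgroupv1 at the time.

```python
"""Model of the cgroup "common ancestor" task-migration rule.

Added illustration, not code from the patch or the kernel. The rule is
modelled as a pure function over cgroup paths plus a caller-supplied
predicate saying which cgroups' cgroup.procs the user can write.
"""
import os
from typing import Callable, Iterable


def common_ancestor(a: str, b: str) -> str:
    """Deepest cgroup that contains both a and b (path-component prefix)."""
    pa = [c for c in os.path.normpath(a).split("/") if c]
    pb = [c for c in os.path.normpath(b).split("/") if c]
    common = []
    for x, y in zip(pa, pb):
        if x != y:
            break
        common.append(x)
    return "/" + "/".join(common)


def migration_allowed(src: str, dst: str,
                      can_write: Callable[[str], bool]) -> bool:
    """True iff a task may be moved from src to dst under the rule:
    the caller must be able to write src, dst and their common ancestor.
    Requiring the ancestor is what stops a complicit process in a less
    restrictive cgroup from pulling you out of your own subtree."""
    return (can_write(src) and can_write(dst)
            and can_write(common_ancestor(src, dst)))


def writable_set(paths: Iterable[str]) -> Callable[[str], bool]:
    """can_write predicate backed by a constructed set of writable cgroups."""
    allowed = {os.path.normpath(p) for p in paths}
    return lambda p: os.path.normpath(p) in allowed


def real_can_write(cgroup_root: str = "/sys/fs/cgroup") -> Callable[[str], bool]:
    """Assumed helper: can_write predicate backed by os.access() on the
    live cgroup.procs files below cgroup_root (unified hierarchy layout)."""
    return lambda p: os.access(
        os.path.join(cgroup_root, p.lstrip("/"), "cgroup.procs"), os.W_OK)


if __name__ == "__main__":
    # Constructed case: alice owns two sibling cgroups but not their parent.
    only_leaves = writable_set(["/user/alice/a", "/user/alice/b"])
    print(migration_allowed("/user/alice/a", "/user/alice/b", only_leaves))
```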