From: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
To: James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org,
Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Tue, 3 May 2016 11:59:25 +1000 [thread overview]
Message-ID: <572805FD.9080202@suse.de> (raw)
In-Reply-To: <1462226406.3036.17.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
>> Change the mode of the cgroup directory for each cgroup association,
>> allowing the process to create subtrees and modify the limits of the
>> subtrees *without* allowing the process to modify its own limits. Due
>> to the cgroup core restrictions and unix permission model, this
>> allows for processes to create new subtrees without breaking the
>> cgroup limits for the process.
>
> Actually, that's not really what this patch does. If you unshare
> without having created any cgroups, it sets the other permission of the
> entire top level hierarchy to o+rwx:
While that is odd, it makes sense (because that's the "current cgroup"
you are in). But I agree with your point that this patch is less than ideal.
> ironically, this now makes the root group a permission denier (at least
> for my distribution), because if I were in the root group (and not
> root), the r-x on the group would rule the rwx on other ... I really
> don't think that sounds correct.
You're right, that's odd. I'm confused why your root cgroups have u-w
though.
>
> Perhaps what you should to be arguing then that the default permissions
> of the cgroup directories need to be all rwx for everyone and then your
> patch becomes unnecessary?
I don't think that would be the nicest way of dealing with this (then a
process can make very large numbers of cgroups all over the tree, which
might not cause huge issues but would still be a pain for administrators
and systemds alike).
> Alternatively, if the desire is fully to virtualize /sys/fs/cgroups,
> then I think we have to decide how that would happen. I think the
> default requirements would be that a pid namespace be established (so
> only the tasks in that pid namespace would be able to be controlled by
> the cgroup namespace. That, I think requires that any given cgroup
> namespace "own" a pid namespace (being the one present when it was
> created) but that it only gets a new virtual set of directories owned
> by the userns owner if there's a pid namespace established for the
> cgroup and cgroup->user_ns == pid_ns->user_ns (meaning we established a
> user ns then a pid one then a cgroup one, so it's now safe to treat
> root in the user_ns as owning the virtualized cgroup directories).
I know this is probably a stupid question, but why couldn't we just
compare the user_ns with the tcred->user_ns? Or are you worried about a
process in a cgroup namespace moving processes to a subtree that isn't
in the same pid namespace (even though they're in the same user
namespace)? I don't mind implementing that this way (although we'd have
to change a bunch of the checks with pid_ns to use the
cgroup_ns->pid_ns), I'm just wondering if it's necessary.
> We could do this in the same way that proc gets virtualized after
> remounting (in a new mount namespace) on fork into a pid namespace.
I actually really like this idea. I'll get to work on it.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
WARNING: multiple messages have this Message-ID (diff)
From: Aleksa Sarai <asarai@suse.de>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
Tejun Heo <tj@kernel.org>, Li Zefan <lizefan@huawei.com>,
Johannes Weiner <hannes@cmpxchg.org>
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org,
dev@opencontainers.org, Aleksa Sarai <cyphar@cyphar.com>
Subject: Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Tue, 3 May 2016 11:59:25 +1000 [thread overview]
Message-ID: <572805FD.9080202@suse.de> (raw)
In-Reply-To: <1462226406.3036.17.camel@HansenPartnership.com>
>> Change the mode of the cgroup directory for each cgroup association,
>> allowing the process to create subtrees and modify the limits of the
>> subtrees *without* allowing the process to modify its own limits. Due
>> to the cgroup core restrictions and unix permission model, this
>> allows for processes to create new subtrees without breaking the
>> cgroup limits for the process.
>
> Actually, that's not really what this patch does. If you unshare
> without having created any cgroups, it sets the other permission of the
> entire top level hierarchy to o+rwx:
While that is odd, it makes sense (because that's the "current cgroup"
you are in). But I agree with your point that this patch is less than ideal.
> ironically, this now makes the root group a permission denier (at least
> for my distribution), because if I were in the root group (and not
> root), the r-x on the group would rule the rwx on other ... I really
> don't think that sounds correct.
You're right, that's odd. I'm confused why your root cgroups have u-w
though.
>
> Perhaps what you should to be arguing then that the default permissions
> of the cgroup directories need to be all rwx for everyone and then your
> patch becomes unnecessary?
I don't think that would be the nicest way of dealing with this (then a
process can make very large numbers of cgroups all over the tree, which
might not cause huge issues but would still be a pain for administrators
and systemds alike).
> Alternatively, if the desire is fully to virtualize /sys/fs/cgroups,
> then I think we have to decide how that would happen. I think the
> default requirements would be that a pid namespace be established (so
> only the tasks in that pid namespace would be able to be controlled by
> the cgroup namespace. That, I think requires that any given cgroup
> namespace "own" a pid namespace (being the one present when it was
> created) but that it only gets a new virtual set of directories owned
> by the userns owner if there's a pid namespace established for the
> cgroup and cgroup->user_ns == pid_ns->user_ns (meaning we established a
> user ns then a pid one then a cgroup one, so it's now safe to treat
> root in the user_ns as owning the virtualized cgroup directories).
I know this is probably a stupid question, but why couldn't we just
compare the user_ns with the tcred->user_ns? Or are you worried about a
process in a cgroup namespace moving processes to a subtree that isn't
in the same pid namespace (even though they're in the same user
namespace)? I don't mind implementing that this way (although we'd have
to change a bunch of the checks with pid_ns to use the
cgroup_ns->pid_ns), I'm just wondering if it's necessary.
> We could do this in the same way that proc gets virtualized after
> remounting (in a new mount namespace) on fork into a pid namespace.
I actually really like this idea. I'll get to work on it.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
next prev parent reply other threads:[~2016-05-03 1:59 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-01 13:41 [PATCH v2] cgroup: allow management of subtrees by cgroup namespaces Aleksa Sarai
2016-05-01 13:41 ` Aleksa Sarai
2016-05-01 13:41 ` [PATCH v2] cgroup: allow management of subtrees by new " Aleksa Sarai
[not found] ` <1462110065-4904-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 9:32 ` Aleksa Sarai
2016-05-02 9:32 ` Aleksa Sarai
2016-05-02 22:00 ` James Bottomley
2016-05-02 22:00 ` James Bottomley
[not found] ` <1462226406.3036.17.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-03 1:59 ` Aleksa Sarai [this message]
2016-05-03 1:59 ` Aleksa Sarai
[not found] ` <572805FD.9080202-l3A5Bk7waGM@public.gmane.org>
2016-05-03 2:26 ` James Bottomley
2016-05-03 2:26 ` James Bottomley
[not found] ` <1462242375.3093.12.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-03 6:48 ` Aleksa Sarai
2016-05-03 6:48 ` Aleksa Sarai
[not found] ` <572849C7.2020303-l3A5Bk7waGM@public.gmane.org>
2016-05-03 14:26 ` James Bottomley
2016-05-03 14:26 ` James Bottomley
[not found] ` <1462285590.11378.19.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-04 9:49 ` Aleksa Sarai
2016-05-04 9:49 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=572805FD.9080202@suse.de \
--to=asarai-l3a5bk7wagm@public.gmane.org \
--cc=James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org \
--cc=dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org \
--cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.