From: James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
To: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org,
Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Mon, 02 May 2016 18:00:06 -0400 [thread overview]
Message-ID: <1462226406.3036.17.camel@HansenPartnership.com> (raw)
In-Reply-To: <1462110065-4904-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
On Sun, 2016-05-01 at 23:41 +1000, Aleksa Sarai wrote:
> Allow an unprivileged processes to control subtrees of their
> associated cgroup, a necessary feature if an unprivileged container
> (set up with an unprivileged user namespace) wishes to take advantage
> of cgroups for its own subprocesses.
>
> Change the mode of the cgroup directory for each cgroup association,
> allowing the process to create subtrees and modify the limits of the
> subtrees *without* allowing the process to modify its own limits. Due
> to the cgroup core restrictions and unix permission model, this
> allows for processes to create new subtrees without breaking the
> cgroup limits for the process.
Actually, that's not really what this patch does. If you unshare
without having created any cgroups, it sets the other permission of the
entire top level hierarchy to o+rwx:
jejb@jarvis:~> unshare -r --cgroup
root@jarvis:~# ls -l /sys/fs/cgroup/
total 0
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 blkio/
lrwxrwxrwx 1 nobody nogroup 11 May 2 14:50 cpu -> cpu,cpuacct/
lrwxrwxrwx 1 nobody nogroup 11 May 2 14:50 cpuacct -> cpu,cpuacct/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 cpu,cpuacct/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 cpuset/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 devices/
dr-xr-xrwx 3 nobody nogroup 0 May 2 15:04 freezer/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 hugetlb/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 memory/
lrwxrwxrwx 1 nobody nogroup 16 May 2 14:50 net_cls -> net_cls,net_prio/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 net_cls,net_prio/
lrwxrwxrwx 1 nobody nogroup 16 May 2 14:50 net_prio -> net_cls,net_prio/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 perf_evesnt/
dr-xr-xrwx 2 nobody nogroup 0 May 2 14:50 pids/
dr-xr-xr-x 4 nobody nogroup 0 May 2 14:50 systemd/
But this is visible even to an unprivileged user not in any namespace,
meaning that now any user may create a cgroup control directory:
jejb@jarvis:~> ls -l /sys/fs/cgroup/
total 0
dr-xr-xrwx 2 root root 0 May 2 14:50 blkio/
lrwxrwxrwx 1 root root 11 May 2 14:50 cpu -> cpu,cpuacct/
lrwxrwxrwx 1 root root 11 May 2 14:50 cpuacct -> cpu,cpuacct/
dr-xr-xrwx 2 root root 0 May 2 14:50 cpu,cpuacct/
dr-xr-xrwx 2 root root 0 May 2 14:50 cpuset/
dr-xr-xrwx 2 root root 0 May 2 14:50 devices/
dr-xr-xrwx 3 root root 0 May 2 15:04 freezer/
dr-xr-xrwx 2 root root 0 May 2 14:50 hugetlb/
dr-xr-xrwx 2 root root 0 May 2 14:50 memory/
lrwxrwxrwx 1 root root 16 May 2 14:50 net_cls -> net_cls,net_prio/
dr-xr-xrwx 2 root root 0 May 2 14:50 net_cls,net_prio/
lrwxrwxrwx 1 root root 16 May 2 14:50 net_prio -> net_cls,net_prio/
dr-xr-xrwx 2 root root 0 May 2 14:50 perf_event/
dr-xr-xrwx 2 root root 0 May 2 14:50 pids/
dr-xr-xr-x 4 root root 0 May 2 14:50 systemd/
ironically, this now makes the root group a permission denier (at least
for my distribution), because if I were in the root group (and not
root), the r-x on the group would rule the rwx on other ... I really
don't think that sounds correct.
Perhaps what you should to be arguing then that the default permissions
of the cgroup directories need to be all rwx for everyone and then your
patch becomes unnecessary?
Alternatively, if the desire is fully to virtualize /sys/fs/cgroups,
then I think we have to decide how that would happen. I think the
default requirements would be that a pid namespace be established (so
only the tasks in that pid namespace would be able to be controlled by
the cgroup namespace. That, I think requires that any given cgroup
namespace "own" a pid namespace (being the one present when it was
created) but that it only gets a new virtual set of directories owned
by the userns owner if there's a pid namespace established for the
cgroup and cgroup->user_ns == pid_ns->user_ns (meaning we established a
user ns then a pid one then a cgroup one, so it's now safe to treat
root in the user_ns as owning the virtualized cgroup directories). We
could do this in the same way that proc gets virtualized after
remounting (in a new mount namespace) on fork into a pid namespace.
James
next prev parent reply other threads:[~2016-05-02 22:00 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-01 13:41 [PATCH v2] cgroup: allow management of subtrees by cgroup namespaces Aleksa Sarai
2016-05-01 13:41 ` [PATCH v2] cgroup: allow management of subtrees by new " Aleksa Sarai
[not found] ` <1462110065-4904-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 9:32 ` Aleksa Sarai
2016-05-02 22:00 ` James Bottomley [this message]
[not found] ` <1462226406.3036.17.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-03 1:59 ` Aleksa Sarai
[not found] ` <572805FD.9080202-l3A5Bk7waGM@public.gmane.org>
2016-05-03 2:26 ` James Bottomley
[not found] ` <1462242375.3093.12.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-03 6:48 ` Aleksa Sarai
[not found] ` <572849C7.2020303-l3A5Bk7waGM@public.gmane.org>
2016-05-03 14:26 ` James Bottomley
[not found] ` <1462285590.11378.19.camel-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
2016-05-04 9:49 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462226406.3036.17.camel@HansenPartnership.com \
--to=james.bottomley-d9phhud1jfjcxq6kfmz53/egyhegw8jk@public.gmane.org \
--cc=asarai-l3A5Bk7waGM@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org \
--cc=dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org \
--cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).