From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Subject: Re: [PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs
Date: Tue, 16 Feb 2016 13:05:51 -0500
Message-ID: <20160216180551.GN3741@mtj.duckdns.org>
References: <1454057651-23959-1-git-send-email-serge.hallyn@ubuntu.com>
 <1454057651-23959-9-git-send-email-serge.hallyn@ubuntu.com>
Mime-Version: 1.0
Return-path: <linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=sender:date:from:to:cc:subject:message-id:references:mime-version
         :content-type:content-disposition:in-reply-to:user-agent;
        bh=Px6c+bnZojJO+RkH5OXPEof8gA8BN4Zp7HYl6B35Qbk=;
        b=LcyRvVMjZKm24vCuC2F5Y4Z87t7X1hUmkA+XcMLiasK41kGyesOYY1qJSgXjT9GMQw
         mCAH+vH8evPPf7SqDIHx6FuWXqKOLKIRoeDI/vThxCE0D1QLF4NZgerqc4sXOUK8mqzz
         O5r8LSfIbJKYURvcxJF6lppvkqI9+ErtZK59Qmzh3MuMS0FncPvG0MC5UiERZ5+Zwxgx
         2mOiuSScp00IDwuSJojfI4AY9yiVPlJYAY2HSKUorodxuz/VUqAthD1b914b5r3QjjcO
         7tWqlir9hnHVa0ok082GwvOEhigbllh/01PWr4xV1yTxPHWNoyd189qv2bLYEhttCxgu
         WhvA==
Content-Disposition: inline
In-Reply-To: <1454057651-23959-9-git-send-email-serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-ID: <cgroups.vger.kernel.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org
Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, adityakali-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org, linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, lxc-devel-cunTk1MwBs9qMoObBWhMNEqPaTDuhLve2LY78lusg7I@public.gmane.org, akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org, ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org, gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org, lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org, hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org, Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>

On Fri, Jan 29, 2016 at 02:54:11AM -0600, serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org wrote:
> From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
> 
> allowing root in a non-init user namespace to mount it.  This should
> now be safe, because
> 
> 1. non-init-root cannot mount a previously unbound subsystem
> 2. the task doing the mount must be privileged with respect to the
>    user namespace owning the cgroup namespace
> 3. the mounted subsystem will have its current cgroup as the root dentry.
>    the permissions will be unchanged, so tasks will receive no new
>    privilege over the cgroups which they did not have on the original
>    mounts.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>

Applied 1-8 to cgroup/for-4.6-ns w/ trivial stylistic updates.

Thanks.

-- 
tejun