public inbox for cgroups@vger.kernel.org
From: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: "Mickaël Salaün" <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
Cc: John Stultz <john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
	lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
	Jonathan Corbet <corbet-T1hC0tSOHrs@public.gmane.org>,
	cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Android Kernel Team
	<kernel-team-z5hGa2qSFaRBDgjK7y7TUQ@public.gmane.org>,
	Rom Lemarchand <romlem-z5hGa2qSFaRBDgjK7y7TUQ@public.gmane.org>,
	Colin Cross <ccross-z5hGa2qSFaRBDgjK7y7TUQ@public.gmane.org>,
	Dmitry Shmidt <dimitrysh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Todd Kjos <tkjos-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
	Christian Poetzsch
	<christian.potzsch-1AXoQHu6uovQT0dZR+AlfA@public.gmane.org>,
	Amit Pundir <amit.pundir-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
	Dmitry Torokhov
	<dmitry.torokhov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
	"Serge E . Hallyn"
	<serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
	Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
	linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Paul Moore <paul-r2n+y4ga6xFZroRs9YW3xA@public.gmane.org>,
	Stephen Smalley <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
	Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
	James Morris <james.>
Subject: Re: [PATCH] cgroup: Add new capability to allow a process to migrate other tasks between cgroups
Date: Mon, 19 Dec 2016 08:11:38 -0500	[thread overview]
Message-ID: <20161219131138.GA14837@mtj.duckdns.org> (raw)
In-Reply-To: <5855A8EB.8000005-WFhQfpSGs3bR7s880joybQ@public.gmane.org>

Hello,

On Sat, Dec 17, 2016 at 10:06:51PM +0100, Mickaël Salaün wrote:
> If I understand correctly, this patch is intended to add a delegation
> feature to cgroup v1, which does not really make sense for the v2

It's more about upstreaming a workaround for android somewhat like
including binder into kernel.  It isn't adding actual cgroup
delegation to v1.  It's just splitting a small piece of CAP_SYS_ADMIN
to accommodate what android has been doing.

> because of the clean cgroup-v2 delegation design. However, this new
> capability impacts both versions.

In the same way but it's not about cgroup delegation.  It's just
allowing splitting up CAP_SYS_ADMIN so that "no extra restrictions on
cgroup" can be given away in a safer way.

> However, even if a cgroup does not directly involve a limitation, it may
> be used to identify a group of processes for a security critical purpose
> (e.g. kill a group of processes). It can then make sense to have a
> dedicated capability CAP_CGROUP to allow a process *without the right to
> write in cgroup.procs* to be allowed to move a process out of its
> current cgroup. This is similar to CAP_DAC_OVERRIDE but only for
> cgroup/controllers files (but not necessarily sufficient to modify all
> cgroups). This does not mean that CAP_CGROUP should allow to move any
> process from any cgroup. The cgroup_procs_write_permission() should
> compose the checks for CAP_CGROUP and/or CAP_SYS_RESOURCE and/or
> CAP_SYS_ADMIN depending on the current use of the cgroup (i.e. cgroup
> controller, BPF program type, netfilter).

There's no reason to invent a whole new set of security policies for
cgroup.  It already got one which follows the filesystem permissions
with some extra restrictions.  The CAP split is purely to accommodate
android and that's it.  If that isn't good enough a reason, then
android should just keep carrying the patches it needs.  This doesn't
justify bolting on another permission model on cgroup in any way.

Thanks.

-- 
tejun

Thread overview: 12+ messages
2016-12-17  4:43 [PATCH] cgroup: Add new capability to allow a process to migrate other tasks between cgroups John Stultz
     [not found] ` <1481949827-23613-1-git-send-email-john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-12-17 21:06   ` Mickaël Salaün
     [not found]     ` <5855A8EB.8000005-WFhQfpSGs3bR7s880joybQ@public.gmane.org>
2016-12-19 13:11       ` Tejun Heo [this message]
  -- strict thread matches above, loose matches on Subject: below --
2016-10-17 22:35 John Stultz
     [not found] ` <1476743724-9104-1-git-send-email-john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-10-17 22:40   ` Andy Lutomirski
2016-10-17 23:35     ` John Stultz
     [not found]       ` <CALAqxLW0_Xi0vrTkTN+Gmp3yKfOcmCYYCi5f4COgPiYY=odEJA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-18  8:17         ` Michael Kerrisk (man-pages)
     [not found]           ` <CAKgNAkjTYu53ji=gP2qXRYpvUEdAP=gxg0BR40JJ54z+XBha-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-10-18 16:54             ` John Stultz
2016-10-19  7:14               ` Michael Kerrisk (man-pages)
2016-10-19 20:52               ` Tejun Heo
     [not found]                 ` <20161019205251.GG3044-piEFEHQLUPpN0TnZuCh8vA@public.gmane.org>
2016-10-19 20:55                   ` John Stultz
2016-10-19 20:51     ` Tejun Heo
