From mboxrd@z Thu Jan 1 00:00:00 1970 From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman) Subject: Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly? Date: Tue, 06 Nov 2012 03:58:04 -0800 Message-ID: <877gpzrlir.fsf@xmission.com> References: <20121106023845.GI19354@mtj.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20121106023845.GI19354-9pTldWuhBndy/B6EtB590w@public.gmane.org> (Tejun Heo's message of "Mon, 5 Nov 2012 18:38:45 -0800") List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Tejun Heo Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, Aristeu Rozanski , cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tejun Heo writes: > Hello, guys. > > Why doesn't it follow the usual security enforced by cgroupfs > permissions? Why is the explicit check necessary? An almost more interesting question is why is cgroup one of the last pieces of code not using capabilities and instead lets you attach to any process simply if your uid == 0. I don't know the history but the device cgroup testing for CAP_SYS_ADMIN makes a naive sort of sense to me. Eric