From: Tejun Heo <tj@kernel.org>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "John Stultz" <john.stultz@linaro.org>,
"Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
"Andy Lutomirski" <luto@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Daniel Mack" <daniel@zonque.org>,
"David S. Miller" <davem@davemloft.net>,
kafai@fb.com, "Florian Westphal" <fw@strlen.de>,
"Harald Hoyer" <harald@redhat.com>,
"Network Development" <netdev@vger.kernel.org>,
"Sargun Dhillon" <sargun@sargun.me>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
lkml <linux-kernel@vger.kernel.org>,
"Li Zefan" <lizefan@huawei.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"open list:CONTROL GROUP (CGROUP)" <cgroups@vger.kernel.org>,
"Android Kernel Team" <kernel-team@android.com>,
"Rom Lemarchand" <romlem@android.com>,
"Colin Cross" <ccross@android.com>
Subject: Re: [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups
Date: Tue, 6 Dec 2016 13:23:15 -0500 [thread overview]
Message-ID: <20161206182315.GB2625@mtj.duckdns.org> (raw)
In-Reply-To: <CALCETrUmwPaWbN_U2XAsg6Z0UGBJ=Ou7BoD09-GZFdRVT5Y-EQ@mail.gmail.com>
Hello,
On Tue, Dec 06, 2016 at 10:13:53AM -0800, Andy Lutomirski wrote:
> > Delegation is an explicit operation and reflected in the ownership of
> > the subdirectories and cgroup interface files in them. The
> > subhierarchy containment is achieved by requiring the user who's
> > trying to migrate a process to have write perm on cgroup.procs on the
> > common ancestor of the source and target in addition to the target.
>
> OK, I see what you're doing. That's interesting.
It's something born out of usages of cgroup v1. People used it that
way (chowning files and directories) and combined with the uid checksn
it yielded something which is useful sometimes, but it always had
issues with hierarchical behaviors, which files to chmod and the weird
combination of uid checks. cgroup v2 has a clear delegation model but
the uid checks are still left in as not changing was the default.
It's not necessary and I'm thinking about queueing something like the
following in the next cycle.
As for the android CAP discussion, I think it'd be nice to share an
existing CAP but if we can't find a good one to share, let's create a
new one.
Thanks.
diff --git a/Documentation/cgroup-v2.txt b/Documentation/cgroup-v2.txt
index 4cc07ce..34b4b44 100644
--- a/Documentation/cgroup-v2.txt
+++ b/Documentation/cgroup-v2.txt
@@ -328,14 +328,12 @@ a process with a non-root euid to migrate a target process into a
cgroup by writing its PID to the "cgroup.procs" file, the following
conditions must be met.
-- The writer's euid must match either uid or suid of the target process.
-
- The writer must have write access to the "cgroup.procs" file.
- The writer must have write access to the "cgroup.procs" file of the
common ancestor of the source and destination cgroups.
-The above three constraints ensure that while a delegatee may migrate
+The above two constraints ensure that while a delegatee may migrate
processes around freely in the delegated sub-hierarchy it can't pull
in from or push out to outside the sub-hierarchy.
@@ -350,10 +348,10 @@ all processes under C0 and C1 belong to U0.
Let's also say U0 wants to write the PID of a process which is
currently in C10 into "C00/cgroup.procs". U0 has write access to the
-file and uid match on the process; however, the common ancestor of the
-source cgroup C10 and the destination cgroup C00 is above the points
-of delegation and U0 would not have write access to its "cgroup.procs"
-files and thus the write will be denied with -EACCES.
+file; however, the common ancestor of the source cgroup C10 and the
+destination cgroup C00 is above the points of delegation and U0 would
+not have write access to its "cgroup.procs" files and thus the write
+will be denied with -EACCES.
2-6. Guidelines
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 85bc9be..49384ff 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2854,12 +2854,18 @@ static int cgroup_procs_write_permission(struct task_struct *task,
* even if we're attaching all tasks in the thread group, we only
* need to check permissions on one of them.
*/
- if (!uid_eq(cred->euid, GLOBAL_ROOT_UID) &&
- !uid_eq(cred->euid, tcred->uid) &&
- !uid_eq(cred->euid, tcred->suid))
- ret = -EACCES;
- if (!ret && cgroup_on_dfl(dst_cgrp)) {
+ /* root is allowed to do anything */
+ if (uid_eq(cred->euid, GLOBAL_ROOT_UID))
+ goto out;
+
+ /*
+ * On v2, follow the delegation model. Inside a delegated subtree,
+ * the delegatee can move around the processes however it sees fit.
+ *
+ * On v1, a process should match one of the target's uids.
+ */
+ if (cgroup_on_dfl(dst_cgrp)) {
struct super_block *sb = of->file->f_path.dentry->d_sb;
struct cgroup *cgrp;
struct inode *inode;
@@ -2877,8 +2883,11 @@ static int cgroup_procs_write_permission(struct task_struct *task,
ret = inode_permission(inode, MAY_WRITE);
iput(inode);
}
+ } else if (!uid_eq(cred->euid, tcred->uid) &&
+ !uid_eq(cred->euid, tcred->suid)) {
+ ret = -EACCES;
}
-
+out:
put_cred(tcred);
return ret;
}
next prev parent reply other threads:[~2016-12-06 18:23 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-08 23:28 [RESEND][PATCH v4] cgroup: Use CAP_SYS_RESOURCE to allow a process to migrate other tasks between cgroups John Stultz
[not found] ` <1478647728-30357-1-git-send-email-john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
2016-11-08 23:41 ` Kees Cook
2016-11-08 23:51 ` Andy Lutomirski
2016-11-09 0:03 ` Alexei Starovoitov
2016-11-09 0:12 ` Andy Lutomirski
2016-11-23 0:57 ` John Stultz
2016-12-06 0:28 ` John Stultz
[not found] ` <CALAqxLW-mq4Lnudtn5KMBPdzBTg5bhTXV9QmUC2vfabVru+fUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 0:36 ` Andy Lutomirski
2016-12-06 2:00 ` Serge E. Hallyn
[not found] ` <20161206020011.GA22261-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2016-12-06 16:57 ` Tejun Heo
2016-12-06 16:55 ` Tejun Heo
[not found] ` <20161206165519.GA17648-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-06 17:01 ` Andy Lutomirski
[not found] ` <CALCETrV3Yrq1hRcoGCTU_z-T-6hmq-gY-HytR2HGkvnRK-W1SQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-06 18:12 ` Tejun Heo
2016-12-06 18:13 ` Andy Lutomirski
2016-12-06 18:23 ` Tejun Heo [this message]
[not found] ` <20161206182315.GB2625-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-12-09 5:39 ` John Stultz
2016-12-09 13:27 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161206182315.GB2625@mtj.duckdns.org \
--to=tj@kernel.org \
--cc=alexei.starovoitov@gmail.com \
--cc=ccross@android.com \
--cc=cgroups@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=harald@redhat.com \
--cc=john.stultz@linaro.org \
--cc=kafai@fb.com \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mic@digikod.net \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=romlem@android.com \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).