From: Waiman Long
To: Chen Ridong, Tejun Heo, Johannes Weiner, Michal Koutný, Jonathan Corbet, Shuah Khan
Cc: cgroups@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Xie Maoyi, Waiman Long
Subject: [PATCH] cgroup/cpuset: Creating or adding CPUs to partition not allowed without privilege
Date: Mon, 27 Apr 2026 23:34:39 -0400
Message-ID: <20260428033439.783246-1-longman@redhat.com>

Creation of a cpuset partition or adding more CPUs to an existing partition will take CPUs away from other cpusets outside of the partition, leaving fewer CPUs for the others. So it is a privileged operation that non-privileged users shouldn't be allowed to do.

Currently, the remote partition code has a check for the CAP_SYS_ADMIN capability before allowing such operations, but not the local partition code. This leaves a security hole in case cpuset.cpus.partition of a cpuset is chown'ed to a non-root user and its parent cpuset happens to be a partition root. Add such a privilege check for local partitions too to close the hole. Also update Documentation/admin-guide/cgroup-v2.rst to clarify the intention.

With this patch applied, any attempt to enable a partition or add CPUs to an existing local or remote partition by an unprivileged user will invalidate the partition even if writing to cpuset control files is allowed.

Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag")
Reported-by: Xie Maoyi
Signed-off-by: Waiman Long
---
 Documentation/admin-guide/cgroup-v2.rst |  6 ++++--
 kernel/cgroup/cpuset.c                  | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/cgroup-v2.rst b/Documentation/admin-guide/cgroup-v2.rst
index 6efd0095ed99..df58557902db 100644
--- a/Documentation/admin-guide/cgroup-v2.rst +++ b/Documentation/admin-guide/cgroup-v2.rst @@ -2599,8 +2599,10 @@ Cpuset Interface Files cpuset.cpus.partition A read-write single value file which exists on non-root - cpuset-enabled cgroups. This flag is owned by the parent cgroup - and is not delegatable. + cpuset-enabled cgroups. This file is owned by the parent cgroup + and is not delegatable. Any partition operations that take CPUs + away from other cpusets outside of a partition is not allowed + without privilege. It accepts only the following input values when written to. diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c index e3a081a07c6d..5fc8555f2046 100644 --- a/kernel/cgroup/cpuset.c +++ b/kernel/cgroup/cpuset.c @@ -57,7 +57,7 @@ static const char * const perr_strings[] = { [PERR_HOTPLUG] = "No cpu available due to hotplug", [PERR_CPUSEMPTY] = "cpuset.cpus and cpuset.cpus.exclusive are empty", [PERR_HKEEPING] = "partition config conflicts with housekeeping setup", - [PERR_ACCESS] = "Enable partition not permitted", + [PERR_ACCESS] = "Partition operation not permitted", [PERR_REMOTE] = "Have remote partition underneath", }; @@ -1740,6 +1740,8 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd, nocpu = tasks_nocpu_error(parent, cs, xcpus); if ((cmd == partcmd_enable) || (cmd == partcmd_enablei)) { + if (!capable(CAP_SYS_ADMIN)) + return PERR_ACCESS; /* * Need to call compute_excpus() in case * exclusive_cpus not set. Sibling conflict should only happen 
@@ -1833,12 +1835,18 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd, parent->effective_xcpus); } + /* + * Taking CPUs away from parent is not allowed without privilege + */ + if (deleting && !capable(CAP_SYS_ADMIN)) + part_error = PERR_ACCESS; + /* * TBD: Invalidate a currently valid child root partition may * still break isolated_cpus_can_update() rule if parent is an * isolated partition. */ - if (is_partition_valid(cs) && (old_prs != parent_prs)) { + else if (is_partition_valid(cs) && (old_prs != parent_prs)) { if ((parent_prs == PRS_ROOT) && /* Adding to parent means removing isolated CPUs */ !isolated_cpus_can_update(tmp->delmask, tmp->addmask)) @@ -1919,8 +1927,10 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd, } write_error: - if (part_error) + if (part_error) { WRITE_ONCE(cs->prs_err, part_error); + adding = deleting = false; + } if (cmd == partcmd_update) { /* -- 2.53.0
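Review bot: the sentence added in the cgroup-v2.rst hunk has a subject-verb mismatch ("Any partition operations that take CPUs away ... is not allowed"); suggest "Any partition operation that takes CPUs away from other cpusets outside of the partition is not allowed without privilege." Since the code enforces this with capable(CAP_SYS_ADMIN), naming the capability in the doc would also tell an administrator what "privilege" means when the partition is reported invalid with "Partition operation not permitted".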
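Review bot: the new capable(CAP_SYS_ADMIN) test in the partcmd_enable/partcmd_enablei branch of update_parent_effective_cpumask() (the @@ -1740 hunk) carries no comment, unlike the matching check added further down in the same function; a one-line comment such as "Enabling a partition takes CPUs from the parent, privileged only" keeps the two in step. It is also worth saying in the changelog that capable() in the initial user namespace, rather than ns_capable(), is the intended test, so that a delegated, user-namespaced container root holding its own CAP_SYS_ADMIN still cannot carve CPUs out of the host; that matches the remote partition check the commit message refers to.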
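Review bot: in the @@ -1833 hunk the new `if (deleting && !capable(CAP_SYS_ADMIN))` is separated from its `else if` by the existing multi-line "TBD" comment block, so the `else if` reads as a detached statement at first sight; consider moving that comment inside the else-if body, or placing the privilege test directly above the `else if` with its own comment kept short, so the if/else pair sits together. The gate is on `deleting` only, so operations that merely hand CPUs back to the parent stay unrestricted, which matches the scope the commit message describes (enabling a partition or adding CPUs to one).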
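Review bot: `adding = deleting = false;` at write_error (the @@ -1919 hunk) now applies to every non-zero part_error, not only the new PERR_ACCESS case, while the changelog motivates it only for the unprivileged case. Please confirm that the other error paths reaching write_error did not rely on `adding` or `deleting` staying set to move CPUs back to or out of the parent's effective mask, or narrow the reset to `if (part_error == PERR_ACCESS)` and state the reason in the commit message.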