Date: Tue, 16 Feb 2016 13:05:51 -0500
From: Tejun Heo
To: serge.hallyn@ubuntu.com
Cc: linux-kernel@vger.kernel.org, adityakali@google.com, linux-api@vger.kernel.org, containers@lists.linux-foundation.org, cgroups@vger.kernel.org, lxc-devel@lists.linuxcontainers.org, akpm@linux-foundation.org, ebiederm@xmission.com, gregkh@linuxfoundation.org, lizefan@huawei.com, hannes@cmpxchg.org, Serge Hallyn
Subject: Re: [PATCH 8/8] Add FS_USERNS_FLAG to cgroup fs
Message-ID: <20160216180551.GN3741@mtj.duckdns.org>
References: <1454057651-23959-1-git-send-email-serge.hallyn@ubuntu.com> <1454057651-23959-9-git-send-email-serge.hallyn@ubuntu.com>
In-Reply-To: <1454057651-23959-9-git-send-email-serge.hallyn@ubuntu.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 29, 2016 at 02:54:11AM -0600, serge.hallyn@ubuntu.com wrote:
> From: Serge Hallyn
>
> allowing root in a non-init user namespace to mount it.  This should
> now be safe, because
>
> 1. non-init-root cannot mount a previously unbound subsystem
> 2. the task doing the mount must be privileged with respect to the
>    user namespace owning the cgroup namespace
> 3. the mounted subsystem will have its current cgroup as the root dentry.
>    the permissions will be unchanged, so tasks will receive no new
>    privilege over the cgroups which they did not have on the original
>    mounts.
>
> Signed-off-by: Serge Hallyn

Applied 1-8 to cgroup/for-4.6-ns w/ trivial stylistic updates.

Thanks.

-- 
tejun