Subject: Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
From: Aleksa Sarai
To: Tejun Heo, Li Zefan, Johannes Weiner
Cc: cgroups@vger.kernel.org, linux-kernel@vger.kernel.org, dev@opencontainers.org, Aleksa Sarai
Date: Mon, 2 May 2016 19:32:24 +1000
Message-ID: <57271EA8.5080104@suse.de>
In-Reply-To: <1462110065-4904-2-git-send-email-asarai@suse.de>
References: <1462110065-4904-1-git-send-email-asarai@suse.de> <1462110065-4904-2-git-send-email-asarai@suse.de>

> + * 3. cgroup core doesn't allow tasks to be migrated by users that have
> + * write access to two subtrees unless they also have write access to
> + * the common ancestor of the two subtrees. Thus you cannot use a
> + * complicit process in less restrictive cgroup to overcome your own
> + * cgroup restriction.

It appears this restriction isn't actually being applied on cgroupv1. I'll send an updated patch which makes sure the cgroup.procs common ancestor restriction is enforced for all hierarchies.

-- 
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
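The common-ancestor rule quoted above, modelled as a small policy check. This is an added illustration, not code from the patch or the kernel: `writable` is assumed to be the set of cgroups whose cgroup.procs file the user may write, paths are plain strings, and the check mirrors the rule as the comment states it (write access to the destination and to the common ancestor of source and destination).

```python
from typing import Set


def common_ancestor(a: str, b: str) -> str:
    """Deepest cgroup that is an ancestor of (or equal to) both paths."""
    pa = [p for p in a.split("/") if p]
    pb = [p for p in b.split("/") if p]
    shared = []
    for x, y in zip(pa, pb):
        if x != y:
            break
        shared.append(x)
    return "/" + "/".join(shared)


def migration_allowed(writable: Set[str], src: str, dst: str) -> bool:
    """Model of the rule in the quoted comment (assumption: `writable` lists
    every cgroup whose cgroup.procs the caller can write, with no inheritance).

    Writing a pid into dst's cgroup.procs requires write access to dst, and
    the migration is only permitted if the caller can also write the common
    ancestor of src and dst. Having access to two sibling subtrees but not
    their parent is therefore not enough to move tasks between them.
    """
    if dst not in writable:
        return False
    return common_ancestor(src, dst) in writable


if __name__ == "__main__":
    # Constructed scenario: a user who controls /a/x and /a/y but not /a.
    user_writable = {"/a/x", "/a/y"}
    # Sibling-to-sibling move is denied: the common ancestor /a is not writable.
    print(migration_allowed(user_writable, "/a/x", "/a/y"))   # False
    # Moving within one subtree is fine: the common ancestor is /a/x itself.
    print(migration_allowed(user_writable, "/a/x/deep", "/a/x"))  # True
    # Granting /a as well lifts the restriction.
    print(migration_allowed(user_writable | {"/a"}, "/a/x", "/a/y"))  # True
```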