From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:60235 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1947074AbcHRK56 (ORCPT ); Thu, 18 Aug 2016 06:57:58 -0400
Subject: Patch "cgroupns: Only allow creation of hierarchies in the initial cgroup namespace" has been added to the 4.7-stable tree
To: ebiederm@xmission.com, gregkh@linuxfoundation.org, tj@kernel.org
Cc: ,
From:
Date: Thu, 18 Aug 2016 12:57:36 +0200
Message-ID: <1471517856384@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    cgroupns: Only allow creation of hierarchies in the initial cgroup namespace

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cgroupns-only-allow-creation-of-hierarchies-in-the-initial-cgroup-namespace.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From 726a4994b05ff5b6f83d64b5b43c3251217366ce Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman"
Date: Fri, 15 Jul 2016 06:36:44 -0500
Subject: cgroupns: Only allow creation of hierarchies in the initial cgroup namespace
From: Eric W. Biederman

commit 726a4994b05ff5b6f83d64b5b43c3251217366ce upstream.

Unprivileged users can't use hierarchies if they create them as they do
not have privileges to the root directory. Which means the only thing a
hierarchy created by an unprivileged user is good for is expanding the
number of cgroup links in every css_set, which is a DOS attack.

We could allow hierarchies to be created in namespaces in the initial
user namespace. Unfortunately there is only a single namespace for the
names of hierarchies, so that is likely to create more confusion than not.

So do the simple thing and restrict hierarchy creation to the initial
cgroup namespace.

Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Tejun Heo
Signed-off-by: Greg Kroah-Hartman

---
 kernel/cgroup.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -2215,12 +2215,8 @@ static struct dentry *cgroup_mount(struc goto out_unlock; } - /* - * We know this subsystem has not yet been bound. Users in a non-init - * user namespace may only mount hierarchies with no bound subsystems, - * i.e. 'none,name=user1' - */ - if (!opts.none && !capable(CAP_SYS_ADMIN)) { + /* Hierarchies may only be created in the initial cgroup namespace. */ + if (ns != &init_cgroup_ns) { ret = -EPERM; goto out_unlock; }

Patches currently in stable-queue which might be from ebiederm@xmission.com are

queue-4.7/cgroupns-fix-the-locking-in-copy_cgroup_ns.patch
queue-4.7/cgroupns-only-allow-creation-of-hierarchies-in-the-initial-cgroup-namespace.patch
queue-4.7/cgroupns-close-race-between-cgroup_post_fork-and-copy_cgroup_ns.patch
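Review bot: the replacement condition `if (ns != &init_cgroup_ns)` in the cgroup_mount hunk drops the `capable(CAP_SYS_ADMIN)` test that the removed block carried, so for a caller that is in the initial cgroup namespace this site no longer gates on privilege at all and relies entirely on whatever capability check precedes it in cgroup_mount; the new one-line comment states the namespace rule but not that dependency, and since the removed comment also documented the `none,name=user1` form that unprivileged callers could previously mount, I would extend the new comment to say where the capability requirement now lives and that a privileged task in a child cgroup namespace is also refused by design, so a later reader does not read this hunk as a relaxation of the old check.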
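As an added example that is not part of this mail, the patch or the kernel tree, the following C probe exercises exactly the path the hunk above closes: from a forked child it enters fresh user, mount and cgroup namespaces, maps itself to uid 0 there (so it holds CAP_SYS_ADMIN in that user namespace only), and then asks mount(2) for a controller-less named cgroup v1 hierarchy. On a kernel with this check the mount fails with EPERM; on a pre-patch kernel it succeeds. The mount point under /tmp, the hierarchy name `cgrp_probe` and the three-way verdict are my own conventions, and the probe assumes Linux with user namespaces enabled and a libc that exposes unshare(2).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older libc headers predate cgroup namespaces (Linux 4.6); value is the kernel's. */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* What the probe learned about the running kernel. */
enum probe_result {
    PROBE_DENIED,      /* mount(2) failed with EPERM: the namespace check (or an equivalent) is in place */
    PROBE_ALLOWED,     /* mount(2) succeeded: hierarchies can still be created outside init_cgroup_ns */
    PROBE_UNAVAILABLE  /* namespaces could not be set up, or mount failed for another reason */
};

const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_DENIED:  return "denied";
    case PROBE_ALLOWED: return "allowed";
    default:            return "unavailable";
    }
}

/* Write one short string to a /proc file; returns 0 on success. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(text);
    ssize_t n = write(fd, text, (size_t)len);
    close(fd);
    return n == len ? 0 : -1;
}

/* Runs in a forked child so the caller keeps its own namespaces. The
 * 'none,name=...' option string is the no-controller form the removed
 * comment in the patch describes; cgrp_probe is an arbitrary name. */
static int probe_child(const char *mountpoint)
{
    char line[64];

    if (unshare(CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWCGROUP) < 0)
        return PROBE_UNAVAILABLE;

    /* Map ourselves to uid/gid 0 in the new user namespace: CAP_SYS_ADMIN
     * there, but not in the initial user namespace. */
    snprintf(line, sizeof line, "0 %u 1", (unsigned)getuid());
    if (write_proc("/proc/self/setgroups", "deny") < 0 ||
        write_proc("/proc/self/uid_map", line) < 0)
        return PROBE_UNAVAILABLE;
    snprintf(line, sizeof line, "0 %u 1", (unsigned)getgid());
    if (write_proc("/proc/self/gid_map", line) < 0)
        return PROBE_UNAVAILABLE;

    if (mount("cgroup", mountpoint, "cgroup", 0, "none,name=cgrp_probe") == 0) {
        umount(mountpoint);
        return PROBE_ALLOWED;
    }
    /* Caveat: EPERM from a seccomp filter or LSM policy on mount(2) is
     * indistinguishable from the kernel's own check; run without such filters. */
    return errno == EPERM ? PROBE_DENIED : PROBE_UNAVAILABLE;
}

/* Fork the probe, collect its verdict, and remove the temporary mount point. */
enum probe_result probe_cgroup_hierarchy_creation(void)
{
    char dir[] = "/tmp/cgrp_probe.XXXXXX";
    int status, code;
    pid_t pid;

    if (mkdtemp(dir) == NULL)
        return PROBE_UNAVAILABLE;
    pid = fork();
    if (pid == 0)
        _exit(probe_child(dir));
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        rmdir(dir);
        return PROBE_UNAVAILABLE;
    }
    rmdir(dir);
    code = WEXITSTATUS(status);
    return code <= PROBE_UNAVAILABLE ? (enum probe_result)code : PROBE_UNAVAILABLE;
}

int main(void)
{
    enum probe_result r = probe_cgroup_hierarchy_creation();
    printf("named cgroup hierarchy creation from a child cgroup namespace: %s\n",
           probe_result_name(r));
    return 0;
}
```

Because the child always unshares a cgroup namespace, even a real root caller gets "denied" on a patched kernel, which is what the hunk intends; "unavailable" means the environment (seccomp, disabled user namespaces, a restricted /tmp) prevented the probe from reaching the kernel's check, not that the kernel is unpatched.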