Re: [RESEND RFC PATCH 1/1] Selectively allow CAP_SYS_NICE capability inside user namespaces

[prakash.sangappa]

On 11/21/2019 05:45 PM, Prakash Sangappa wrote:
> On 11/21/19 1:27 PM, ebiederm@xxxxxxxxxxxx wrote:
> > Prakash Sangappa <prakash.sangappa@xxxxxxxxxx> writes:
<..>
> > 2) If I read the other thread correctly there was talk about setting the
> >     nice levels of processes in other containers.  Ouch!
>
> No not in other containers. Only on processes within the container 
> which has this capability. The use case is to use it in a container 
> with user namespace and pid namespace. So no processes from other 
> containers should be visible. Necessary checks should be added?.
>
>
> >     The only thing I can think that makes any sense at all is to allow
> >     setting the nice levels of the processes in your own container.
>
> Yes that is the intended use.
>
> >     I can totally see having a test to see if a processes credentials 
> > are
> >     in the caller's user namespace or a child of caller's user namespace
> >     and allowing admin level access if the caller has the appropriate
> >     caps in their user namespace.
>
> Ok
>
> >     But in this case I don't see anything preventing the admin in a
> >     container from using the ordinary nice levels on a task. You are
> >     unlocking the nice levels reserved for the system administrator
> >     for special occassions.   I don't see how that makes any sense
> >     to do from inside a container.
>
> But this is what seems to be lacking. A container could have some 
> critical processes running which need to run at a higher priority.

Any comments about this? What would be the recommendation for dealing 
with such a requirement?