Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces
From: Aleksa Sarai
Date: Mon May 02 2016 - 05:32:46 EST
+ * 3. cgroup core doesn't allow tasks to be migrated by users that have
+ * write access to two subtrees unless they also have write access to
+ * the common ancestor of the two subtrees. Thus you cannot use a
+ * complicit process in less restrictive cgroup to overcome your own
+ * cgroup restriction.
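Review bot: the comment states the common-ancestor rule as something "cgroup core doesn't allow" without qualifying which hierarchies it holds on, yet the reply below says it is not actually applied on cgroupv1; either restrict the wording to the hierarchies where the check is enforced, or land the enforcement change for all hierarchies first, so the comment is accurate at the point it merges. It would also help to name the write path the rule is checked on (the cgroup.procs write), since "write access to two subtrees" is otherwise ambiguous about which file's permission is meant.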
It appears this restriction isn't actually being applied on cgroupv1.
I'll send an updated patch which makes sure the cgroup.proc common
ancestor restriction is enforced for all hierarchies.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
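The common-ancestor rule quoted in the patch comment, as an added illustration that is not part of this thread, the patch, or the kernel's own implementation: a small user-space model in which each cgroup is a tree node carrying the set of uids allowed to write its cgroup.procs file (a bitmask over constructed uid numbers, an assumption of the model), and a migration from src to dst is permitted only when the caller can write dst and the lowest common ancestor of src and dst. The tree, uids and helper names are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the common-ancestor rule, for illustration only.
 * It is not kernel code. A cgroup is a node with a parent index and a
 * bitmask of uids (assumed < 32) that may write its cgroup.procs file. */
#define MAX_CG 16

struct cgroup {
    const char *name;
    int parent;        /* index of parent cgroup, -1 for the root */
    unsigned writers;  /* bit i set => uid i may write cgroup.procs here */
};

static struct cgroup cgs[MAX_CG];
static int ncg;

static int cg_add(const char *name, int parent, unsigned writers)
{
    if (ncg >= MAX_CG)
        return -1;
    cgs[ncg].name = name;
    cgs[ncg].parent = parent;
    cgs[ncg].writers = writers;
    return ncg++;
}

static int cg_depth(int cg)
{
    int d = 0;
    while (cgs[cg].parent >= 0) {
        cg = cgs[cg].parent;
        d++;
    }
    return d;
}

/* Lowest common ancestor: lift the deeper node, then climb in lockstep. */
static int cg_common_ancestor(int a, int b)
{
    int da = cg_depth(a), db = cg_depth(b);
    while (da > db) { a = cgs[a].parent; da--; }
    while (db > da) { b = cgs[b].parent; db--; }
    while (a != b) { a = cgs[a].parent; b = cgs[b].parent; }
    return a;
}

static bool cg_can_write(int cg, unsigned uid)
{
    return uid < 32 && (cgs[cg].writers & (1u << uid)) != 0;
}

/* The rule from the comment: writing a pid into dst's cgroup.procs needs
 * write access to dst AND to the common ancestor of src and dst, so having
 * write access to two unrelated subtrees is not enough on its own. */
static bool cg_may_migrate(unsigned uid, int src, int dst)
{
    if (!cg_can_write(dst, uid))
        return false;
    return cg_can_write(cg_common_ancestor(src, dst), uid);
}

/* Constructed tree: the root is writable only by uid 0; /a, /a/x and /b
 * are delegated to uid 1 (standing in for an unprivileged user) as well. */
enum { UID_ROOT = 0, UID_USER = 1 };
static int cg_root, cg_a, cg_ax, cg_b;

static void build_example_tree(void)
{
    unsigned both = (1u << UID_ROOT) | (1u << UID_USER);
    ncg = 0;
    cg_root = cg_add("/",    -1,      1u << UID_ROOT);
    cg_a    = cg_add("/a",   cg_root, both);
    cg_ax   = cg_add("/a/x", cg_a,    both);
    cg_b    = cg_add("/b",   cg_root, both);
}

int main(void)
{
    build_example_tree();
    /* Inside the delegated subtree the common ancestor is /a, which uid 1
     * can write, so the move is allowed. */
    printf("/a -> /a/x by uid %d: %s\n", UID_USER,
           cg_may_migrate(UID_USER, cg_a, cg_ax) ? "allowed" : "denied");
    /* Across subtrees the common ancestor is the root, writable by uid 0
     * only: write access to both /a and /b does not let uid 1 use a
     * process in /b to escape the restrictions placed on /a. */
    printf("/a -> /b by uid %d: %s\n", UID_USER,
           cg_may_migrate(UID_USER, cg_a, cg_b) ? "allowed" : "denied");
    printf("/a -> /b by uid %d: %s\n", UID_ROOT,
           cg_may_migrate(UID_ROOT, cg_a, cg_b) ? "allowed" : "denied");
    return 0;
}
```

The model deliberately checks only the two things the comment names (the destination and the common ancestor); a real hierarchy also has the usual ownership and mode bits on each cgroup.procs file, which the bitmask stands in for here.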