Re: [PATCH v2] cgroup: allow management of subtrees by new cgroup namespaces

From: Aleksa Sarai
Date: Mon May 02 2016 - 05:32:46 EST


+ * 3. cgroup core doesn't allow tasks to be migrated by users that have
+ * write access to two subtrees unless they also have write access to
+ * the common ancestor of the two subtrees. Thus you cannot use a
+ * complicit process in less restrictive cgroup to overcome your own
+ * cgroup restriction.
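Review bot: Point 3 states the common-ancestor rule as if cgroup core enforced it on every hierarchy, but the reply below notes that the restriction is not actually applied on cgroupv1; either make the cgroup.procs common-ancestor check apply to all hierarchies before this comment lands, or qualify the sentence so it does not document a guarantee that only the unified hierarchy provides. Minor: "a complicit process in a less restrictive cgroup" needs the article.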

It appears this restriction isn't actually being applied on cgroupv1. I'll send an updated patch which makes sure the cgroup.procs common ancestor restriction is enforced for all hierarchies.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/