Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces

From: Tejun Heo
Date: Mon May 02 2016 - 12:06:14 EST

Next message: Dave Hansen: "Re: [PATCH v4 04/10] x86/xsaves: Introduce a new check that allows correct xstates copy from kernel to user directly"
Previous message: Ingo Molnar: "Re: sched: tweak select_idle_sibling to look for idle threads"
In reply to: Aleksa Sarai: "[PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces"
Next in thread: Aleksa Sarai: "Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

On Tue, May 03, 2016 at 12:01:21AM +1000, Aleksa Sarai wrote:
> Allow an unprivileged processes to control subtrees of their associated
> cgroup, a necessary feature if an unprivileged container (set up with an
> unprivileged user namespace) wishes to take advantage of cgroups for its
> own subprocesses.
>
> Change the mode of the cgroup directory for each cgroup association,
> allowing the process to create subtrees and modify the limits of the
> subtrees *without* allowing the process to modify its own limits. Due to
> the cgroup core restrictions and unix permission model, this allows for
> processes to create new subtrees without breaking the cgroup limits for
> the process.

I don't get why this is necessary. What's wrong with the parent
setting up permission correctly for the namespace?

Thanks.

--
tejun

Next message: Dave Hansen: "Re: [PATCH v4 04/10] x86/xsaves: Introduce a new check that allows correct xstates copy from kernel to user directly"
Previous message: Ingo Molnar: "Re: sched: tweak select_idle_sibling to look for idle threads"
In reply to: Aleksa Sarai: "[PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces"
Next in thread: Aleksa Sarai: "Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]