Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces

From: Tejun Heo
Date: Mon May 02 2016 - 12:06:14 EST


On Tue, May 03, 2016 at 12:01:21AM +1000, Aleksa Sarai wrote:
> Allow an unprivileged processes to control subtrees of their associated
> cgroup, a necessary feature if an unprivileged container (set up with an
> unprivileged user namespace) wishes to take advantage of cgroups for its
> own subprocesses.
> Change the mode of the cgroup directory for each cgroup association,
> allowing the process to create subtrees and modify the limits of the
> subtrees *without* allowing the process to modify its own limits. Due to
> the cgroup core restrictions and unix permission model, this allows for
> processes to create new subtrees without breaking the cgroup limits for
> the process.

I don't get why this is necessary. What's wrong with the parent
setting up permission correctly for the namespace?