Re: [RESEND RFC PATCH 1/1] Selectively allow CAP_SYS_NICE capability inside user namespaces

From: prakash.sangappa
Date: Wed Jan 08 2020 - 16:25:36 EST




On 11/21/2019 05:45 PM, Prakash Sangappa wrote:


On 11/21/19 1:27 PM, ebiederm@xxxxxxxxxxxx wrote:
Prakash Sangappa <prakash.sangappa@xxxxxxxxxx> writes:
<..>
2) If I read the other thread correctly there was talk about setting the
nice levels of processes in other containers. Ouch!

No not in other containers. Only on processes within the container which has this capability. The use case is to use it in a container with user namespace and pid namespace. So no processes from other containers should be visible. Necessary checks should be added?.



The only thing I can think that makes any sense at all is to allow
setting the nice levels of the processes in your own container.

Yes that is the intended use.


I can totally see having a test to see if a processes credentials are
in the caller's user namespace or a child of caller's user namespace
and allowing admin level access if the caller has the appropriate
caps in their user namespace.

Ok

But in this case I don't see anything preventing the admin in a
container from using the ordinary nice levels on a task. You are
unlocking the nice levels reserved for the system administrator
for special occassions. I don't see how that makes any sense
to do from inside a container.

But this is what seems to be lacking. A container could have some critical processes running which need to run at a higher priority.

Any comments about this? What would be the recommendation for dealing with such a requirement?