lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGr1F2Ht1q_nYGJwmQvEEyj8r3R1stgD=g3s8_5zYOTogjz-UQ@mail.gmail.com> Date: Thu, 17 Jul 2014 13:55:43 -0700 From: Aditya Kali <adityakali@...gle.com> To: Andy Lutomirski <luto@...capital.net> Cc: Tejun Heo <tj@...nel.org>, Li Zefan <lizefan@...wei.com>, cgroups@...r.kernel.org, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Linux API <linux-api@...r.kernel.org>, Ingo Molnar <mingo@...hat.com>, Linux Containers <containers@...ts.linux-foundation.org> Subject: Re: [PATCH 5/5] cgroup: introduce cgroup namespaces On Thu, Jul 17, 2014 at 12:57 PM, Andy Lutomirski <luto@...capital.net> wrote: > On Thu, Jul 17, 2014 at 12:52 PM, Aditya Kali <adityakali@...gle.com> wrote: >> Introduce the ability to create new cgroup namespace. The newly created >> cgroup namespace remembers the 'struct cgroup *root_cgrp' at the point >> of creation of the cgroup namespace. The task that creates the new >> cgroup namespace and all its future children will now be restricted only >> to the cgroup hierarchy under this root_cgrp. In the first version, >> setns() is not supported for cgroup namespaces. >> The main purpose of cgroup namespace is to virtualize the contents >> of /proc/self/cgroup file. Processes inside a cgroup namespace >> are only able to see paths relative to their namespace root. >> This allows container-tools (like libcontainer, lxc, lmctfy, etc.) >> to create completely virtualized containers without leaking system >> level cgroup hierarchy to the task. > > What happens if someone moves a task in a cgroup namespace outside of > the namespace root cgroup? > Attempt to move a task outside of cgroupns root will fail with EPERM. This is true irrespective of the privileges of the process attempting this. Once cgroupns is created, the task will be confined to the cgroup hierarchy under its cgroupns root until it dies. > --Andy -- Aditya -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists