| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Nov 2015 00:01:56 -0600
From: "Serge E. Hallyn" <serge.hallyn@...ntu.com>
To: Tejun Heo <tj@...nel.org>
Cc: serge@...lyn.com, linux-kernel@...r.kernel.org,
adityakali@...gle.com, linux-api@...r.kernel.org,
containers@...ts.linux-foundation.org, cgroups@...r.kernel.org,
lxc-devel@...ts.linuxcontainers.org, akpm@...ux-foundation.org,
ebiederm@...ssion.com
Subject: Re: [PATCH 7/8] cgroup: mount cgroupns-root when inside non-init
cgroupns
On Tue, Nov 24, 2015 at 12:16:10PM -0500, Tejun Heo wrote:
...
> > + if (ns != &init_cgroup_ns) {
> > + struct dentry *nsdentry;
> > + struct cgroup *cgrp;
> > +
> > + cgrp = cset_cgroup_from_root(ns->root_cgrps, root);
> > + nsdentry = kernfs_obtain_root(dentry->d_sb,
> > + cgrp->kn);
> > + dput(dentry);
> > + dentry = nsdentry;
> > + }
> > + }
>
> So, this would effectively allow namespace mounts to claim controllers
> which aren't configured otherwise which doesn't seem like a good idea.
> I think the right thing to do for namespace mounts is to always
> require an existing superblock.
that was my goal with https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/commit/?h=cgroupns.v4&id=8eb75d2bb24df59e262f050dce567d2332adc5f3
(which was sent inline earlier in this thread in response to Eric) Does
that look sufficient?
thanks,
-serge
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists