| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 May 2016 12:03:32 -0400 From: Tejun Heo <tj@...nel.org> To: Aleksa Sarai <asarai@...e.de> Cc: Li Zefan <lizefan@...wei.com>, Johannes Weiner <hannes@...xchg.org>, cgroups@...r.kernel.org, linux-kernel@...r.kernel.org, dev@...ncontainers.org, Aleksa Sarai <cyphar@...har.com> Subject: Re: [PATCH v3 1/2] cgroup: apply common ancestor cgroup.procs restriction in cgroupv1 On Tue, May 03, 2016 at 12:01:20AM +1000, Aleksa Sarai wrote: > The common ancestor restriction for moving tasks between cgroups (the > process moving the task must have the right to write to cgroup.procs in > both the destination and common ancestor cgroup) only applied for > cgroupv2 (cgroups in the default hierarchy). This meant that there was a > different policy for unprivileged users in the different cgroup > hierarchies. > > Update cgroup_procs_write_permission() to apply the cgroup.procs > restriction regardless of the cgroup root of the destination cgroup. > However, if the task doesn't have any association with the destination > hierarchy, there's no permission check to be done. In addition, if the > destination cgroup is a descendant of the task's current cgroup then > there are no further permission checks. This is important for > unprivileged processes creating subtrees. So, you can't apply a new restriction like this retro-actively to cgroup v1 hierarchies. Thanks. -- tejun
Powered by blists - more mailing lists