Date:   Tue, 4 Oct 2016 12:16:30 -0400
From:   Tejun Heo <tj@...nel.org>
To:     John Stultz <john.stultz@...aro.org>
Cc:     lkml <linux-kernel@...r.kernel.org>, Li Zefan <lizefan@...wei.com>,
        Jonathan Corbet <corbet@....net>, cgroups@...r.kernel.org,
        Android Kernel Team <kernel-team@...roid.com>,
        Rom Lemarchand <romlem@...roid.com>,
        Colin Cross <ccross@...roid.com>,
        Dmitry Shmidt <dimitrysh@...gle.com>,
        Todd Kjos <tkjos@...gle.com>,
        Christian Poetzsch <christian.potzsch@...tec.com>,
        Amit Pundir <amit.pundir@...aro.org>
Subject: Re: [RFC][PATCH 0/2] Another pass at Android style loosening of
 cgroup attach permissions

Hello, John.

On Mon, Oct 03, 2016 at 09:41:28PM -0700, John Stultz wrote:
> The migration of a task from the foreground to background, or to
> elevate a task to audio priority, may be done by a system service that
> does not run as root. So this patch allows processes with CAP_SYS_NICE
> to be able to migrate tasks between cgroups.  I suspect if there was a
> specific cap (CAP_SYS_CHANGE_CGROUP) for this, it would be usable here,
> but in its absence, they've overloaded CAP_SYS_NICE for this use.

CAP_SYS_RESOURCE won't do?

> At first glance, overloading CAP_SYS_NICE seems a bit hackish, but this
> shows that there is an active and widely deployed use for different cgroup
> attachment rules than what is currently available.

I'm curious who issues these migrations.  Is that restricted to
certain uids?  If so, would it work for android if cgroupfs supports
ACL so that those uids can be approved via setfacl?  That'd be a
lot more generic approach.

Thanks.

-- 
tejun
