lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 17 Jan 2020 08:53:11 -0800
From:   Tejun Heo <tj@...nel.org>
To:     Christian Brauner <christian.brauner@...ntu.com>
Cc:     linux-api@...r.kernel.org, linux-kernel@...r.kernel.org,
        Ingo Molnar <mingo@...hat.com>,
        Oleg Nesterov <oleg@...hat.com>,
        Johannes Weiner <hannes@...xchg.org>,
        Li Zefan <lizefan@...wei.com>,
        Peter Zijlstra <peterz@...radead.org>, cgroups@...r.kernel.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups

Hello, Christian.

Sorry about late reply.

On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> Could it be that you misread cgroup_attach_permissions()? Because it
> does check for write permissions on the destination cgroup.procs file.
> That's why I've added the cgroup_get_from_file() helper. :) See:
> 
> static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> 				     struct cgroup *dst_cgrp,
> 				     struct super_block *sb, bool thread)
> {
> 	int ret = 0;
> 
> 	ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> 	if (ret)
> 		return ret;

So, if you look at cgroup_procs_write_permission(), it's only checking
the write perm of the common ancestor, not the destination because it
assumes that the destination is already checked by the vfs layer, and
we need to check both.

Thanks.

-- 
tejun

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ