| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200117171228.evtvrny3v7zjcocd@wittgenstein>
Date: Fri, 17 Jan 2020 18:12:28 +0100
From: Christian Brauner <christian.brauner@...ntu.com>
To: Tejun Heo <tj@...nel.org>
Cc: linux-api@...r.kernel.org, linux-kernel@...r.kernel.org,
Ingo Molnar <mingo@...hat.com>,
Oleg Nesterov <oleg@...hat.com>,
Johannes Weiner <hannes@...xchg.org>,
Li Zefan <lizefan@...wei.com>,
Peter Zijlstra <peterz@...radead.org>, cgroups@...r.kernel.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups
On Fri, Jan 17, 2020 at 08:53:11AM -0800, Tejun Heo wrote:
> Hello, Christian.
>
> Sorry about late reply.
>
> On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> > Could it be that you misread cgroup_attach_permissions()? Because it
> > does check for write permissions on the destination cgroup.procs file.
> > That's why I've added the cgroup_get_from_file() helper. :) See:
> >
> > static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> > struct cgroup *dst_cgrp,
> > struct super_block *sb, bool thread)
> > {
> > int ret = 0;
> >
> > ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> > if (ret)
> > return ret;
>
> So, if you look at cgroup_procs_write_permission(), it's only checking
> the write perm of the common ancestor, not the destination because it
> assumes that the destination is already checked by the vfs layer, and
> we need to check both.
Ok, gimme 20 min.
Thanks!
Christian
Powered by blists - more mailing lists