Message-ID: <vrozw5w2l32ni43akbf3xceq6rqpkskdlwbp2ko32qxv546n6s@qtw4l3qt357v>
Date: Thu, 15 Aug 2024 14:12:06 +0200
From: Michal Koutný <mkoutny@...e.com>
To: Chen Ridong <chenridong@...wei.com>
Cc: tj@...nel.org, lizefan.x@...edance.com, hannes@...xchg.org,
longman@...hat.com, cgroups@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cgroup: update some statement about delegation
Hi,
thanks for writing up on the care needed when you only use namespacing
(and not de-privilegation) for delegation.
On Thu, Aug 15, 2024 at 02:41:18AM GMT, Chen Ridong <chenridong@...wei.com> wrote:
...
What about some more clarifications to prevent other confusions?
> --- a/Documentation/admin-guide/cgroup-v2.rst
> +++ b/Documentation/admin-guide/cgroup-v2.rst
> @@ -533,10 +533,12 @@ cgroup namespace on namespace creation.
> Because the resource control interface files in a given directory
> control the distribution of the parent's resources, the delegatee
> shouldn't be allowed to write to them. For the first method, this is
> -achieved by not granting access to these files. For the second, the
> -kernel rejects writes to all files other than "cgroup.procs" and
> -"cgroup.subtree_control" on a namespace root from inside the
> -namespace.
> +achieved by not granting access to these files. For the second, files
> +outside the namespace shouldn't be visible from within the delegated
should be hidden from the delegatee by the
means of at least mount namespacing, and the kernel...
> +namespace, and the kernel rejects writes to all files on a namespace
> +root from inside the namespace, except for those files listed in
inside the cgroup namespace
> +"/sys/kernel/cgroup/delegate" (including "cgroup.procs", "cgroup.threads",
> +"cgroup.subtree_control", etc.).
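Review bot: the added sentence "files outside the namespace shouldn't be visible from within the delegated namespace" reads as if the kernel hides them, but the only kernel behaviour this paragraph credits is rejecting writes on the namespace root; hiding the ancestors is the administrator's job (mount namespacing, or simply not granting access as the first method already says), so the text should name that mechanism and who enforces it instead of "shouldn't be visible". Also, once "/sys/kernel/cgroup/delegate" is cited as the authoritative list, the trailing "etc." in the parenthetical invites guessing; "e.g. "cgroup.procs", "cgroup.threads", "cgroup.subtree_control"" would be clearer.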
...
> - * except for the files explicitly marked delegatable -
> - * cgroup.procs and cgroup.subtree_control.
> + * except for the set delegatable files shown in /sys/kernel/cgroup/delegate,
> + * including cgroup.procs, cgroup.threads and cgroup.subtree_control, etc.
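Review bot: "the set delegatable files" is missing a word ("the set of delegatable files"), and "including ..., etc." duplicates the reference to /sys/kernel/cgroup/delegate in the same comment. The comment sits next to the marking that actually decides delegatability, so the sysfs path is a consequence rather than the definition; keeping "explicitly marked delegatable" and prefixing the example names with "e.g." would stay accurate if the set of marked files changes.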
"Marked delegatable" (meaning CFTYPE_NS_DELEGATABLE) is an appropriate
comment in the code; a reference to the sysfs file is only consequential
to this marking. A minimal change would be like:
- * cgroup.procs and cgroup.subtree_control.
+ * e.g. cgroup.procs and cgroup.subtree_control.
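As an added example that is not part of the patch or of the kernel tree: a small POSIX shell audit applying the rule discussed above, which reads the kernel's delegatable list and reports any regular file in a delegated cgroup directory that the delegatee could write but that is not in that list (the parent's resource-control knobs). The function names, the constructed fixture and the reliance on GNU stat(1) are assumptions of this example.

```shell
# audit_delegation DELEGATE_LIST CGROUP_DIR DELEGATEE_UID
# Report every regular file in a delegated cgroup directory that the
# delegatee could write (owned by that uid, or world-writable) but that is
# not named in the kernel's delegatable list (/sys/kernel/cgroup/delegate).
# Such files are the parent's resource-control knobs; the delegatee must not
# reach them. Hypothetical helper; assumes GNU coreutils stat(1).
# Returns 0 when nothing offending is found, 1 otherwise.
audit_delegation() {
    list=$1
    dir=$2
    uid=$3
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # cgroup.procs, cgroup.threads, cgroup.subtree_control, ... are
        # meant to be writable by the delegatee: skip them.
        grep -qxF -- "$name" "$list" && continue
        owner=$(stat -c %u -- "$f")
        mode=$(stat -c %a -- "$f")
        other=$((mode % 10))      # last octal digit: permission bits for "other"
        if [ "$owner" -eq "$uid" ] || [ $((other & 2)) -ne 0 ]; then
            printf 'non-delegatable file writable by uid %s: %s\n' "$uid" "$f"
            bad=1
        fi
    done
    return $bad
}

# Constructed fixture so the audit runs without a real cgroup mount: a fake
# delegate list and a fake delegated cgroup directory with one mistake
# (memory.max, a parent knob, left world-writable). Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    printf 'cgroup.procs\ncgroup.threads\ncgroup.subtree_control\n' > "$root/delegate"
    mkdir "$root/cg"
    for n in cgroup.procs cgroup.threads cgroup.subtree_control cpu.max memory.max; do
        : > "$root/cg/$n"
    done
    chmod 644 "$root/cg"/*
    chmod 666 "$root/cg/memory.max"
    echo "$root"
}

# Real use: audit_delegation /sys/kernel/cgroup/delegate "$DELEGATED_CGROUP_DIR" "$DELEGATEE_UID"
```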