Message-ID: <5262cc0e-8e89-4ba0-8777-2ba49ec7c1f8@huawei.com>
Date: Thu, 15 Aug 2024 20:28:51 +0800
From: chenridong <chenridong@...wei.com>
To: Michal Koutný <mkoutny@...e.com>
CC: <tj@...nel.org>, <lizefan.x@...edance.com>, <hannes@...xchg.org>,
<longman@...hat.com>, <cgroups@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] cgroup: update some statement about delegation
On 2024/8/15 20:12, Michal Koutný wrote:
> Hi,
> thanks for writing up on the care needed when you only use namespacing
> (and not de-privileging) for delegation.
>
> On Thu, Aug 15, 2024 at 02:41:18AM GMT, Chen Ridong <chenridong@...wei.com> wrote:
> ...
>
> What about some more clarifications to prevent other confusions?
>
>> --- a/Documentation/admin-guide/cgroup-v2.rst
>> +++ b/Documentation/admin-guide/cgroup-v2.rst
>> @@ -533,10 +533,12 @@ cgroup namespace on namespace creation.
>> Because the resource control interface files in a given directory
>> control the distribution of the parent's resources, the delegatee
>> shouldn't be allowed to write to them. For the first method, this is
>> -achieved by not granting access to these files. For the second, the
>> -kernel rejects writes to all files other than "cgroup.procs" and
>> -"cgroup.subtree_control" on a namespace root from inside the
>> -namespace.
>> +achieved by not granting access to these files. For the second, files
>> +outside the namespace shouldn't be visible from within the delegated
> should be hidden from the delegatee by the
> means of at least mount namespacing, and the kernel...
>
>> +namespace, and the kernel rejects writes to all files on a namespace
>> +root from inside the namespace, except for those files listed in
> inside the cgroup namespace
>
>> +"/sys/kernel/cgroup/delegate" (including "cgroup.procs", "cgroup.threads",
>> +"cgroup.subtree_control", etc.).
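Review bot: the new sentence "files outside the namespace shouldn't be visible from within the delegated namespace" reads like a description of kernel behaviour, yet nothing in the hunk says who hides those files; the cgroup namespace by itself does not, so the text should state that the delegator has to hide them (at least with a mount namespace), and only then describe what the kernel rejects on its own. In the last two lines, "from inside the namespace" should say "inside the cgroup namespace" so it is not read as the mount namespace just introduced, and the parenthetical "(including "cgroup.procs", "cgroup.threads", "cgroup.subtree_control", etc.)" duplicates the list that "/sys/kernel/cgroup/delegate" already provides; a shorter "e.g. "cgroup.procs" and "cgroup.subtree_control"" is enough.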
>
> ...
>> - * except for the files explicitly marked delegatable -
>> - * cgroup.procs and cgroup.subtree_control.
>> + * except for the set delegatable files shown in /sys/kernel/cgroup/delegate,
>> + * including cgroup.procs, cgroup.threads and cgroup.subtree_control, etc.
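Review bot: "the set delegatable files" is missing a word ("the set of delegatable files"), and "including ..., etc." is redundant. More importantly, the rewrite drops "explicitly marked delegatable", which is the property the code comment is describing (the CFTYPE_NS_DELEGATABLE marking); the sysfs listing is only a consequence of that marking, so the comment should keep the original wording and only widen the example list, e.g. " * e.g. cgroup.procs and cgroup.subtree_control."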
>
> "Marked delegatable" (meaning CFTYPE_NS_DELEGATABLE) is an appropriate
> comment in the code; a reference to the sysfs file is only consequential
> to this marking. A minimal change would be like:
>
> - * cgroup.procs and cgroup.subtree_control.
> + * e.g. cgroup.procs and cgroup.subtree_control.
Thank you, Michal, I will send a new patch.
Thanks,
Ridong