Hello, On Fri, Aug 26, 2022 at 06:52:34PM +0200, Michal Koutný wrote: > Cgroup id is becoming a new way for userspace how to refer to cgroups it > wants to act upon. As opposed to cgroupfs (paths, opened FDs), the > current approach does not reflect limited view by (non-init) cgroup > namespaces. Looking at the code, I'm not quite sure we're actually plugging all holes in terms of lookup. I think cgroup_get_from_path() would allow walking up past the ns boundary. We aren't using kernfs ns support and I don't see anything preventing ..'ing past the boundary. > This patches don't aim to limit what a user can do (consider an uid=0 in > mere cgroup namespace) but to provide consistent view within a > namespace. Considering userns and the fact that we try to isolate two separate sub hierarchies delegated to the same UID, I think we'd have to tighten down on the behaviors so that visiblity scope matches the permission scope. Thanks. -- tejun
