Tejun Heo <tj@xxxxxxxxxx> writes:

> Hello, guys.
>
> Why doesn't it follow the usual security enforced by cgroupfs
> permissions? Why is the explicit check necessary?

An almost more interesting question is why is cgroup one of the last
pieces of code not using capabilities and instead lets you attach to
any process simply if your uid == 0.

I don't know the history but the device cgroup testing for
CAP_SYS_ADMIN makes a naive sort of sense to me.

Eric