From: Vivek Goyal <vgoyal@xxxxxxxxxx> Date: Wed, 23 Apr 2014 12:45:37 -0400 > On Tue, Apr 15, 2014 at 08:47:54PM -0700, Andy Lutomirski wrote: > > [..] >> Here's an attack against SO_PASSCGROUP, as you implemented it: connect >> a socket and get someone else to write(2) to it. This isn't very >> hard. Now you've impersonated. > > If this is a problem then I think kernel requires fixing. Because kernel > will apply all resource management policies based on the cgroup at write(2) > time and not based on open() time. Anyways, this is not even worth discussing. We already agreed that the cgroup passed at write time with SO_PASSGROUP enabled should be the socket creation time cgroup. Just like SO_PASSCRED does. The identity given is thus the one at open() time. -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
