On Thu, Jun 18, 2015 at 01:59:27PM -0400, Tejun Heo wrote:
> On traditional hierarchies, if a task has write access to "tasks" or
> "cgroup.procs" file of a cgroup and its euid agrees with the target,
> it can move the target to the cgroup; however, consider the following
> scenario. The owner of each cgroup is in the parentheses.
>
>  R (root) - 0 (root) - 00 (user1) - 000 (user1)
>           |                      \ 001 (user1)
>           \ 1 (root) - 10 (user1)
>
> The subtrees of 00 and 10 are delegated to user1; however, while both
> subtrees may belong to the same user, it is clear that the two
> subtrees are to be isolated - they're under completely separate
> resource limits imposed by 0 and 1, respectively. Note that 0 and 1
> aren't strictly necessary but added to ease illustrating the issue.
>
> If user1 is allowed to move processes between the two subtrees, the
> intention of the hierarchy - keeping a given group of processes under
> a subtree with certain resource restrictions while delegating
> management of the subtree - can be circumvented by user1.
>
> This happens because migration permission check doesn't consider the
> hierarchical nature of cgroups. To fix the issue, this patch adds an
> extra permission requirement when userland tries to migrate a process
> in the default hierarchy - the issuing task must have write access to
> the common ancestor of "cgroup.procs" file of the ancestor in addition
> to the destination's.
>
> Conceptually, the issuer must be able to move the target process from
> the source cgroup to the common ancestor of source and destination
> cgroups and then to the destination. As long as delegation is done in
> a proper top-down way, this guarantees that a delegatee can't smuggle
> processes across disjoint delegation domains.
>
> The next patch will add documentation on the delegation model on the
> default hierarchy.
>
> v2: Fixed missing !ret test. Spotted by Li Zefan.
>
> Signed-off-by: Tejun Heo <tj@xxxxxxxxxx>
> Cc: Li Zefan <lizefan@xxxxxxxxxx>

Acked-by: Johannes Weiner <hannes@xxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe cgroups" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
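The permission rule described in the quoted patch description, worked through on the exact hierarchy it draws, as an added illustration that is not part of the thread and not the kernel's own code. It models ownership of a cgroup's "cgroup.procs" file as "root or the owner uid may write it" (the uid 1000 for user1 is a constructed value), assumes the euid-matches-target check has already passed, and contrasts the old check (write access to the destination only) with the patched one (destination plus the common ancestor of source and destination), so a move from 000 to 10 by user1 is refused because their common ancestor R is owned by root, while a move from 000 to 001 stays allowed.

```c
#include <stdio.h>

/* Constructed model of the hierarchy from the patch description:
 *   R (root) - 0 (root) - 00 (user1) - 000 (user1)
 *            |                      \ 001 (user1)
 *            \ 1 (root) - 10 (user1)
 * The owner uid stands in for write access to the cgroup's "cgroup.procs".
 */
#define ROOT_UID  0u
#define USER1_UID 1000u   /* constructed uid for user1 */

enum { R, N0, N00, N000, N001, N1, N10, NCGROUPS };

struct cgroup {
    const char *name;
    int parent;       /* index into cgroups[], -1 for the root */
    unsigned owner;   /* uid that owns cgroup.procs */
};

static const struct cgroup cgroups[NCGROUPS] = {
    [R]    = { "R",   -1,   ROOT_UID  },
    [N0]   = { "0",   R,    ROOT_UID  },
    [N00]  = { "00",  N0,   USER1_UID },
    [N000] = { "000", N00,  USER1_UID },
    [N001] = { "001", N00,  USER1_UID },
    [N1]   = { "1",   R,    ROOT_UID  },
    [N10]  = { "10",  N1,   USER1_UID },
};

static int depth(int cg)
{
    int d = 0;
    for (; cg != -1; cg = cgroups[cg].parent)
        d++;
    return d;
}

/* Lowest common ancestor: level both nodes, then walk up together. */
int common_ancestor(int a, int b)
{
    int da = depth(a), db = depth(b);
    for (; da > db; da--) a = cgroups[a].parent;
    for (; db > da; db--) b = cgroups[b].parent;
    while (a != b) {
        a = cgroups[a].parent;
        b = cgroups[b].parent;
    }
    return a;
}

/* Write access to cgroup.procs: root or the owning uid. */
static int can_write_procs(unsigned uid, int cg)
{
    return uid == ROOT_UID || cgroups[cg].owner == uid;
}

/* Pre-patch rule: only the destination's cgroup.procs is checked. */
int migrate_allowed_old(unsigned uid, int src, int dst)
{
    (void)src;
    return can_write_procs(uid, dst);
}

/* Patched rule: destination AND the common ancestor of src and dst. */
int migrate_allowed_new(unsigned uid, int src, int dst)
{
    return can_write_procs(uid, dst) &&
           can_write_procs(uid, common_ancestor(src, dst));
}

static void report(const char *who, unsigned uid, int src, int dst)
{
    printf("%s moves %s -> %s (common ancestor %s): old=%s new=%s\n",
           who, cgroups[src].name, cgroups[dst].name,
           cgroups[common_ancestor(src, dst)].name,
           migrate_allowed_old(uid, src, dst) ? "allow" : "deny",
           migrate_allowed_new(uid, src, dst) ? "allow" : "deny");
}

int main(void)
{
    report("user1", USER1_UID, N000, N10);   /* crosses delegation domains */
    report("user1", USER1_UID, N000, N001);  /* stays inside subtree 00 */
    report("root",  ROOT_UID,  N000, N10);   /* root owns R, still allowed */
    return 0;
}
```

The old rule lets user1 carry a process from the 000 subtree (limited by 0) into 10 (limited by 1) because user1 owns the destination; the patched rule also demands write access to R, the common ancestor, which only root has, so the cross-domain move is denied while moves within a delegated subtree are unaffected.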