On Tue, May 03, 2016 at 12:01:20AM +1000, Aleksa Sarai wrote:
> The common ancestor restriction for moving tasks between cgroups (the
> process moving the task must have the right to write to cgroup.procs in
> both the destination and common ancestor cgroup) only applied for
> cgroupv2 (cgroups in the default hierarchy). This meant that there was a
> different policy for unprivileged users in the different cgroup
> hierarchies.
>
> Update cgroup_procs_write_permission() to apply the cgroup.procs
> restriction regardless of the cgroup root of the destination cgroup.
> However, if the task doesn't have any association with the destination
> hierarchy, there's no permission check to be done. In addition, if the
> destination cgroup is a descendant of the task's current cgroup then
> there are no further permission checks. This is important for
> unprivileged processes creating subtrees.

So, you can't apply a new restriction like this retro-actively to cgroup
v1 hierarchies.

Thanks.

--
tejun
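The policy that the quoted commit message describes (write access to cgroup.procs in the destination and in the common ancestor of source and destination, with the two exceptions it names) can be modelled in user space to see which moves an unprivileged writer would be allowed. The following is an added example and not kernel code or part of the patch under discussion; the cgroup paths, the per-cgroup writer ACLs and the function names (`may_move_task`, `common_ancestor`, `is_descendant`) are constructed for illustration.

```python
from typing import Dict, FrozenSet, Tuple

# Constructed model of one hierarchy: cgroup path -> uids allowed to write
# its cgroup.procs file. Only the root of the hierarchy is closed to uid 1000.
PROCS_WRITERS: Dict[str, FrozenSet[int]] = {
    "/memory":     frozenset({0}),
    "/memory/a":   frozenset({0, 1000}),
    "/memory/a/x": frozenset({0, 1000}),
    "/memory/b":   frozenset({0, 1000}),
    "/cpu/foo":    frozenset({0, 1000}),
}

# Constructed task state: hierarchy root -> cgroup the task currently sits in.
TASK_A = {"/memory": "/memory/a"}   # attached to the memory hierarchy only


def common_ancestor(a: str, b: str) -> str:
    """Longest common path prefix of two cgroup paths, component-wise."""
    pa, pb = a.rstrip("/").split("/"), b.rstrip("/").split("/")
    common = []
    for x, y in zip(pa, pb):
        if x != y:
            break
        common.append(x)
    return "/".join(common) or "/"


def is_descendant(child: str, parent: str) -> bool:
    """True when child is parent itself or lies below it in the tree."""
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def hierarchy_root(path: str) -> str:
    # In this toy model the first path component names the hierarchy.
    return "/" + path.strip("/").split("/")[0]


def may_move_task(uid: int, task_cgroups: Dict[str, str],
                  dst: str) -> Tuple[bool, str]:
    """Apply the commit message's rule for moving a task into cgroup dst.

    Returns (allowed, reason). Mirrors the described policy only; the real
    kernel check lives in cgroup_procs_write_permission().
    """
    src = task_cgroups.get(hierarchy_root(dst))
    if src is None:
        # No association with the destination hierarchy: nothing to check.
        return True, "task not attached to destination hierarchy"
    if uid not in PROCS_WRITERS.get(dst, frozenset()):
        return False, "no write permission on destination cgroup.procs"
    if is_descendant(dst, src):
        # Moving down into the task's own subtree needs no further check;
        # this is what lets unprivileged users build subtrees.
        return True, "destination is a descendant of the task's cgroup"
    anc = common_ancestor(src, dst)
    if uid not in PROCS_WRITERS.get(anc, frozenset()):
        return False, f"no write permission on common ancestor {anc}"
    return True, "destination and common ancestor both writable"


if __name__ == "__main__":
    for dst in ("/memory/a/x", "/memory/b", "/cpu/foo"):
        print(dst, may_move_task(1000, TASK_A, dst))
```

Moving the task into a child of its own cgroup succeeds for uid 1000, while moving it sideways to `/memory/b` fails because the common ancestor `/memory` is not writable by that uid; a hierarchy the task is not attached to is skipped entirely, exactly the three branches the commit message spells out.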