Hello,

On Tue, May 03, 2016 at 12:01:21AM +1000, Aleksa Sarai wrote:
> Allow unprivileged processes to control subtrees of their associated
> cgroup, a necessary feature if an unprivileged container (set up with an
> unprivileged user namespace) wishes to take advantage of cgroups for its
> own subprocesses.
>
> Change the mode of the cgroup directory for each cgroup association,
> allowing the process to create subtrees and modify the limits of the
> subtrees *without* allowing the process to modify its own limits. Due to
> the cgroup core restrictions and unix permission model, this allows for
> processes to create new subtrees without breaking the cgroup limits for
> the process.

I don't get why this is necessary. What's wrong with the parent
setting up permission correctly for the namespace?

Thanks.

--
tejun