Re: [PATCH 3/3] cgroupns: Only allow creation of hierarchies in the initial cgroup namespace

Hello, Eric.

On Fri, Jul 15, 2016 at 12:17:18AM -0500, Eric W. Biederman wrote:
> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
> index c99b0bcd2647..01f34edceb6b 100644
> --- a/kernel/cgroup.c
> +++ b/kernel/cgroup.c
> @@ -2209,12 +2209,8 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
>  		goto out_unlock;
>  	}
>  
> -	/*
> -	 * We know this subsystem has not yet been bound.  Users in a non-init
> -	 * user namespace may only mount hierarchies with no bound subsystems,
> -	 * i.e. 'none,name=user1'
> -	 */
> -	if (!opts.none && !capable(CAP_SYS_ADMIN)) {
> +	/* Hierarchies may only be created in the initial cgroup namespace. */
> +	if (ns != &init_cgroup_ns) {
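Review bot: the new condition at the end of this hunk drops the capability requirement along with the opts.none check. The removed test refused a mount with bound subsystems to anyone lacking CAP_SYS_ADMIN (`if (!opts.none && !capable(CAP_SYS_ADMIN))`); the replacement `if (ns != &init_cgroup_ns)` only asks which cgroup namespace the mounter is in, so an unprivileged task in the initial cgroup namespace is no longer rejected here. Unless a privilege check earlier in cgroup_mount, outside the quoted lines, already covers this path, keep the capability test alongside the namespace test, for example `if (ns != &init_cgroup_ns || (!opts.none && !capable(CAP_SYS_ADMIN)))`, and update the comment to say both restrictions apply.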

Doesn't this allow any user in the init ns to create any hierarchies?

Thanks.

-- 
tejun