Tejun Heo <tj@xxxxxxxxxx> writes:

> Hello, Eric.
>
> On Fri, Jul 15, 2016 at 12:17:18AM -0500, Eric W. Biederman wrote:
>> diff --git a/kernel/cgroup.c b/kernel/cgroup.c
>> index c99b0bcd2647..01f34edceb6b 100644
>> --- a/kernel/cgroup.c
>> +++ b/kernel/cgroup.c
>> @@ -2209,12 +2209,8 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
>> goto out_unlock;
>> }
>>
>> - /*
>> - * We know this subsystem has not yet been bound. Users in a non-init
>> - * user namespace may only mount hierarchies with no bound subsystems,
>> - * i.e. 'none,name=user1'
>> - */
>> - if (!opts.none && !capable(CAP_SYS_ADMIN)) {
>> + /* Hierarchies may only be created in the initial cgroup namespace. */
>> + if (ns != &init_cgroup_ns) {
>
> Doesn't this allow any user in the init ns to create any hierarchies?

To perform the mount you must be ns_capable(ns->user_ns, CAP_SYS_ADMIN), we
check that at the top of cgroup_mount. For init_cgroup_ns->user_ns ==
&init_user_ns. Which means that when ns == &init_cgroup_ns we know that
capable(CAP_SYS_ADMIN) is true.

Or in short only root in the initial cgroup namespace is allowed to create
hierarchies after this.

Eric
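Review bot: the replacement condition `if (ns != &init_cgroup_ns)` drops the explicit `capable(CAP_SYS_ADMIN)` test, and the reason that is still safe (the `ns_capable(ns->user_ns, CAP_SYS_ADMIN)` check earlier in cgroup_mount, together with init_cgroup_ns->user_ns being &init_user_ns) is not visible in this hunk and not mentioned in the new one-line comment. Suggest spelling that dependency out next to the check, e.g. `/* cgroup_mount() already required ns_capable(ns->user_ns, CAP_SYS_ADMIN); for init_cgroup_ns that is capable(CAP_SYS_ADMIN). */`, so the authorization invariant is not silently lost if the earlier check is ever moved or relaxed. Separately, the removed comment documented that non-init user namespaces could mount subsystem-less `none,name=...` hierarchies; the new condition rejects those too, which is a userspace-visible behaviour change and should be called out explicitly in the commit message.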