On Fri, Jul 15, 2016 at 06:36:44AM -0500, Eric W. Biederman wrote:
>
> Unprivileged users can't use hierarchies if they create them as they do not
> have privilieges to the root directory.
>
> Which means the only thing a hiearchy created by an unprivileged user
> is good for is expanding the number of cgroup links in every css_set,
> which is a DOS attack.
>
> We could allow hierarchies to be created in namespaces in the initial
> user namespace. Unfortunately there is only a single namespace for
> the names of heirarchies, so that is likely to create more confusion
> than not.
>
> So do the simple thing and restrict hiearchy creation to the initial
> cgroup namespace.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Applied to cgroup/for-4.7-fixes.
Thanks.
--
tejun
--
To unsubscribe from this list: send the line "unsubscribe cgroups" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
