On Fri, Jul 15, 2016 at 06:36:44AM -0500, Eric W. Biederman wrote: > > Unprivileged users can't use hierarchies if they create them as they do not > have privilieges to the root directory. > > Which means the only thing a hiearchy created by an unprivileged user > is good for is expanding the number of cgroup links in every css_set, > which is a DOS attack. > > We could allow hierarchies to be created in namespaces in the initial > user namespace. Unfortunately there is only a single namespace for > the names of heirarchies, so that is likely to create more confusion > than not. > > So do the simple thing and restrict hiearchy creation to the initial > cgroup namespace. > > Cc: stable@xxxxxxxxxxxxxxx > Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") > Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Applied to cgroup/for-4.7-fixes. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html