Quoting Tejun Heo (tj@xxxxxxxxxx):
> On Fri, Jul 15, 2016 at 06:36:44AM -0500, Eric W. Biederman wrote:
> >
> > Unprivileged users can't use hierarchies if they create them as they do not
> > have privileges to the root directory.
> >
> > Which means the only thing a hierarchy created by an unprivileged user
> > is good for is expanding the number of cgroup links in every css_set,
> > which is a DOS attack.
> >
> > We could allow hierarchies to be created in namespaces in the initial
> > user namespace. Unfortunately there is only a single namespace for
> > the names of hierarchies, so that is likely to create more confusion
> > than not.
> >
> > So do the simple thing and restrict hierarchy creation to the initial
> > cgroup namespace.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces")
> > Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
>
> Applied to cgroup/for-4.7-fixes.

Thanks, guys.