Hello, John.

On Tue, Oct 04, 2016 at 11:01:12AM -0700, John Stultz wrote:
> So to make sure I understand your suggestion, you're suggesting the
> cgroupfs files like:
>   cpuctrl/tasks,
>   cpuctrl/bg_non_interactive/tasks,
>   cpuset/foreground/tasks,
>   cpuset/background/tasks,
>   etc
> use ACL permissions to specify the specific uids that can write to
> them? I guess this would be conceptually similar to just setting the
> owner to the system task, no? Though I'm not sure that would be

Yeah, finer grained but essentially just giving write perms.

> sufficient since it would still fail the
> cgroup_procs_write_permission() checks. Or are you suggesting we add
> extra logic to make the file owner uid as sufficient to change other
> tasks?

Hah, now I'm not sure how this is supposed to work inside a userns as
it's checking against GLOBAL_ROOT_UID. cc'ing Serge. Serge, can you
please have a look?

But back on subject, yeah, I think a capability based approach is
better here too. No idea how difficult it is to add a new CAP but I
think it's worth trying. Can you please spin up a patch?

Thanks!

--
tejun