Quoting Tejun Heo (tj@xxxxxxxxxx): > Hello, Serge. > > On Tue, Oct 04, 2016 at 03:18:40PM -0500, Serge E. Hallyn wrote: > > how about changing the GLOBAL_ROOT_UID check with a targeted > > capability check, like > > > > if (!ns_capable(tcred->user_ns, CAP_SYS_NICE) && > > !uid_eq(cred->euid, tcred->uid) && > > !uid_eq(cred->euid, tcred->suid)) > > ret = -EACCES; > > > > where the actual capability to use may require some thought. > > Yeah, that's the direction I'm thinking too. We can't use > CAP_SYS_NICE in general tho. Let's see if a dedicated CAP sticks. One possibility would be to let each cgroup subsystem define a move_caps capability mask which is required over the target task. And add a new CAP_CGROUP which always suffices? -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
