With recent fixes for the permission checking when moving a task into a cgroup using a file descriptor to a cgroup's cgroup.procs file and calling write() it seems a good idea to clarify CLONE_INTO_CGROUP permission checking with a comment. Cc: Tejun Heo <tj@xxxxxxxxxx> Cc: <cgroups@xxxxxxxxxxxxxxx> Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx> --- kernel/cgroup/cgroup.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c index 9d05c3ca2d5e..0f8bd120be17 100644 --- a/kernel/cgroup/cgroup.c +++ b/kernel/cgroup/cgroup.c @@ -6166,6 +6166,18 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs) if (ret) goto err; + /* + * Note, spawning a task directly into a cgroup works by passing a file + * descriptor to the target cgroup directory. This can even be an + * O_PATH file descriptor. But it can never be a cgroup.procs file + * descriptor. This was done on purpose so spawning into a cgroup could + * be conceptualized as an atomic + * fd = openat(dfd_cgroup, "cgroup.procs", ...); + * write(fd, <child-pid>, ...); + * sequence, i.e. it's a shorthand for the caller opening and writing + * cgroup.procs of the cgroup indicated by @dfd_cgroup. This allows + * us to always use the caller's credentials. + */ ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb, !(kargs->flags & CLONE_THREAD), current->nsproxy->cgroup_ns); base-commit: cfb92440ee71adcc2105b0890bb01ac3cddb8507 -- 2.32.0
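Review bot: the comment states that a cgroup.procs file descriptor "can never be" passed as the CLONE_INTO_CGROUP target, but nothing in this hunk enforces or points to that restriction; it would help readers of cgroup_css_set_fork() to name where the fd is resolved to a cgroup directory and a non-directory fd is rejected, so the "atomic openat() + write()" model the comment describes can be verified against the code rather than taken on trust. The security-relevant consequence is stated in the last sentence ("This allows us to always use the caller's credentials"), and the call that follows the comment already passes current->nsproxy->cgroup_ns; consider tying the two together explicitly, e.g. "...so cgroup_attach_permissions() below is evaluated against current's credentials and cgroup namespace, exactly as a write() to cgroup.procs would be." Minor style point: the two pseudo-call lines (fd = openat(...); write(fd, <child-pid>, ...);) would read better indented one extra tab inside the comment so they stand apart from the surrounding prose.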