Hi, thanks for writing up on the care needed when you only use namespacing
(and not de-privilegation) for delegation.

On Thu, Aug 15, 2024 at 02:41:18AM GMT, Chen Ridong <chenridong@xxxxxxxxxx> wrote:
...

What about some more clarifications to prevent other confusions?

> --- a/Documentation/admin-guide/cgroup-v2.rst
> +++ b/Documentation/admin-guide/cgroup-v2.rst
> @@ -533,10 +533,12 @@ cgroup namespace on namespace creation.
> Because the resource control interface files in a given directory
> control the distribution of the parent's resources, the delegatee
> shouldn't be allowed to write to them. For the first method, this is
> -achieved by not granting access to these files. For the second, the
> -kernel rejects writes to all files other than "cgroup.procs" and
> -"cgroup.subtree_control" on a namespace root from inside the
> -namespace.
> +achieved by not granting access to these files. For the second, files
> +outside the namespace shouldn't be visible from within the delegated

should be hidden from the delegatee by the means of at least mount
namespacing, and the kernel...

> +namespace, and the kernel rejects writes to all files on a namespace
> +root from inside the namespace, except for those files listed in

inside the cgroup namespace

> +"/sys/kernel/cgroup/delegate" (including "cgroup.procs", "cgroup.threads",
> +"cgroup.subtree_control", etc.).

...

> - * except for the files explicitly marked delegatable -
> - * cgroup.procs and cgroup.subtree_control.
> + * except for the set delegatable files shown in /sys/kernel/cgroup/delegate,
> + * including cgroup.procs, cgroup.threads and cgroup.subtree_control, etc.

"Marked delegatable" (meaning CFTYPE_NS_DELEGATABLE) is an appropriate
comment in the code; a reference to the sysfs file is only consequential
to this marking. A minimal change would be like:

- * cgroup.procs and cgroup.subtree_control.
+ * e.g. cgroup.procs and cgroup.subtree_control.
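Review bot: In the cgroup-v2.rst hunk, the added sentence "+outside the namespace shouldn't be visible from within the delegated namespace" states a requirement without saying who satisfies it; the only enforcement the paragraph describes is the kernel rejecting writes on the namespace root, and cgroupfs itself does not hide anything, so phrase it as something the delegator must arrange (e.g. "must be hidden from the delegatee, for example by a mount namespace") rather than "shouldn't be visible". Two smaller points in the same hunk: "+root from inside the namespace" now follows a sentence that talks about both mount-level visibility and the cgroup namespace, so write "from inside the cgroup namespace"; and the parenthetical '(including "cgroup.procs", "cgroup.threads", "cgroup.subtree_control", etc.)' duplicates a list that "/sys/kernel/cgroup/delegate" already gives authoritatively and will go stale as files gain or lose the delegatable marking, so either drop it or introduce it with "e.g.".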
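Review bot: In the code-comment hunk, "+ * except for the set delegatable files shown in /sys/kernel/cgroup/delegate," is missing a word ("the set of delegatable files"), and "including ..., etc." is doubly non-exhaustive. More importantly, the comment annotates the check on the CFTYPE_NS_DELEGATABLE marking, and the sysfs file is derived from that same marking, so the comment should keep saying the files are "explicitly marked delegatable" and at most mention the sysfs file as where that set can be read, e.g. " * except for the files explicitly marked delegatable" / " * (listed in /sys/kernel/cgroup/delegate), e.g. cgroup.procs," / " * cgroup.threads and cgroup.subtree_control."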