On Wed, Dec 18, 2019 at 06:35:14PM +0100, Christian Brauner wrote:
> The core codepaths to check whether a process can be attached to a
> cgroup are the same for threads and thread-group leaders. Only a small
> piece of code verifying that source and destination cgroup are in the
> same domain differentiates the thread permission checking from
> thread-group leader permission checking.
> Since cgroup_migrate_vet_dst() only matters cgroup2 - it is a noop on
> cgroup1 - we can move it out of cgroup_attach_task().
> All checks can now be consolidated into a new helper
> cgroup_attach_permissions() callable from both cgroup_procs_write() and
> cgroup_threads_write().
>
> Cc: Tejun Heo <tj@xxxxxxxxxx>
> Cc: Li Zefan <lizefan@xxxxxxxxxx>
> Cc: Johannes Weiner <hannes@xxxxxxxxxxx>
> Cc: cgroups@xxxxxxxxxxxxxxx
> Signed-off-by: Christian Brauner <christian.brauner@xxxxxxxxxx>
> ---
> kernel/cgroup/cgroup.c | 46 +++++++++++++++++++++++++++++-------------
> 1 file changed, 32 insertions(+), 14 deletions(-)
>
> diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
> index 735af8f15f95..5ee06c1f7456 100644
> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -2719,11 +2719,7 @@ int cgroup_attach_task(struct cgroup *dst_cgrp, struct task_struct *leader,
> {
> DEFINE_CGROUP_MGCTX(mgctx);
> struct task_struct *task;
> - int ret;
> -
> - ret = cgroup_migrate_vet_dst(dst_cgrp);
> - if (ret)
> - return ret;
> + int ret = 0;
>
> /* look up all src csets */
> spin_lock_irq(&css_set_lock);
> @@ -4690,6 +4686,33 @@ static int cgroup_procs_write_permission(struct cgroup *src_cgrp,
> return 0;
> }
>
> +static inline bool cgroup_same_domain(const struct cgroup *src_cgrp,
> + const struct cgroup *dst_cgrp)
> +{
> + return src_cgrp->dom_cgrp == dst_cgrp->dom_cgrp;
> +}
> +
> +static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> + struct cgroup *dst_cgrp,
> + struct super_block *sb, bool thread)
> +{
> + int ret;
> +
> + ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> + if (ret)
> + return ret;
> +
> + ret = cgroup_migrate_vet_dst(dst_cgrp);
> + if (ret)
> + return ret;
> +
> + if (thread &&
> + !cgroup_same_domain(src_cgrp->dom_cgrp, dst_cgrp->dom_cgrp))
> + ret = -EOPNOTSUPP;
> +
> + return 0;
> +}
> +
> static ssize_t cgroup_procs_write(struct kernfs_open_file *of,
> char *buf, size_t nbytes, loff_t off)
> {
> @@ -4712,8 +4735,8 @@ static ssize_t cgroup_procs_write(struct kernfs_open_file *of,
> src_cgrp = task_cgroup_from_root(task, &cgrp_dfl_root);
> spin_unlock_irq(&css_set_lock);
>
> - ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp,
> - of->file->f_path.dentry->d_sb);
> + ret = cgroup_attach_permissions(src_cgrp, dst_cgrp,
> + of->file->f_path.dentry->d_sb, true);
typo: s/true/false/
