On Fri, Jan 17, 2020 at 08:53:11AM -0800, Tejun Heo wrote:
> Hello, Christian.
>
> Sorry about late reply.
>
> On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> > Could it be that you misread cgroup_attach_permissions()? Because it
> > does check for write permissions on the destination cgroup.procs file.
> > That's why I've added the cgroup_get_from_file() helper. :) See:
> >
> > static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> >                                      struct cgroup *dst_cgrp,
> >                                      struct super_block *sb, bool thread)
> > {
> >         int ret = 0;
> >
> >         ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> >         if (ret)
> >                 return ret;
>
> So, if you look at cgroup_procs_write_permission(), it's only checking
> the write perm of the common ancestor, not the destination because it
> assumes that the destination is already checked by the vfs layer, and
> we need to check both.

Ok, gimme 20 min.

Thanks!
Christian
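
The gap described in the quoted reply, as an added userspace illustration that is not part of the original email and is not kernel code: a toy model comparing a check of the common ancestor alone with a check of both the common ancestor and the destination. The struct, the function names and the hierarchy are constructed assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model (hypothetical names): procs_writable stands for "the caller
 * may write this cgroup's cgroup.procs file". */
struct toy_cgroup {
    const struct toy_cgroup *parent;
    bool procs_writable;
};
typedef const struct toy_cgroup toy_cg;
bool is_descendant(toy_cg *cg, toy_cg *ancestor)
{
    for (; cg; cg = cg->parent)
        if (cg == ancestor)
            return true;
    return false;
}

/* Nearest cgroup that contains both src and dst. */
toy_cg *common_ancestor(toy_cg *src, toy_cg *dst)
{
    while (src && !is_descendant(dst, src))
        src = src->parent;
    return src;
}

/* Check as described in the quoted reply: common ancestor only. */
int check_ancestor_only(toy_cg *src, toy_cg *dst)
{
    toy_cg *com = common_ancestor(src, dst);
    return (com && com->procs_writable) ? 0 : -EACCES;
}

/* Common ancestor and destination are both checked. */
int check_both(toy_cg *src, toy_cg *dst)
{
    int ret = check_ancestor_only(src, dst);
    return ret ? ret : (dst->procs_writable ? 0 : -EACCES);
}

/* Constructed hierarchy: root -> deleg -> {a, b}; b is not writable. */
toy_cg cg_root = { NULL, false }, cg_deleg = { &cg_root, true };
toy_cg cg_a = { &cg_deleg, true }, cg_b = { &cg_deleg, false };

int main(void)
{
    printf("%d %d\n", check_ancestor_only(&cg_a, &cg_b), check_both(&cg_a, &cg_b));
    return 0;
}
```

Moving from `cg_a` to `cg_b` passes the ancestor-only check because `cg_deleg` is writable, and is refused once the destination is checked as well.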