On Fri, Jul 3, 2009 at 1:58 AM, Li Zefan<lizf@xxxxxxxxxxxxxx> wrote:
>
> If it's not per cgroup, it can be a global value.

No it can't, since the notes subsystem can be mounted on multiple hierarchies simultaneously.

> But why not make it per cgroup?

Setting notes.size to a large value allows userspace to create large kmalloc'd objects; so if it's per-cgroup, then it's not safe to delegate control of part of a cgroups hierarchy to untrusted users. (E.g. we want to be able to give an untrusted user process the power to create sub-cgroups in the CPU scheduler hierarchy, so that it can give different CPU guarantees to each of its threadpools).

I guess that an alternative would be to have a per-cgroup size field, and use the min of the cgroup and all its ancestors when doing length checking.

>> + if (nbytes > cg_info(cgrp->top_cgroup)->max_len)
>> + return -E2BIG;
>> + if (nbytes) {
>> + notes = kmalloc(nbytes, GFP_USER);
>> + if (!notes)
>> + return -ENOMEM;
>> + if (copy_from_user(notes, userbuf, nbytes))
>
> missing kfree(notes)
>

Good catch, thanks. Fixed (and all the newlines added).

Paul
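
Review bot: the bound in "if (nbytes > cg_info(cgrp->top_cgroup)->max_len)" is read from the hierarchy root rather than from cgrp, and nothing in the hunk says why. A short comment there stating that the limit is kept per hierarchy, so that the owner of a delegated sub-cgroup cannot raise the size of the GFP_USER allocation, would keep a later change from moving it to cgrp. In the branch taken when copy_from_user(notes, userbuf, nbytes) fails, notes has to be freed before returning, otherwise each failed write leaks up to max_len bytes.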
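
The alternative floated in the message (a per-cgroup size field, with the length check using the minimum over the cgroup and all its ancestors), as a userspace C model. This is an added example, not code from the patch: `struct cg_node`, `effective_max_len` and `notes_write` are hypothetical names, and `malloc`/`memcpy` stand in for `kmalloc`/`copy_from_user`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model; struct and field names are hypothetical, not the patch's. */
struct cg_node {
    struct cg_node *parent;   /* NULL at the hierarchy root */
    size_t max_len;           /* value written to this cgroup's size file */
    char *notes;
    size_t notes_len;
};

/* Effective limit: the smallest max_len on the path from cg up to the root,
 * so a delegated cgroup can lower its limit but never exceed an ancestor's. */
static size_t effective_max_len(const struct cg_node *cg)
{
    size_t limit = cg->max_len;
    for (cg = cg->parent; cg; cg = cg->parent)
        if (cg->max_len < limit)
            limit = cg->max_len;
    return limit;
}

/* Length-checked write; memcpy stands in for copy_from_user(). */
static int notes_write(struct cg_node *cg, const char *buf, size_t nbytes)
{
    char *notes = NULL;
    if (nbytes > effective_max_len(cg))
        return -E2BIG;
    if (nbytes) {
        notes = malloc(nbytes);   /* stands in for kmalloc(nbytes, GFP_USER) */
        if (!notes)
            return -ENOMEM;
        memcpy(notes, buf, nbytes);
    }
    free(cg->notes);              /* drop the previous note, if any */
    cg->notes = notes;
    cg->notes_len = nbytes;
    return 0;
}

int main(void)
{
    struct cg_node root = { NULL, 64, NULL, 0 };   /* admin-owned (constructed) */
    struct cg_node sub = { &root, 4096, NULL, 0 }; /* delegated; owner raised it */
    char big[100] = { 0 };
    return notes_write(&sub, big, sizeof big) == -E2BIG ? 0 : 1;
}
```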