Why does devices cgroup check for CAP_SYS_ADMIN explicitly?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Aristeu Rozanski <aris@xxxxxxxxxx>, "Serge E. Hallyn" <serge.hallyn@xxxxxxxxxxxxx>
Subject: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?
From: Tejun Heo <tj@xxxxxxxxxx>
Date: Mon, 5 Nov 2012 18:38:45 -0800
Cc: cgroups@xxxxxxxxxxxxxxx, containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
Delivered-to: containers@xxxxxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.21 (2010-09-15)

Hello, guys.

Why doesn't it follow the usual security enforced by cgroupfs
permissions?  Why is the explicit check necessary?

Thanks.

-- 
tejun
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers

Follow-Ups:
- Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?
  - From: Eric W. Biederman

Prev by Date: Re: [PATCH] coredump: run the coredump helper using the same namespace as the dead process
Next by Date: Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?
Previous by thread: [PATCH] coredump: run the coredump helper using the same namespace as the dead process
Next by thread: Re: Why does devices cgroup check for CAP_SYS_ADMIN explicitly?
Index(es):
- Date
- Thread

[Index of Archives] [Cgroups] [Netdev] [Linux Wireless] [Kernel Newbies] [Security] [Linux for Hams] [Netfilter] [Bugtraq] [Yosemite Forum] [MIPS Linux] [ARM Linux] [Linux RAID] [Linux Admin] [Samba]

Powered by Linux