Hey, Eric. On Tue, Nov 06, 2012 at 03:58:04AM -0800, Eric W. Biederman wrote: > > Why doesn't it follow the usual security enforced by cgroupfs > > permissions? Why is the explicit check necessary? > > An almost more interesting question is why is cgroup one of the last > pieces of code not using capabilities and instead lets you attach to any > process simply if your uid == 0. Because it has a filesystem as interface and most things w/ file system interface depend on VFS for access policies. > I don't know the history but the device cgroup testing for CAP_SYS_ADMIN > makes a naive sort of sense to me. If some different CAP_* is needed for cgroup (but why?), the right thing to do is enforcing it uniformly from cgroup core instead of doing it from individual controllers. If there's no actual good reason to keep this, I'll write up a patch to remove it. Thanks. -- tejun _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
