this patch disallows container to change top cgroup's subsystem files,since these files are shared with host.
Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 kernel/cgroup.c | 8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index e077660..b0caa1d 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2928,6 +2928,14 @@ static int cgroup_add_file(struct cgroup *cgrp, struct cgroup_subsys *subsys,
 }
 mode = cgroup_file_mode(cft);
+ /*
+ * Disallow container to change it's top cgroup's subsys files,
+ * since these files are shared with host.
+ */
+ if (test_bit(ROOT_NAMESPACE, &cgrp->root->flags) &&
+ cgrp == cgrp->top_cgroup)
+ mode &= ~S_IWUSR;
+
 error = cgroup_create_file(dentry, mode | S_IFREG, cgrp->root->sb);
 if (!error) {
 cfe->type = (void *)cft;
-- 
1.7.7.6
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
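Review bot: Clearing S_IWUSR from the mode at creation time is a discretionary control, and it is not clear from this hunk that a privileged process inside the container cannot undo or bypass it — a uid-0 owner can normally chmod the inode back, and CAP_DAC_OVERRIDE is honoured by the generic permission check, so unless cgroupfs or the namespace code forbids both (not visible here, please confirm) the host-shared files remain writable from the container. A more robust placement is the write path itself: have the subsystem file write handler refuse with `-EPERM` when `test_bit(ROOT_NAMESPACE, &cgrp->root->flags) && cgrp == cgrp->top_cgroup`, so the check is enforced on every write rather than encoded in mode bits the caller may change. The added comment should read `Disallow a container from changing its top cgroup's subsys files,` ("its", not "it's"), and the continuation line of the `if` should be aligned with the opening parenthesis per kernel style. cgroup_add_file begins and ends outside the hunk, and the meaning of `top_cgroup` is not established on this page, so the semantics of the condition are inferred.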