Quoting Tejun Heo (tj@xxxxxxxxxx): > On Tue, Jul 23, 2013 at 2:38 PM, Serge Hallyn <serge.hallyn@xxxxxxxxxx> wrote: > > This doesn't delegate it into the container. It allows me, on the host, > > to set the cgroup for a container. > > Hmmm? I'm a bit confused. Isn't the description saying that the patch > allows pseudo-root in userns to change cgroup membership even if it > isn't actually root? If task A is uid 1000 on the host, and creates task B as uid X in a new user namespace, then task A, still being uid 1000 on the host, is privileged with respect to B and his namespace - i.e. ns_capable(B->userns, CAP_SYS_ADMIN) is true. > Besides, I find the whole check rather bogus and would actually much > prefer just nuking the check and just follow the standard permission > checks. I'd be ok with that - but there's one case I'm not sure about: If PAM sets me up with /sys/fs/cgroup/devices/serge owned by me, then if I'm thinking right, removing can_attach would mean I could move init into /sys/fs/cgroup/devices/serge... Is there something else stopping that from happening? -serge _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
