On Wed, Oct 23, 2013 at 12:41:30AM +0000, Serge E. Hallyn wrote:
> Quoting Tejun Heo (tj@xxxxxxxxxx):
> > On Tue, Jul 23, 2013 at 2:38 PM, Serge Hallyn <serge.hallyn@xxxxxxxxxx> wrote:
> > > This doesn't delegate it into the container. It allows me, on the host,
> > > to set the cgroup for a container.
> >
> > Hmmm? I'm a bit confused. Isn't the description saying that the patch
> > allows pseudo-root in userns to change cgroup membership even if it
> > isn't actually root?
> >
> > Besides, I find the whole check rather bogus and would actually much
> > prefer just nuking the check and just follow the standard permission
> > checks.
>
> Can we please nuke it like this then?
>
> From b840083ec8fa1f0645ae925c79db3dc51edd019c Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
> Date: Wed, 23 Oct 2013 01:34:00 +0200
> Subject: [PATCH 1/1] device_cgroup: remove can_attach
>
> It is really only wanting to duplicate a check which is already done by the
> cgroup subsystem.
>
> With this patch, user jdoe still cannot move pid 1 into a devices cgroup
> he owns, but now he can move his own other tasks into devices cgroups.
>
> Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
> Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
> Cc: Tejun Heo <tj@xxxxxxxxxx>

Applied to cgroup/for-3.13.

Thanks.

--
tejun