On Tue, Nov 24, 2015 at 12:16:10PM -0500, Tejun Heo wrote:
...
> > + if (ns != &init_cgroup_ns) { > > + struct dentry *nsdentry; > > + struct cgroup *cgrp; > > + > > + cgrp = cset_cgroup_from_root(ns->root_cgrps, root); > > + nsdentry = kernfs_obtain_root(dentry->d_sb, > > + cgrp->kn); > > + dput(dentry); > > + dentry = nsdentry; > > + } > > + }
>
> So, this would effectively allow namespace mounts to claim controllers
> which aren't configured otherwise which doesn't seem like a good idea.
> I think the right thing to do for namespace mounts is to always
> require an existing superblock.

That was my goal with

https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/commit/?h=cgroupns.v4&id=8eb75d2bb24df59e262f050dce567d2332adc5f3

(which was sent inline earlier in this thread in response to Eric)

Does that look sufficient?

thanks,
-serge
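
Review bot: in the quoted hunk, the value returned by kernfs_obtain_root() is stored in dentry with no check in the visible lines, and dput(dentry) releases the original reference unconditionally, so if that call can fail the caller ends up holding neither the original dentry nor a valid replacement. Consider testing nsdentry (and the cgrp returned by cset_cgroup_from_root() before cgrp->kn is dereferenced) ahead of the dput() and reassignment, and returning the error on failure. A short comment stating what keeps ns->root_cgrps and the resulting cgrp stable across this block would also help, since no lock is taken in these lines.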