Without further ado, the following was found: Issue: user ID → UID "We have a cgroup directory, I</cg/1>, that is owned by user ID 9000." "We have a process, I<X>, also owned by user ID 9000, that is namespaced " "under the cgroup I</cg/1/2> (i.e., I<X> was placed in a new cgroup namespace " "via B<clone>(2) or B<unshare>(2) with the B<CLONE_NEWCGROUP> flag)." "In the absence of cgroup namespacing, because the cgroup directory I</cg/1> " "is owned (and writable) by UID 9000 and process I<X> is also owned by user " "ID 9000, process I<X> would be able to modify the contents of cgroups files " "(i.e., change cgroup settings) not only in I</cg/1/2> but also in the " "ancestor cgroup directory I</cg/1>. Namespacing process I<X> under the " "cgroup directory I</cg/1/2>, in combination with suitable mount operations " "for the cgroup filesystem (as shown above), prevents it modifying files in " "I</cg/1>, since it cannot even see the contents of that directory (or of " "further removed cgroup ancestor directories). Combined with correct " "enforcement of hierarchical limits, this prevents process I<X> from escaping " "the limits imposed by ancestor cgroups." "In the absence of cgroup namespacing, because the cgroup directory I</cg/1> " "is owned (and writable) by UID 9000 and process I<X> is also owned by user " "ID 9000, then process I<X> would be able to modify the contents of cgroups " "files (i.e., change cgroup settings) not only in I</cg/1/2> but also in the " "ancestor cgroup directory I</cg/1>. Namespacing process I<X> under the " "cgroup directory I</cg/1/2>, in combination with suitable mount operations " "for the cgroup filesystem (as shown above), prevents it modifying files in " "I</cg/1>, since it cannot even see the contents of that directory (or of " "further removed cgroup ancestor directories). Combined with correct " "enforcement of hierarchical limits, this prevents process I<X> from escaping " "the limits imposed by ancestor cgroups."
