On Thu, Feb 17, 2022 at 05:11:28PM +0100, Michal Koutný wrote:
> The idea is to check: a) the owning user_ns of cgroup_ns, b)
> capabilities in init_user_ns.
>
> The commit 24f600856418 ("cgroup-v1: Require capabilities to set
> release_agent") got this wrong in the write handler of release_agent
> since it checked user_ns of the opener (may be different from the owning
> user_ns of cgroup_ns).
> Secondly, to avoid possibly confused deputy, the capability of the
> opener must be checked.
>
> Fixes: 24f600856418 ("cgroup-v1: Require capabilities to set release_agent")
> Cc: stable@xxxxxxxxxxxxxxx
> Link: https://lore.kernel.org/stable/20220216121142.GB30035@xxxxxxxxxxxxxxxxx/
> Signed-off-by: Michal Koutný <mkoutny@xxxxxxxx>
Applied to cgroup/for-5.17-fixes.
Thanks.
--
tejun
