On Mon 21-09-20 17:04:50, Christian Brauner wrote: > On Mon, Sep 21, 2020 at 04:55:37PM +0200, Michal Hocko wrote: > > On Mon 21-09-20 16:43:55, Christian Brauner wrote: > > > On Mon, Sep 21, 2020 at 10:38:47AM -0400, Tejun Heo wrote: > > > > Hello, > > > > > > > > On Mon, Sep 21, 2020 at 04:28:34PM +0200, Michal Hocko wrote: > > > > > Fundamentaly CLONE_INTO_CGROUP is similar to regular fork + move to > > > > > the > > > > > target cgroup after the child gets executed. So in principle there > > > > > shouldn't be any big difference. Except that the move has to be > > > > > explicit > > > > > and the the child has to have enough privileges to move itself. I am > > > > > not > > > > > > > > Yeap, they're supposed to be the same operations. We've never clearly > > > > defined how the accounting gets split across moves because 1. it's > > > > inherently blurry and difficult 2. doesn't make any practical > > > > difference for > > > > the recommended and vast majority usage pattern which uses migration to > > > > seed > > > > the new cgroup. CLONE_INTO_CGROUP doesn't change any of that. > > > > > > > > > completely sure about CLONE_INTO_CGROUP model though. According to man > > > > > clone(2) it seems that O_RDONLY for the target cgroup directory is > > > > > sufficient. That seems much more relaxed IIUC and it would allow to > > > > > fork > > > > > into a different cgroup while keeping a lot of resources in the > > > > > parent's > > > > > proper. > > > > > > > > If the man page is documenting that, it's wrong. cgroup_css_set_fork() > > > > has > > > > an explicit cgroup_may_write() test on the destination cgroup. > > > > CLONE_INTO_CGROUP should follow exactly the same rules as regular > > > > migrations. > > > > > > Indeed! > > > The O_RDONLY mention on the manpage doesn't make sense but it is > > > explained that the semantics are exactly the same for moving via the > > > filesystem: > > > > OK, if the semantic is the same as for the task migration then I do not > > see any (new) problems. Care to point me where the actual check is > > enforced? For the migration you need a write access to cgroup.procs but > > if the API expects directory fd then I am not sure how that would expose > > the same behavior. > > kernel/cgroup/cgroup.c:cgroup_csset_fork() > > So there's which is the first check for inode_permission() essentially: > > /* > * Verify that we the target cgroup is writable for us. This is > * usually done by the vfs layer but since we're not going through > * the vfs layer here we need to do it "manually". > */ > ret = cgroup_may_write(dst_cgrp, sb); > if (ret) > goto err; > > and what you're referring to is checked right after in: > > ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb, > !(kargs->flags & CLONE_THREAD)); > if (ret) > goto err; > > which calls: > > ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb); > if (ret) > return ret; > > That should be what you're looking for. I've also added selftests as > always that verify this behavior under: > > tools/testing/selftests/cgroup/ > > as soon as CLONE_INTO_CGROUP is detected on the kernel than all the > usual tests are exercised using CLONE_INTO_CGROUP so we should've seen > any regression hopefully.
Thanks a lot for this clarification! So I believe the only existing bug is in documentation which should be explicit that the cgroup fd read access is not sufficient because it also requires to have a write access for cgroup.procs in the same directory at the time of fork. I will send a patch if I find some time for that. Thanks! -- Michal Hocko SUSE Labs
