Quoting Tejun Heo ([email protected]): > On Tue, Jul 23, 2013 at 2:38 PM, Serge Hallyn <[email protected]> wrote: > > This doesn't delegate it into the container. It allows me, on the host, > > to set the cgroup for a container. > > Hmmm? I'm a bit confused. Isn't the description saying that the patch > allows pseudo-root in userns to change cgroup membership even if it > isn't actually root?
If task A is uid 1000 on the host, and creates task B as uid X in a new user namespace, then task A, still being uid 1000 on the host, is privileged with respect to B and his namespace - i.e. ns_capable(B->userns, CAP_SYS_ADMIN) is true. > Besides, I find the whole check rather bogus and would actually much > prefer just nuking the check and just follow the standard permission > checks. I'd be ok with that - but there's one case I'm not sure about: If PAM sets me up with /sys/fs/cgroup/devices/serge owned by me, then if I'm thinking right, removing can_attach would mean I could move init into /sys/fs/cgroup/devices/serge... Is there something else stopping that from happening? -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
