From: Tejun Heo <tj@kernel.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
Ingo Molnar <mingo@redhat.com>, Oleg Nesterov <oleg@redhat.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Li Zefan <lizefan@huawei.com>,
Peter Zijlstra <peterz@infradead.org>,
cgroups@vger.kernel.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups
Date: Fri, 17 Jan 2020 08:53:11 -0800 [thread overview]
Message-ID: <20200117165311.GH2677547@devbig004.ftw2.facebook.com> (raw)
In-Reply-To: <20200116122944.nj3e66eusxu6sb44@wittgenstein>
Hello, Christian.
Sorry about late reply.
On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> Could it be that you misread cgroup_attach_permissions()? Because it
> does check for write permissions on the destination cgroup.procs file.
> That's why I've added the cgroup_get_from_file() helper. :) See:
>
> static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> struct cgroup *dst_cgrp,
> struct super_block *sb, bool thread)
> {
> int ret = 0;
>
> ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> if (ret)
> return ret;
So, if you look at cgroup_procs_write_permission(), it's only checking
the write perm of the common ancestor, not the destination because it
assumes that the destination is already checked by the vfs layer, and
we need to check both.
Thanks.
--
tejun
WARNING: multiple messages have this Message-ID (diff)
From: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
To: Christian Brauner
<christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Ingo Molnar <mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups
Date: Fri, 17 Jan 2020 08:53:11 -0800 [thread overview]
Message-ID: <20200117165311.GH2677547@devbig004.ftw2.facebook.com> (raw)
In-Reply-To: <20200116122944.nj3e66eusxu6sb44@wittgenstein>
Hello, Christian.
Sorry about late reply.
On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> Could it be that you misread cgroup_attach_permissions()? Because it
> does check for write permissions on the destination cgroup.procs file.
> That's why I've added the cgroup_get_from_file() helper. :) See:
>
> static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> struct cgroup *dst_cgrp,
> struct super_block *sb, bool thread)
> {
> int ret = 0;
>
> ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> if (ret)
> return ret;
So, if you look at cgroup_procs_write_permission(), it's only checking
the write perm of the common ancestor, not the destination because it
assumes that the destination is already checked by the vfs layer, and
we need to check both.
Thanks.
--
tejun
next prev parent reply other threads:[~2020-01-17 16:53 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-23 6:15 [PATCH v2 0/3] clone3 & cgroups: allow spawning processes into cgroups Christian Brauner
2019-12-23 6:15 ` [PATCH v2 1/3] cgroup: unify attach permission checking Christian Brauner
2019-12-23 6:15 ` [PATCH v2 2/3] clone3: allow spawning processes into cgroups Christian Brauner
2020-01-07 16:32 ` Tejun Heo
2020-01-08 18:09 ` Christian Brauner
2020-01-16 12:29 ` Christian Brauner
2020-01-16 12:29 ` Christian Brauner
2020-01-17 16:53 ` Tejun Heo [this message]
2020-01-17 16:53 ` Tejun Heo
2020-01-17 17:12 ` Christian Brauner
2020-01-17 17:12 ` Christian Brauner
2020-01-08 16:01 ` Michal Koutný
2020-01-08 18:10 ` Christian Brauner
2020-01-08 18:10 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2019-12-23 6:15 ` [PATCH v2 3/3] selftests/cgroup: add tests for cloning " Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200117165311.GH2677547@devbig004.ftw2.facebook.com \
--to=tj@kernel.org \
--cc=cgroups@vger.kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=hannes@cmpxchg.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.