From: Christian Brauner <christian.brauner@ubuntu.com>
To: Tejun Heo <tj@kernel.org>
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org,
Ingo Molnar <mingo@redhat.com>, Oleg Nesterov <oleg@redhat.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Li Zefan <lizefan@huawei.com>,
Peter Zijlstra <peterz@infradead.org>,
cgroups@vger.kernel.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups
Date: Fri, 17 Jan 2020 18:12:28 +0100 [thread overview]
Message-ID: <20200117171228.evtvrny3v7zjcocd@wittgenstein> (raw)
In-Reply-To: <20200117165311.GH2677547@devbig004.ftw2.facebook.com>
On Fri, Jan 17, 2020 at 08:53:11AM -0800, Tejun Heo wrote:
> Hello, Christian.
>
> Sorry about late reply.
>
> On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> > Could it be that you misread cgroup_attach_permissions()? Because it
> > does check for write permissions on the destination cgroup.procs file.
> > That's why I've added the cgroup_get_from_file() helper. :) See:
> >
> > static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> > struct cgroup *dst_cgrp,
> > struct super_block *sb, bool thread)
> > {
> > int ret = 0;
> >
> > ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> > if (ret)
> > return ret;
>
> So, if you look at cgroup_procs_write_permission(), it's only checking
> the write perm of the common ancestor, not the destination because it
> assumes that the destination is already checked by the vfs layer, and
> we need to check both.
Ok, gimme 20 min.
Thanks!
Christian
WARNING: multiple messages have this Message-ID (diff)
From: Christian Brauner <christian.brauner-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Ingo Molnar <mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH v2 2/3] clone3: allow spawning processes into cgroups
Date: Fri, 17 Jan 2020 18:12:28 +0100 [thread overview]
Message-ID: <20200117171228.evtvrny3v7zjcocd@wittgenstein> (raw)
In-Reply-To: <20200117165311.GH2677547-LpCCV3molIbIZ9tKgghJQw2O0Ztt9esIQQ4Iyu8u01E@public.gmane.org>
On Fri, Jan 17, 2020 at 08:53:11AM -0800, Tejun Heo wrote:
> Hello, Christian.
>
> Sorry about late reply.
>
> On Thu, Jan 16, 2020 at 01:29:44PM +0100, Christian Brauner wrote:
> > Could it be that you misread cgroup_attach_permissions()? Because it
> > does check for write permissions on the destination cgroup.procs file.
> > That's why I've added the cgroup_get_from_file() helper. :) See:
> >
> > static int cgroup_attach_permissions(struct cgroup *src_cgrp,
> > struct cgroup *dst_cgrp,
> > struct super_block *sb, bool thread)
> > {
> > int ret = 0;
> >
> > ret = cgroup_procs_write_permission(src_cgrp, dst_cgrp, sb);
> > if (ret)
> > return ret;
>
> So, if you look at cgroup_procs_write_permission(), it's only checking
> the write perm of the common ancestor, not the destination because it
> assumes that the destination is already checked by the vfs layer, and
> we need to check both.
Ok, gimme 20 min.
Thanks!
Christian
next prev parent reply other threads:[~2020-01-17 17:12 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-23 6:15 [PATCH v2 0/3] clone3 & cgroups: allow spawning processes into cgroups Christian Brauner
2019-12-23 6:15 ` [PATCH v2 1/3] cgroup: unify attach permission checking Christian Brauner
2019-12-23 6:15 ` [PATCH v2 2/3] clone3: allow spawning processes into cgroups Christian Brauner
2020-01-07 16:32 ` Tejun Heo
2020-01-08 18:09 ` Christian Brauner
2020-01-16 12:29 ` Christian Brauner
2020-01-16 12:29 ` Christian Brauner
2020-01-17 16:53 ` Tejun Heo
2020-01-17 16:53 ` Tejun Heo
2020-01-17 17:12 ` Christian Brauner [this message]
2020-01-17 17:12 ` Christian Brauner
2020-01-08 16:01 ` Michal Koutný
2020-01-08 18:10 ` Christian Brauner
2020-01-08 18:10 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2020-01-16 23:57 ` Christian Brauner
2019-12-23 6:15 ` [PATCH v2 3/3] selftests/cgroup: add tests for cloning " Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200117171228.evtvrny3v7zjcocd@wittgenstein \
--to=christian.brauner@ubuntu.com \
--cc=cgroups@vger.kernel.org \
--cc=hannes@cmpxchg.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=mingo@redhat.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.