* [PATCH] cgroup: clarify cgroup_css_set_fork()
@ 2022-02-21 15:16 Christian Brauner
From: Christian Brauner @ 2022-02-21 15:16 UTC (permalink / raw)
To: Tejun Heo; +Cc: cgroups-u79uwXL29TY76Z2rM5mHXA, Christian Brauner
With recent fixes for the permission checking when moving a task into a cgroup
using a file descriptor to a cgroup's cgroup.procs file and calling write() it
seems a good idea to clarify CLONE_INTO_CGROUP permission checking with a
comment.
Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: <cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Signed-off-by: Christian Brauner <brauner-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
---
kernel/cgroup/cgroup.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 9d05c3ca2d5e..0f8bd120be17 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -6166,6 +6166,18 @@ static int cgroup_css_set_fork(struct kernel_clone_args *kargs)
if (ret)
goto err;
+ /*
+ * Note, spawning a task directly into a cgroup works by passing a file
+ * descriptor to the target cgroup directory. This can even be an
+ * O_PATH file descriptor. But it can never be a cgroup.procs file
+ * descriptor. This was done on purpose so spawning into a cgroup could
+ * be conceptualized as an atomic
+ * fd = openat(dfd_cgroup, "cgroup.procs", ...);
+ * write(fd, <child-pid>, ...);
+ * sequence, i.e. it's a shorthand for the caller opening and writing
+ * cgroup.procs of the cgroup indicated by @dfd_cgroup. This allows
+ * us to always use the caller's credentials.
+ */
ret = cgroup_attach_permissions(cset->dfl_cgrp, dst_cgrp, sb,
!(kargs->flags & CLONE_THREAD),
current->nsproxy->cgroup_ns);
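Review bot: the comment refers to @dfd_cgroup, but the enclosing function takes only `struct kernel_clone_args *kargs` (see the @@ header), so the kerneldoc-style reference names something that does not exist in this scope; either name the kargs field that actually carries the cgroup fd or drop the @ prefix. The comment also asserts that the fd "can never be a cgroup.procs file descriptor" while nothing in this hunk enforces that, so a short pointer to where the fd is validated would make the claim checkable from the code. Since the property being documented is that cgroup_attach_permissions() is evaluated against the caller (the call directly below passes `current->nsproxy->cgroup_ns`), it would help to say explicitly that "the caller's credentials" means the task issuing CLONE_INTO_CGROUP, not the child being created.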
base-commit: cfb92440ee71adcc2105b0890bb01ac3cddb8507
--
2.32.0
Thread overview: 2+ messages
2022-02-21 15:16 [PATCH] cgroup: clarify cgroup_css_set_fork() Christian Brauner
2022-02-22 17:39 ` Tejun Heo