From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752027AbcGRQSZ (ORCPT <rfc822;w@1wt.eu>);
	Mon, 18 Jul 2016 12:18:25 -0400
Received: from mx2.suse.de ([195.135.220.15]:54886 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751528AbcGRQSW (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 18 Jul 2016 12:18:22 -0400
From: Aleksa Sarai <asarai@suse.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Tejun Heo <tj@kernel.org>,
        Li Zefan <lizefan@huawei.com>, Johannes Weiner <hannes@cmpxchg.org>,
        "Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
        Aditya Kali <adityakali@google.com>,
        Chris Wilson <chris@chris-wilson.co.uk>
Cc: linux-kernel@vger.kernel.org, cgroups@vger.kernel.org,
        Christian Brauner <cbrauner@suse.de>, Aleksa Sarai <asarai@suse.de>,
        dev@opencontainers.org
Subject: [PATCH v1 0/3] cgroup: allow for unprivileged management
Date: Tue, 19 Jul 2016 02:18:13 +1000
Message-Id: <20160718161816.13040-1-asarai@suse.de>
X-Mailer: git-send-email 2.9.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is a rewrite of my old cgroup unprivileged subtree management[1]
patchset. Rather than magically creating a new cgroup, I've instead
modified kernfs so that we can have custom permission hooks. The
following only applies to cgroupv2 trees, due to the fact that cgroupv1
doesn't explicitly require that cgroups be hierarchical.

You can only create a new subtree if you either would traditionally have
write access, or you are attempting to create a new cgroup under the
root cgroup of your current cgroup namespace (and you have CAP_SYS_ADMIN
in the user namespace pinned by the cgroup namespace). This means that
users would only be able to create sub-cgroups of their current cgroup
using this method.

In addition, I relaxed one of the ancestor restrictions so that you can
move to direct descendants of the current cgroup without needing to be
able to join the current cgroup you're in (because that restriction
doesn't make much sense).

[1]: http://marc.info/?l=linux-kernel&m=146319604331859

Cc: dev@opencontainers.org

Aleksa Sarai (3):
  kernfs: add support for custom per-sb permission hooks
  cgroup: allow for unprivileged subtree management
  cgroup: relax common ancestor restriction for direct descendants

 fs/kernfs/inode.c      | 13 +++++++-
 include/linux/kernfs.h |  3 ++
 kernel/cgroup.c        | 86 +++++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 93 insertions(+), 9 deletions(-)

-- 
2.9.0