Channel: lkml.org : Aleksa Sarai

[PATCH v1 2/3] cgroup: allow for unprivileged subtree management

Aleksa Sarai writes: (Summary) + if (cgroupns->root_cset->dfl_cgrp == cgroup) { + /* + * Check CAP_SYS_ADMIN, to make sure that unprivileged + * processes inside a cgroup namespace they don't...




[PATCH v1 1/3] kernfs: add support for custom per-sb permission hooks

Aleksa Sarai writes: (Summary) 3 +++ 2 files changed, 15 insertions(+), 1 deletion(-)diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c index 63b925d5ba1e..e82b8e5aa643 100644 --- a/fs/kernfs/inode.c...


Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: (Summary) While a higher level process might not know where precisely in the hierarchy the process is, they'll know that it must be a sub-cgroup of the one they were put in...


Re: [PATCH v1 2/3] cgroup: allow for unprivileged subtree management

Aleksa Sarai writes: [...] I'll send out a fixed patchset once we figure out the cgroups_proc_write_permission() stuff.


Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: (Summary) I'm not sure I really agree with the argument that a higher level process should be able to stop a process from imposing more *stringent* limits on itself if the process...



Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: (Summary) [...] Would you find it acceptable if we added a bit that would make this not happen (you could specify that a cgroup should not allow a process to move itself to a...


Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: (Summary) [...] Having a PAM module requires getting an administrator to install the PAM module (and also presumably audit it, not to mention convincing them that your requirement...


Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: [...] My experience with certain systemdaemons' cgroup handling doesn't inspire confidence :/ (from the runC side, we've had nothing but issues). Also, how do you even boot into a...



Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: [...] Once freezer is ported, wouldn't that allow you to stop the processes so you can drain them? I understand your concern with draining, but surely the same races occur if you...



Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for d ...

Aleksa Sarai writes: (Summary) [...] Just to be clear, the "ns subdir operation" is a cgroup namespaced process moving A -> So an administrator could use rename to change the point at which a...
